Active Directory security concerns

Customizing Active Directory to improve functionality and scalability can be tempting, but be aware of the security concerns. Contributor Serdar Yegulalp points out some of these concerns and suggests ways to handle them.

The structure of Active Directory (AD) -- the formatting of records, the type of information stored in it, etc. -- is referred to as its schema. Since AD is basically a database, the default schema is not set in stone and it can in fact be changed if needed. That said, extending the AD schema is not something you want to do trivially. The presence of third-party products that do this can complicate the issue, especially as far as security...

is concerned.

The first thing to be conscious of when using these products is that any additions to the schema are typically available by default in a read-only fashion to everyone. If you extend the schema, you also need to take into account what kind of access to grant to the new schema elements -- who gets to add or change these new elements, whether or not they can be seen by most users, etc.

For more information
  • Create usable boundaries within AD
  • Active Directory admin tips
  • Likewise, if you're extending the schema to work with a custom or third-party application (or if the app itself is making the changes), you should regard those changes as a possible security hole unless they are explicitly dealt with by the app itself or by work you do.

    Also, schema changes cannot be undone without rolling back the AD store as a whole. You can modify or deactivate a given class or attribute, but changes cannot be deleted completely. If you can spare the time and resources, set up an isolated test forest (perhaps via Microsoft Virtual Server) where you can try out the results of your schema extensions in a controlled way. If the extensions you're considering are pretty major or may have an impact on the way AD is routinely accessed and changed, it will absolutely be worth the time and effort.

    About the author: Serdar Yegulalp is editor of the Windows Power Users Newsletter. Check it out for the latest advice and musings on the world of Windows network administrators -- and please share your thoughts as well!


    This was first published in April 2006

    Dig deeper on Microsoft Active Directory Security

    Pro+

    Features

    Enjoy the benefits of Pro+ membership, learn more and join.

    0 comments

    Oldest 

    Forgot Password?

    No problem! Submit your e-mail address below. We'll send you an email containing your password.

    Your password has been sent to:

    -ADS BY GOOGLE

    SearchServerVirtualization

    SearchCloudComputing

    SearchExchange

    SearchSQLServer

    SearchWinIT

    SearchEnterpriseDesktop

    SearchVirtualDesktop

    Close