Why do I need Pre-Windows 2000 Compatible Access to enumerate group membership?


You removed Authenticated Users from Pre-Windows 2000 Compatible Access in order to prevent users from reading each other's UNIX password hashes. Pre-Windows 2000 Compatible Access has rights to read almost all properties of most objects and is how most non-admin security principals read object properties. Group membership is determined for a user by reading the memberOf attribute and, like unixUserPassword, the ability to read it by most of your users is now removed. The reason users who ARE in protected groups are NOT broken but users who are NOT in protected groups ARE broken is because, oddly enough, the AdminSDHolder grants more permissive rights to read properties of protected objects than unprotected objects.

There's no "correct" answer to fix your issue since it's generally not a good idea to store confidential data in AD in the first place (this is exactly the reason why). You might look into setting the confidentiality bit. I've never done it but this KB article goes into detail: How to mark an attribute as confidential in Windows Server 2003 Service Pack 1
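A diagnostic script, added here and not part of the answer above, that checks the two things the answer describes: whether Authenticated Users is still a member of Pre-Windows 2000 Compatible Access, and which read-property ACEs that group holds on AdminSDHolder compared with an ordinary user object. It assumes the RSAT ActiveDirectory module is installed and that `$sampleUser` is replaced with one of the affected accounts.

```powershell
# Added diagnostic, not from the original answer. Assumes the RSAT
# ActiveDirectory module (which provides the AD: drive) and an account
# that can read object ACLs.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName

# 1. Is Authenticated Users (well-known SID S-1-5-11) still a member?
#    Well-known principals are stored as foreignSecurityPrincipal objects,
#    so the membership shows up as a DN under CN=ForeignSecurityPrincipals.
function Test-PreW2KContainsAuthenticatedUsers {
    $group = Get-ADGroup -Identity 'Pre-Windows 2000 Compatible Access' -Properties member
    $authUsersDN = "CN=S-1-5-11,CN=ForeignSecurityPrincipals,$domainDN"
    return [bool]($group.member -contains $authUsersDN)
}

# 2. Which Allow ACEs granting ReadProperty/GenericRead does the group hold
#    on a given object? An empty ObjectType GUID means "all properties".
function Get-PreW2KReadAces {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    $readMask = [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty -bor
                [System.DirectoryServices.ActiveDirectoryRights]::GenericRead
    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    $acl.Access |
        Where-Object {
            $_.IdentityReference -like '*Pre-Windows 2000 Compatible Access' -and
            $_.AccessControlType -eq 'Allow' -and
            (($_.ActiveDirectoryRights -band $readMask) -ne 0)
        } |
        Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, InheritanceType
}

# Compare the template applied to protected accounts (AdminSDHolder) with an
# unprotected user. $sampleUser is a placeholder: substitute a broken account.
$sampleUser = 'jdoe'
$userDN = (Get-ADUser -Identity $sampleUser).DistinguishedName

"Authenticated Users in Pre-Windows 2000 Compatible Access: $(Test-PreW2KContainsAuthenticatedUsers)"
"--- CN=AdminSDHolder (stamped onto protected users) ---"
Get-PreW2KReadAces -DistinguishedName "CN=AdminSDHolder,CN=System,$domainDN" | Format-Table -AutoSize
"--- $sampleUser (unprotected user) ---"
Get-PreW2KReadAces -DistinguishedName $userDN | Format-Table -AutoSize
```

If the second listing is empty or narrower than the first, the ldapbind account's ability to read memberOf on unprotected users depends entirely on the group membership the first check reports.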

Author: Doug

Updated on September 18, 2022

Comments

  • Doug
    Doug over 1 year

    I am trying to lock down security including removing the leaked password hashes that the UNIX add-on creates. I removed Authenticated Users from the Pre-Windows 2000 Compatible Access group. However after doing this, a small portion of users could not log into various non-Windows things like Redmine, Subversion, our VPN etc. These services authenticate with an ldapbind user account and then use SSL LDAP to authenticate against AD and check group membership. We also use Linux machines running SSSD that authenticate via Kerberos and check group membership with LDAP.

    The problem I found is that group membership could not be enumerated for a small number of users. They can be authenticated but not authorized. For example if I log onto a Linux box and do "id user" nothing would be found for these users. However "id user" would return the information for most of the users. I can't think of any difference between the user accounts that work and those that don't. What could be going on?

    • magdiel
      magdiel over 11 years
      Just an off-the-top-of-my-head question: you said you don't know of anything in common with the specific users. Are the "broken" users all in groups protected by AdminSDHolder (thekortrights.com/wp/?p=116)?
    • Greg Askew
      Greg Askew over 11 years
      Why do you think that removing Authenticated Users from the Pre-Windows 2000 Compatible Access Group will make your system more secure?
    • Doug
      Doug over 11 years
      It looks like the broken users are all not in the protected groups. That might be significant, I'll have to read this.
    • Doug
      Doug over 11 years
      I want to remove Authenticated Users because when I ldapsearch any users since installing the UNIX add-on there is a field called unixUserPassword which appears to have a hash of the password. In other words any user can read every other user's password so far. According to this link, if I disable the pre-Windows 2000 group it will fix this. en.gentoo-wiki.com/wiki/…
  • Doug
    Doug about 11 years
    btw after much research, I found that unixUserPassword was not in fact visible to all users -- same issue -- it just appeared so to me because I was in the admin groups.