T 3.49 Incorrect configuration of Active Directory
Starting with Windows 2000 Server, the Windows server operating system has allowed individual administrative rights to be delegated to certain users, including rights to access sections of the Active Directory. The rights are delegated by assigning each detailed right individually in the Active Directory.
The following can occur due to the complexity of the rights assignments in the Active Directory, for example when numerous individual rights are assigned specifically to individual object types or when authorisations are inherited:
- Administrators can have access to areas of the Active Directory that they are not permitted to administer.
- There can be areas of the Active Directory that are not protected by access rights, which means every user has access to this data.
The danger of unauthorised access due to incorrectly configured Active Directory access rights is increased further by the fact that the Active Directory can be reached through several access interfaces, e.g. Active Directory Service Interfaces (ADSI) or the Lightweight Directory Access Protocol (LDAP).
If trust relationships are set up between domains, then users in one domain will be able to access the resources in another domain. For this reason, insufficient planning of the trust relationships between the domains can lead to the granting of unintended access rights to the resources in a domain.
Operations that change the database structure of the Active Directory are especially critical:
- Changes to the Active Directory schema can cause the existing Windows system to be incompatible with other software packages that use Active Directory. Since some changes to the schema cannot be undone, this can mean that the existing system has to be completely reinstalled.
- When integrating a personal attribute into the "Global Catalog" of the Active Directory, there is a danger that personal data could also be accessible to persons outside of the actual target group.
- Example: In one company, the internal telephone numbers of the employees are stored in the Active Directory. If the company's computers form only one domain in the Active Directory tree of a large corporate network, then these internal telephone numbers would be distributed to every domain in the Active Directory tree when entered in the Global Catalog.
In order to ensure the Active Directory is configured securely even during ongoing operations, it is not only necessary to plan all security-related configuration changes carefully, but also to log the changes. If domain controllers are operated without sufficient logging, then there is a risk that unauthorised, security-related configuration changes will not be detected, and therefore will not be promptly corrected.
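The following PowerShell script is an added defender-side check for two of the threats described above (broad principals holding write rights through delegation or inheritance, and domain controllers whose directory-service change logging produces no events); it is an example added here, not part of the catalogue. It assumes the RSAT ActiveDirectory module (which provides the AD: drive), and the OU path, domain controller name and list of "broad" principals are placeholders to adapt.

```powershell
# Added example: audit of Active Directory ACLs and change logging (not BSI catalogue code).
Import-Module ActiveDirectory

# Principals that normally should hold read access only; a write-type ACE for them
# usually indicates a delegation or inheritance mistake (list is an assumption, adapt it).
$BroadPrincipalPattern = '^(Everyone|NT AUTHORITY\\Authenticated Users|.*\\Domain Users|.*\\Domain Computers)$'
# Rights beyond reading: full control, write, DACL/owner changes, child creation, extended rights.
$WriteRightPattern = 'GenericAll|GenericWrite|WriteDacl|WriteOwner|WriteProperty|CreateChild|Delete|ExtendedRight|Self'

function Find-BroadWriteAce {
    param([Parameter(Mandatory)][string]$SearchBase)   # e.g. 'OU=Staff,DC=example,DC=com' (placeholder)
    Get-ADObject -SearchBase $SearchBase -SearchScope Subtree -Filter * | ForEach-Object {
        $dn  = $_.DistinguishedName
        $acl = Get-Acl -Path "AD:\$dn"
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($ace.IdentityReference.Value -notmatch $BroadPrincipalPattern) { continue }
            if ($ace.ActiveDirectoryRights.ToString() -notmatch $WriteRightPattern) { continue }
            # IsInherited = $true means the ACE was set on a parent container and flowed
            # down; $false means someone delegated it on this object directly.
            [pscustomobject]@{
                Object    = $dn
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.ActiveDirectoryRights
                Inherited = $ace.IsInherited
                Scope     = $ace.InheritanceType
            }
        }
    }
}

# Companion check for the logging requirement: events 5136/5137/5139/5141 (object
# modified/created/moved/deleted) only appear when "Audit Directory Service Changes"
# is enabled and the objects carry SACL entries. An empty result on a busy domain
# controller is itself a finding.
function Get-RecentAdChangeEvents {
    param([Parameter(Mandatory)][string]$DomainController, [int]$Hours = 24)   # DC name is a placeholder
    Get-WinEvent -ComputerName $DomainController -FilterHashtable @{
        LogName   = 'Security'
        Id        = 5136, 5137, 5139, 5141
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
      Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { $_.Message.Split("`n")[0] } }
}

# Usage (placeholders):
Find-BroadWriteAce -SearchBase 'OU=Staff,DC=example,DC=com' | Format-Table -AutoSize
Get-RecentAdChangeEvents -DomainController 'DC01' | Format-Table -AutoSize
```

Objects whose distinguished names contain characters such as "/" need escaping before being used in the AD: path; treat a failed Get-Acl on such an object as something to check by hand rather than skip.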