Parse the Active Directory information exposed to the user

Source: Internet
Author: User

Most IT professionals usually deal with the following kinds of access:

· Physical access

· Network access through a firewall

· Access Services on the server

· Access to applications

The main work of IT personnel is to protect the areas above, but what about the information stored in Active Directory? With Windows Server 2008 domain controllers, most people feel at ease with the built-in security features of this technology. However, you should know that ordinary users can also use simple tools to obtain sensitive information. You also need to check whether users can use the built-in compatibility feature of Active Directory (available in all versions later than Windows Server 2000) to view even more sensitive information.

In this article, we will discuss what information in Active Directory can be seen by common domain users and why users can see this information.

Security Questions

Active Directory usually stores a lot of information, including domain configuration, various account types, printers and shared files. Other software can also store information there and use Active Directory to hold its configuration data. Such software may be a business accounting application or a security device that uses the directory for its configuration and for domain users. It is therefore important to check which information on the domain controller and Global Catalog server can be viewed by domain users (or even anonymous users).

Enterprise network infrastructure should be built to be as secure as possible. We usually have security personnel install firewalls and encryption technologies to restrict access to networks, servers and applications. Access control is implemented through user login authentication or other types of identity authentication (such as smart cards and biometric identification).

Only authenticated users can access the network resources they need for their work. IT personnel must ensure that users access the correct shared files, printers, mailboxes and applications. But can some "spyware" users inside the enterprise use other methods to obtain information stored in AD? Have you examined your Active Directory from a standard domain user account? If you are responsible for domain security, you must find out which information is exposed to users by default.

Check Directory

If you want to check which information is exposed to users, log on as a normal user in a test environment (default domain settings). First, visit the Microsoft TechNet SysInternals website, then download and run the AD browser from there. Figure 1 shows the author's domain and certificate:

Figure 1: Active Directory browser logon box

Figure 2 shows more property settings and a lot of restriction information (such as passwords and audit policies). If the enterprise has good password policies (including lockout policies), there will be no major security issues.

Figure 2: domain attributes that can be viewed by common domain users
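
To act on what Figure 2 shows, the following added example (not part of the original article) decodes the password and lockout attributes that a directory browser displays on the domain object and reports weak settings. The attribute values are constructed sample data, and the review thresholds and function names are assumptions of this example.

```python
from datetime import timedelta

DOMAIN_PASSWORD_COMPLEX = 0x1   # pwdProperties bit: complexity is enforced
NEVER = (0, -2**63)             # interval values meaning "never" / "none"

# Constructed sample: raw values as shown on the domain object. Interval
# attributes are negative counts of 100-nanosecond ticks.
SAMPLE_DOMAIN_ATTRS = {
    "minPwdLength": 7,
    "pwdHistoryLength": 24,
    "maxPwdAge": -36288000000000,
    "lockoutThreshold": 0,
    "lockoutDuration": -18000000000,
    "pwdProperties": 1,
}

def ticks_to_timedelta(raw):
    """Convert an AD interval to a timedelta, or None for 'never'."""
    raw = int(raw)
    if raw in NEVER:
        return None
    return timedelta(microseconds=abs(raw) // 10)

def decode_policy(attrs):
    """Turn raw domain-object attributes into readable policy values."""
    max_age = ticks_to_timedelta(attrs["maxPwdAge"])
    lockout = ticks_to_timedelta(attrs["lockoutDuration"])
    return {
        "min_length": int(attrs["minPwdLength"]),
        "history": int(attrs["pwdHistoryLength"]),
        "max_age_days": max_age.days if max_age else None,
        "lockout_threshold": int(attrs["lockoutThreshold"]),
        "lockout_minutes": lockout.total_seconds() / 60 if lockout else None,
        "complexity": bool(int(attrs["pwdProperties"]) & DOMAIN_PASSWORD_COMPLEX),
    }

def review_policy(policy, min_length=12):
    """Return findings; min_length=12 is this example's assumed baseline."""
    findings = []
    if policy["min_length"] < min_length:
        findings.append(f"minimum length {policy['min_length']} is below {min_length}")
    if not policy["complexity"]:
        findings.append("password complexity is not enforced")
    if policy["lockout_threshold"] == 0:
        findings.append("account lockout is disabled (lockoutThreshold = 0)")
    if policy["max_age_days"] is None:
        findings.append("passwords never expire")
    return findings

if __name__ == "__main__":
    for finding in review_policy(decode_policy(SAMPLE_DOMAIN_ATTRS)):
        print("FINDING:", finding)
```
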

As shown in figure 3
