I ran into another search windows article today that sucked, I didn’t get the point and it wasn’t even close to being spelled out. This one, however, wasn’t written by Derek.
SECURITY CONCERNS OF EXTENDED SCHEMA IN ACTIVE DIRECTORY
An interesting article, having read it I find myself searching for a point :0/
Were I to try and make a point based around this article – say, for instance, if my boss had recorded this as a video segment for a presentation that I had to give, it’d be something like this:
1. Schema can only be added, never deleted. Make a mistake in the schema design, deploy it to a production server, and you’re stuck with it forever.
2. Too many schema additions leads to a complexificated directory store. Your admins will misunderstand this directory store and make mistakes.
3. Treat Active Directory as globally-readable. Do not put anything in there that is private, without being completely sure that you have adequately secured it.
Sadly, I don’t think I can see this as a “security hole”, as the author wrote – a maintainability issue, perhaps, but not a security hole per se.
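One way to act on point 3 above (treat the directory as globally readable and verify what you have secured) is to list the attributes a schema extension added and check whether each carries the confidential searchFlags bit. This is an added example, not code from the post or its commenters; it assumes the RSAT ActiveDirectory PowerShell module and read access to the schema partition.

```powershell
# Added example: audit extended (non-base) schema attributes for the confidential bit.
# Assumes the ActiveDirectory module (RSAT) and a domain-joined session with schema read access.
Import-Module ActiveDirectory

$schemaNC = (Get-ADRootDSE).schemaNamingContext

# systemFlags bit 0x10 (FLAG_SCHEMA_BASE_OBJECT) marks attributes shipped in the base schema;
# attributes without it were added by a schema extension.
$FLAG_SCHEMA_BASE_OBJECT = 0x10

# searchFlags bit 0x80 (fCONFIDENTIAL) removes the attribute from the default read
# permission: readers then need CONTROL_ACCESS on the object instead of plain READ_PROPERTY.
$fCONFIDENTIAL = 0x80

$extended = Get-ADObject -SearchBase $schemaNC -SearchScope OneLevel `
    -LDAPFilter '(objectClass=attributeSchema)' `
    -Properties lDAPDisplayName, attributeID, systemFlags, searchFlags |
    Where-Object { -not ($_.systemFlags -band $FLAG_SCHEMA_BASE_OBJECT) }

$report = foreach ($attr in $extended) {
    [pscustomobject]@{
        Attribute    = $attr.lDAPDisplayName
        OID          = $attr.attributeID
        Confidential = [bool]($attr.searchFlags -band $fCONFIDENTIAL)
    }
}

# Extended attributes that are not confidential are readable by every authenticated user
# with default permissions; each one is worth a question about what data it actually holds.
$report | Sort-Object Confidential, Attribute | Format-Table -AutoSize
```

The confidential bit is a schema-wide setting and cannot be applied to base-schema attributes, which is why the script only looks at the extended ones.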
I, too, am trying to understand why a schema extension, in and of itself, should be considered a security hole. I am assuming the author means there is the potential for an information disclosure issue based on the data that gets stored. However, the author covers that previously.