
Active Directory Explorer

nhatlt
Occasional Visitor

Hi all,

When using AD Explorer (https://docs.microsoft.com/en-us/sysinternals/downloads/adexplorer), I found that a normal user can view too much information like this:

[Image: AD_normal_user_2.jpg]

Does it happen by design? If not, what should I do for security?

Thanks.

2 Replies

@nhatlt Could you elaborate on which information you think is "too much" for a valid domain user account?

Sensitive information is blocked already for standard users; some information could be protected further to harden the network against attackers trying to get as much information as possible (for example, enumeration of admin-group membership would be something you should look into).

For example: Even if a user can view most properties of a computer object, he will not see the stored BitLocker Recovery Information or a saved Administrator Password (if you are using LAPS).

The information a user can see should never pose any security problem. At best, it helps an attacker with valid domain credentials to get more information about your network.

If an attacker sees all this information and your design is secure, you just helped him save some time. If your design is not secure to begin with, hiding information won't make it more secure.
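The claim in the reply above, that a standard user cannot read LAPS passwords or BitLocker recovery data, can be verified rather than assumed. The script below is an added example, not part of the original thread; it assumes the RSAT ActiveDirectory module, the legacy LAPS attribute `ms-Mcs-AdmPwd`, and a session running as an ordinary, non-privileged domain user.

```powershell
# Added example (not from the thread). Run as an ordinary domain user.
Import-Module ActiveDirectory

# 1. List attributes the schema marks CONFIDENTIAL (searchFlags bit 0x80 = 128).
#    1.2.840.113556.1.4.803 is the LDAP bitwise-AND matching rule.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$confidential = Get-ADObject -SearchBase $schemaNC `
    -LDAPFilter '(&(objectClass=attributeSchema)(searchFlags:1.2.840.113556.1.4.803:=128))' `
    -Properties lDAPDisplayName, searchFlags |
    Select-Object lDAPDisplayName, searchFlags
$confidential | Sort-Object lDAPDisplayName | Format-Table -AutoSize

# 2. Attributes that this account must NOT be able to read.
$secretAttributes = @(
    'ms-Mcs-AdmPwd',          # legacy LAPS local administrator password
    'msFVE-RecoveryPassword'  # BitLocker recovery password
)

$findings = foreach ($attr in $secretAttributes) {
    # A presence filter only matches objects on which the caller has read
    # access to the attribute, so any hit means the value is exposed.
    $readable = @(Get-ADObject -LDAPFilter "($attr=*)" -ResultSetSize 25)
    [pscustomobject]@{
        Attribute          = $attr
        MarkedConfidential = $confidential.lDAPDisplayName -contains $attr
        ReadableObjects    = $readable.Count
        Sample             = ($readable | Select-Object -First 3 -ExpandProperty DistinguishedName) -join '; '
    }
}
$findings | Format-Table -AutoSize -Wrap

# 3. Flag any exposure so it can be fixed in the ACLs of the affected OUs.
if ($findings | Where-Object { $_.ReadableObjects -gt 0 }) {
    Write-Warning 'A standard user can read secret attributes; review delegated read and extended rights on the listed objects.'
} else {
    Write-Output 'No secret attributes readable by this account.'
}
```

A result of zero readable objects for both attributes matches the behaviour the reply describes; any non-zero count points to over-broad delegation on the listed objects.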

Also reach out to subject matter experts in dedicated Sysinternals forums located here.

https://social.technet.microsoft.com/Forums/en-US/home?category=sysinternals