Active Directory Explorer


Hi all,

When using AD Explorer (https://docs.microsoft.com/en-us/sysinternals/downloads/adexplorer), I found that a normal user can view too much information like this:

[Image: AD_normal_user_2.jpg]

Does it happen by design? If not, what should I do for security?

Thanks.

2 Replies
@nhatlt Could you elaborate on which information you think is "too much" for a valid domain user account?

Sensitive information is blocked already for standard users; some information could be protected further to harden the network against attackers trying to get as much information as possible (for example, enumeration of admin-group membership would be something you should look into).

For example: Even if a user can view most properties of a computer object, he will not see the stored BitLocker Recovery Information or a saved Administrator Password (if you are using LAPS).

The information a user can see should never pose any security problem. At best, it helps an attacker with valid domain credentials to get more information about your network.

If an attacker sees all this information and your design is secure, you just helped him save some time. If your design is not secure to begin with, hiding information won't make it more secure.
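
A read-only check of the point made in the reply above, as an added example that is not part of the thread: run as an ordinary domain user, it reports whether that account can read the LAPS password or BitLocker recovery password attributes. It assumes the RSAT ActiveDirectory module and legacy Microsoft LAPS (attribute `ms-Mcs-AdmPwd`); `Test-ConfidentialAttribute` is a name made up for this example.

```powershell
# Added example, not from the thread. Run as an ordinary (non-admin) domain user.
# Assumes the RSAT ActiveDirectory module and legacy Microsoft LAPS. Nothing is modified.
Import-Module ActiveDirectory

function Test-ConfidentialAttribute {
    param(
        [Parameter(Mandatory)] [string]$LdapFilter,  # which objects to inspect
        [Parameter(Mandatory)] [string]$Attribute    # attribute that should be hidden
    )
    try {
        $objects = @(Get-ADObject -LDAPFilter $LdapFilter -Properties $Attribute -ErrorAction Stop)
    } catch {
        # The query can fail, for example when the attribute is not in the
        # schema because LAPS was never deployed. Report that instead of stopping.
        return [pscustomobject]@{
            Attribute = $Attribute; Checked = 0; Readable = @(); Note = $_.Exception.Message
        }
    }
    # An attribute the caller may not read is simply absent from the result,
    # so any object that still carries a value is an exposure.
    $readable = @($objects | Where-Object { $_.$Attribute })
    [pscustomobject]@{
        Attribute = $Attribute
        Checked   = $objects.Count
        Readable  = @($readable | ForEach-Object DistinguishedName)
        Note      = ''
    }
}

$results = @(
    # Local administrator password stored by legacy LAPS on computer objects
    Test-ConfidentialAttribute -LdapFilter '(objectCategory=computer)' -Attribute 'ms-Mcs-AdmPwd'
    # BitLocker recovery passwords stored in child objects of computer objects
    Test-ConfidentialAttribute -LdapFilter '(objectClass=msFVE-RecoveryInformation)' -Attribute 'msFVE-RecoveryPassword'
)

$results | Format-Table Attribute, Checked, @{ n = 'ReadableCount'; e = { $_.Readable.Count } }, Note

foreach ($r in $results | Where-Object { $_.Readable.Count -gt 0 }) {
    Write-Warning "$($r.Attribute) is readable by $env:USERNAME on $($r.Readable.Count) object(s); review the ACLs on:"
    $r.Readable | ForEach-Object { "  $_" }
}
```

A `ReadableCount` of 0 for both attributes matches what the reply describes; any other result means read access to those attributes has been delegated more widely than intended.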

Also reach out to subject matter experts in dedicated Sysinternals forums located here.

https://social.technet.microsoft.com/Forums/en-US/home?category=sysinternals