Security concerns of extended schema in Active Directory


Serdar Yegulalp
04.19.2006

The structure of Active Directory -- the classes of object it can hold, the attributes each class carries, and the syntax of those attributes -- is referred to as its schema. Since AD is at heart a database, the default schema is not set in stone and can be changed when needed. That said, extending the AD schema is not something to do casually, and third-party products that extend it on your behalf complicate matters further, especially where security is concerned.

The first thing to be conscious of when using such products is that anything added to the schema is typically readable by default by everyone in the directory. If you extend the schema, you also need to decide what access to grant to the new schema elements: who may add or change them, whether most users should be able to see them at all, and so on.
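The audit below is an added example, not code from the original tip. It lists every attribute that is not part of the base schema (the ones an extension introduced) and reports whether each is readable with ordinary read permission or gated behind the confidential bit in searchFlags (bit 0x80, honoured by domain controllers from Windows Server 2003 SP1 onward). It assumes the ActiveDirectory PowerShell module and an account that can read the schema partition; the final function additionally assumes Schema Admins membership and a session on the schema master. The function names are the example's own.

```powershell
# Added example, not from the original tip: audit schema extensions for
# default read exposure. Assumes the ActiveDirectory PowerShell module (RSAT)
# and an account allowed to read the schema partition; Set-SchemaAttributeConfidential
# additionally needs Schema Admins and a connection to the schema master.
Import-Module ActiveDirectory

$SchemaBaseObjectFlag = 0x10   # systemFlags bit: object ships with the base schema (category 1)
$ConfidentialFlag     = 0x80   # searchFlags bit: readers need the CONTROL_ACCESS right

function Get-SchemaExtensionAttribute {
    # Every attributeSchema object that is NOT part of the base schema, i.e. the
    # attributes added by your own or third-party extensions.
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    Get-ADObject -SearchBase $schemaNC -LDAPFilter '(objectClass=attributeSchema)' `
        -Properties lDAPDisplayName, attributeID, searchFlags, systemFlags, isDefunct, whenCreated |
        Where-Object { (([int]$_.systemFlags) -band $SchemaBaseObjectFlag) -eq 0 }
}

function Test-SchemaAttributeExposure {
    # Reports whether each extension attribute is readable with ordinary read
    # permission (the default) or gated behind the confidential bit.
    param([Parameter(ValueFromPipeline)] $Attribute)
    process {
        $confidential = (([int]$Attribute.searchFlags) -band $ConfidentialFlag) -ne 0
        if ($confidential) {
            $finding = 'Confidential: requires CONTROL_ACCESS (or Full Control) to read'
        } else {
            $finding = 'Readable by default: consider the confidential bit or a tighter ACL'
        }
        [pscustomobject]@{
            Name         = $Attribute.lDAPDisplayName
            OID          = $Attribute.attributeID
            Created      = $Attribute.whenCreated
            Defunct      = [bool]$Attribute.isDefunct
            Confidential = $confidential
            Finding      = $finding
        }
    }
}

function Set-SchemaAttributeConfidential {
    # Sets searchFlags bit 0x80 on one extension attribute. The directory refuses
    # this for base-schema (category 1) attributes, which is why the audit above
    # filters them out.
    param([Parameter(Mandatory)][string]$LdapDisplayName)
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $attr = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" `
        -Properties searchFlags
    if (-not $attr) { throw "Attribute '$LdapDisplayName' not found in the schema" }
    $newFlags = ([int]$attr.searchFlags) -bor $ConfidentialFlag
    Set-ADObject -Identity $attr.DistinguishedName -Replace @{ searchFlags = $newFlags }
}

# Usage: list every extension attribute and flag the ones readable by default.
Get-SchemaExtensionAttribute | Test-SchemaAttributeExposure | Format-Table -AutoSize
```

Two caveats when reading the report: the confidential bit only removes the default read right, so anyone holding Full Control on the object that carries the value (Domain Admins, for instance) can still read it; and the values themselves live on user, computer or application objects, so the ACLs on those objects, not on the schema objects, decide who can write them.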

Likewise, if you're extending the schema to work with a custom or third-party application (or if the app itself is making the changes), you should regard those changes as a possible security hole unless they are explicitly dealt with by the app itself or by work you do.

Also, schema changes cannot be undone without rolling back the AD store as a whole. You can modify or deactivate a given class or attribute, but you cannot delete it outright. If you can spare the time and resources, set up an isolated test forest (perhaps via Microsoft Virtual Server) where you can try out your schema extensions in a controlled way. If the extensions you're considering are substantial, or may change the way AD is routinely accessed and updated, the time and effort will be well spent.
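The walk-through below is an added example, not code from the original tip, showing the full life cycle the paragraph describes in a lab forest: create a test attribute (born confidential), attach it to a class, and then deactivate it, which is the closest thing to an undo that AD offers. It assumes the ActiveDirectory PowerShell module, Schema Admins membership and a session on the schema master; the attribute name, the OID and the function names are constructed placeholders, and a real test needs an OID you generate yourself.

```powershell
# Added example, not from the original tip: create, attach, and then deactivate
# a test attribute inside an isolated lab forest. Assumes the ActiveDirectory
# PowerShell module, Schema Admins membership and a session on the schema master.
# The attribute name and OID are constructed placeholders; generate your own OID
# before trying this even in a lab.
Import-Module ActiveDirectory

$SchemaNC     = (Get-ADRootDSE).schemaNamingContext
$TestAttrName = 'labExampleNote'                       # placeholder lDAPDisplayName
$TestAttrOid  = '1.2.840.113556.1.8000.2554.99999.1'   # placeholder OID
$TargetClass  = "CN=User,$SchemaNC"                    # class that will carry the attribute

function Update-SchemaCache {
    # Tell the DC to reload its in-memory schema so the change is usable at once
    # instead of after the next automatic refresh.
    $rootDse = [ADSI]'LDAP://RootDSE'
    $rootDse.Put('schemaUpdateNow', 1)
    $rootDse.SetInfo()
}

function New-LabSchemaAttribute {
    # Single-valued Unicode string (attributeSyntax 2.5.5.12 / oMSyntax 64), born
    # confidential (searchFlags 0x80) so it is never readable by default.
    New-ADObject -Name $TestAttrName -Type attributeSchema -Path $SchemaNC -OtherAttributes @{
        lDAPDisplayName = $TestAttrName
        attributeID     = $TestAttrOid
        attributeSyntax = '2.5.5.12'
        oMSyntax        = 64
        isSingleValued  = $true
        searchFlags     = 0x80
    }
    Update-SchemaCache
}

function Add-LabSchemaAttributeToClass {
    # An attribute does nothing until a class lists it; here it becomes an
    # optional attribute of the user class.
    Set-ADObject -Identity $TargetClass -Add @{ mayContain = $TestAttrName }
    Update-SchemaCache
}

function Disable-LabSchemaAttribute {
    # The only "undo" AD offers. The attribute must first be removed from every
    # active class that references it; it then stays in the schema partition with
    # isDefunct = TRUE, can be reactivated, but can never be deleted.
    Set-ADObject -Identity $TargetClass -Remove @{ mayContain = $TestAttrName }
    $attr = Get-ADObject -SearchBase $SchemaNC -LDAPFilter "(lDAPDisplayName=$TestAttrName)"
    Set-ADObject -Identity $attr.DistinguishedName -Replace @{ isDefunct = $true }
    Update-SchemaCache
}

# Usage, in the lab forest only:
# New-LabSchemaAttribute; Add-LabSchemaAttributeToClass
# ... exercise the application that needs the attribute ...
# Disable-LabSchemaAttribute
```

Running the three steps in sequence, then inspecting the schema afterwards, makes the paragraph's point concrete: the deactivated attribute is still there, still replicates, and still occupies its name and OID, which is exactly why trying an extension in a throwaway forest first is cheaper than living with it in production.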

About the Author:
Serdar Yegulalp is editor of the Windows Power Users Newsletter.

This tip originally appeared on SearchWindowsSecurity.com
