Pre-Windows 2000 Compatible Access Group permission vulnerability

by Wayne Maples [Published on 20 April 2004 / Last Updated on 20 April 2004]

Windows NT was notorious for the amount of information available to hackers and penetration teams as configured out of the box. It was possible for a guest to get a list of shares, the list of users, groups, ad nauseam. Microsoft released a method to restrict anonymous connections. It appears Microsoft is repeating old mistakes in the Active Directory realm. The Pre-Windows 2000 Compatible Access group grants Everyone the same ability to browse through Active Directory and to read permissions on every attribute of every object. OUCH! This is a little too much free information flow.

The default membership of the Pre-Windows 2000 Compatible Access group includes the Everyone group. To tighten up the system, you need to remove the Everyone group from the Pre-Windows 2000 Compatible Access group.

You need to test. Just as with the Windows NT anonymous connection issues, you may not be able to close the hole because of unique issues within your enterprise. Certain down-level clients may not function, particularly Win9x clients.
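
One way to check for the Everyone membership described above and remove it after testing, as an added example that is not part of the original article. It assumes the ActiveDirectory PowerShell module (RSAT) and an account allowed to modify the group; the `-Remove` switch is this script's own parameter.

```powershell
# Added example, not from the original article.
# Assumes the ActiveDirectory module (RSAT); -Remove is this script's own switch.
[CmdletBinding(SupportsShouldProcess)]
param([switch]$Remove)

Import-Module ActiveDirectory -ErrorAction Stop

$groupSid    = 'S-1-5-32-554'  # well-known SID of Pre-Windows 2000 Compatible Access
$everyoneSid = 'S-1-1-0'       # well-known SID of Everyone

$group = Get-ADGroup -Identity $groupSid -Properties member

# Read the member attribute directly: well-known principals such as Everyone
# are stored as foreignSecurityPrincipal objects whose objectSid is that SID.
$members = foreach ($dn in $group.member) {
    $obj  = Get-ADObject -Identity $dn -Properties objectSid
    $sid  = $obj.objectSid
    $name = try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { '<unresolved>' }
    [pscustomobject]@{
        Name              = $name
        Sid               = $sid.Value
        IsEveryone        = ($sid.Value -eq $everyoneSid)
        DistinguishedName = $dn
    }
}

# Show the full membership so every entry can be reviewed, not only Everyone.
$members | Format-Table Name, Sid, IsEveryone -AutoSize | Out-Host

$everyone = $members | Where-Object IsEveryone
if (-not $everyone) {
    Write-Output 'Everyone is not a member; nothing to change.'
} elseif ($Remove) {
    foreach ($m in $everyone) {
        # Honors -WhatIf and -Confirm, so the change can be previewed first.
        if ($PSCmdlet.ShouldProcess($group.DistinguishedName, "Remove $($m.Name)")) {
            Set-ADGroup -Identity $groupSid -Remove @{ member = $m.DistinguishedName }
        }
    }
} else {
    Write-Warning 'Everyone is a member. Re-run with -Remove -WhatIf to preview the change.'
}
```

Run without switches, the script only reports. Record the membership it prints before using `-Remove`, so the entry can be restored if down-level clients stop working.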
