securing active directory

TechNet Security Summit 2004 1.

Securing Active Directory

Jimmy AnderssonPrincipal Advisor

Q Advice AB

[email protected]


Agenda• AD Design (overview)• DNS Design (overview)• GPO Security Settings • Understanding the Schema• Securing Active Directory


AD Design• Step 1: Understand your requirements

– Political autonomy• Divisions of organization with autonomous IT

– Operational isolation• Isolate extranet from intranet systems

– Legal/regulatory isolation


AD Design• Step 2: Understand your ability to control service admins

and limit physical placement of DCs– Cannot prevent malicious service admins from controlling services

or accessing data in any domain in forest– Consider the ramifications of the coerced administrator scenario

• An admin may be trustworthy, but what if they are legally (or otherwise) compelled to act against the best interest of the organization?


AD Design

• Step 3: Select appropriate directory structure based on requirements– Windows Server 2003 Deployment Guide

http://www.microsoft.com/downloads/details.aspx?familyid=6cde6ee7-5df1-4394-92ed-2147c3a9ebbe&displaylang=en


• In practice, single forest with OUs for delegation is best model– All service admin handled by single, globally trusted team– Data admins get OUs– Geographic domains for partitioning of replication, as necessary

• If OU is insufficient create separate forest(s)– If need service autonomy or isolation– If no globally trusted service admin team

AD Design


• Domain boundary – Boundary when considering management– Replication control– Domains do not provide complete isolation from malicious service

admins

• Forest boundary– Only true security boundary– Provide complete isolation and autonomy

AD Design


• A dedicated forest root domain – Does not provide additional security– Benefits include:

• Reduce likelihood of non-malicious error by Enterprise Admins by clearly separating from Domain Admins of operational domains

• Never becomes obsolete

• Enables easy transfer of forest ownership

• Removing EA from child domains– Does not block access by malicious forest root service admins

AD Design


• Extranet scenario– Forest(s) for computers in intranet– Separate forest for servers in extranet

• “Isolate secret project” scenario– One large corporate forest for day-to-day– Separate forest with separate accounts, computers, and network

for secret project

AD Design


• Decentralized IT scenario– Division A, division B both with own IT budget and staff– Divisions used to having admin control– Central CIO office recommends policy, but in practice cannot

dictate or enforce– What do you do?

• One forest, central runs root, divisions get domains?

• One forest per division?

AD Design


DNS Design (overview)


• Simple design – BUT risk external exposure of namespace and SRV records

• Potentiall complex set of permissions to update and manage DNS zone information

• SRV records are intermingled with all resource records in the organization

Single Namespace


• Subzone of public namespace is delegated to AD• Segregates AD SRV records from pub available records• Management of specific portion of DNS

Delegated Namespace


• Alleviates concerns over who will manage AD portion of DNS

• Can hamper the scalability of AD

Internal Namespace


• Allows same namespace for AD both int and ext but not same DNS infrastructure

• Allows isolation of AD DNS infrastructure• Preserve public scalability• Most likely manual replication of entries

Segmented Namespace


• Secure Dynamic Update• DNS records as AD Objects• Zone transfer security• IPSec between Client and Server (covered by Thomas

Lee later today)• DNS Cache

AD Integrated Zones


Secure Dynamic Update– The third option; only allows secure dynamic updates– DNS Server will forward attempt to AD– Change will be compared to the DACL on the zone obj and to

the resource record (if it exists)– Change only occur if computer has necessary permissions

AD Integrated Zones


DNS records as AD Objects– Resource records stored as AD obj– Security can be configured as your organization requires

AD Integrated Zones


Zone transfer security– Std default zone transfer records sent as clear text– Req additional config to secure connection between DNS

Servers– DNS zones stored as AD int obj AD replication is used to

transfer zone updates– AD replication is automatically encrypted by using RPC

encryption by default

AD Integrated Zones


Protecting the DNS Cache– If server is not authoritative for the RR it will check cache before

it queries other servers– Cache pollution: an attacker adds entries into the cache to

redirect clients– Enable Secure Cache Against Pollution option on the server– If enabled, inspects response from another server to determine

whether referenced names are pollution attempts

Referral record to different namespace might not be cached even if it’s valid.

AD Integrated Zones


GPO Security Settings

Understanding the affects of implementation

Examples of Compatibility Issues That May Occur


Shut down system immediately if unable to log security audits 1/2• Windows 2000: may stop logging events before the specified size

is reached. This bug is fixed in Windows 2000 Service Pack 4 (SP4)

• Windows 2000, Windows Server 2003: may stop responding and then may spontaneously restart if the log is full and if an existing event log entry cannot be overwritten

• Microsoft Network Client for MS-DOS, Windows 95, Windows 98, Windows NT 4.0, Windows 2000, Windows XP, Windows Server 2003: Non-administrators who try to log on to a domain will receive the following error message:

– Your account is configured to prevent you from using this computer. Please try another computer

• Windows 2000: On Windows 2000-based computers, non-administrators will not be able to log on to remote access servers, and they will receive an error message that is similar to the following:

– Unknown user or bad password


• Windows 2000: On Windows 2000 domain controllers, the Intersite Messaging service (Ismserv.exe) will stop and will not be able to be restarted

• Windows 2000:Active Directory replication will fail, and an "Access Denied" message will appear if the security event log is full

• Microsoft Exchange 2000: Will not be able to mount the information store database, and event 2102 will be registered in the event log

• Outlook, Outlook Web Access: Non-administrators will not be able to access their mail through Microsoft Outlook or through Microsoft Outlook Web Access, and they will receive a 503 error

Shut down system immediately if unable to log security audits 2/2


LDAP server signing requirements • Simple binds will fail, and you will receive the following error

message:– Ldap_simple_bind_s() failed: Strong Authentication Required

• Windows 2000 Service Pack 4, Windows XP, Windows Server 2003: Some AD admin tools will not operate correctly against DCs that are running Windows 2000 pre-SP3 when NTLM authentication is negotiated

• Windows 2000 Service Pack 4, Windows XP, Windows Server 2003: Some AD admin tools that target DCs that are running versions of Windows 2000 pre-SP3 will not operate correctly if they are using IP addresses (example, "dsa.msc /server=x.x.x.x" where x.x.x.x is an IP address)

• Windows 2000 Service Pack 4, Windows XP, Windows Server 2003: Some AD admin tools that target domain controllers that are running versions of Windows 2000 pre-SP3 will not operate correctly


LDAP client signing requirements

• Enabling the LDAP client signing requirements setting is a risky configuration. If you set the server to require LDAP signatures, you must also configure LDAP signing on the client. Not configuring the client to use LDAP signatures will prevent communication with the server; this will cause user authentication, Group Policy settings, logon scripts, and other features to fail.


Require strong (Windows 2000 or later) session key

• Windows NT 4.0: On Windows NT 4.0-based computers, resetting secure channels of trust relationships between Windows NT 4.0 and Windows 2000 domains with NLTEST fails with "Access Denied" error message:

– The trust relationship between the primary domain and the trusted domain failed


Digitally encrypt or sign secure channel data (always) 1/2

• Windows 2000: Will not be able to join Windows NT 4.0 domains and will receive the following error message:

– The account is not authorized to log in from this station• Windows NT 4.0: Windows NT 4.0 domains will not be able to

establish a down-level trust with a Windows 2000 domain and will receive the following error message:

– The account is not authorized to log in from this station– Existing down-level trusts may also not authenticate users from the

trusted domain. Some users may have difficulty logging on to the domain, and they may receive an error message that states that the client cannot find the domain

• Microsoft Network: Microsoft Network clients will receive one of the following error messages:

– Logon failure: unknown username or bad password– There is no user session key for the specified logon session


• Windows XP: Clients that are joined to Windows NT 4.0 domains will not be able to authenticate logon attempts and may receive the following error message, or the following events may be registered in the event log: – Windows cannot connect to the domain either because the domain

controller is down or is otherwise unavailable or because your computer account was not found

– Event 5723: The session setup from computer ComputerName failed to authenticate. The name of the account referenced in the security database is ComputerName. The following error occurred: Access is denied.

– Event 3227: The session setup to the Windows NT or the Windows 2000 domain controller Server Name for the domain Domain Name failed because Server Name does not support signing or sealing the Netlogon session. Upgrade the domain controller, or set the RequireSignOrSeal registry entry on this computer to 0

Digitally encrypt or sign secure channel data (always) 2/2


Domain Member: Digitally sign communications (always)

• Windows NT 4.0: Not able to reset the secure channel of a trust between a Windows Server 2003 domain and a Windows NT 4.0 domain by using NLTEST or NETDOM, and you will receive an "Access Denied" error message

• Windows XP: Copying files from Windows XP clients to Windows 2000-based servers and to Windows Server 2003-based servers

may take more time – You will not be able to map a network drive from a client with this

setting enabled, and you will receive the following error message:

• The account is not authorized to log in from this station


Microsoft Network Client: Digitally sign communications (always)

• Windows 95: Without the DS Client installed, fail logon authentication and receive the following error message:

– The domain password you supplied is not correct, or access to your logon server has been denied

• Windows NT 4.0: Client pre-SP 3 will fail logon authentication and will receive the following error message:

– The system could not log you on. Make sure your username and your domain are correct, then type your password again

• The following clients are incompatible with the Microsoft network server: Digitally sign communications (always) setting:

– Apple Computer, Inc., Mac OS X clients – Microsoft MS-DOS network clients (for example, Microsoft LAN Manager) – Microsoft Windows for Workgroups clients – Microsoft Windows 95 clients without the DS Client installed – Microsoft Windows NT 4.0-based computers without SP3 or later installed – Novell Netware 6 CIFS clients – SAMBA SMB clients that lack support for SMB signing


Network access: Allow anonymous SID/Name translation

• Windows NT 4.0: Computers in Windows NT 4.0 resource domains will display the "Account Unknown" error message in ACL Editor if resources, including shared folders, shared files, and registry objects, are secured with security principals that reside in account domains that contain Windows Server 2003 domain controllers


Network access: Do not allow anonymous enumeration of SAM accounts

• SMS: Network Discovery will not be able to obtain operating system information and will write "Unknown" in the OperatingSystemNameandVersion property.

• Windows 95, Windows 98: Clients will not be able to change their passwords.

• Windows NT 4.0: Member computers will not be able to be authenticated.

• Windows 95, Windows 98: will not be able to be authenticated by Microsoft domain controllers.

• Windows 95, Windows 98: Users on Windows 95-based and Windows 98-based computers will not be able to change the passwords for their user accounts.


Do not allow anonymous enumeration of SAM accounts and shares 1/3

• Windows NT 4.0: When RestrictAnonymous is enabled• Windows NT 4.0: Adding users or global groups from trusted

Windows 2000 domains to Windows NT 4.0 local groups in User Manager will fail with the following error message:

– There are currently no logon servers available to service the logon request

• Windows NT 4.0: Not able to join domains during setup or by using the domain join user interface

• Windows NT 4.0: Establishing a down-level trust with Windows NT 4.0 resource domains will fail with the following error message when RestrictAnonymous is enabled on the trusted domain:

– Could not find domain controller for this domain• Windows NT 4.0: Users who log on to Terminal Server computers

will map to the default home directory instead of the home directory that is defined in User Manager for domains


• Windows NT 4.0: BDCs will not be able to start the Net Logon service, obtain a list of backup browsers, synchronize the SAM from Windows 2000 or from Windows Server 2003 DCs in the same domain

• Windows 2000: Member computers in Windows NT 4.0 domains will not be able to view printers in external domains if the No access without explicitly anonymous permissions setting is enabled in the local security policy of the client computer

• Windows 2000: Domain users will not be able to add network printers from AD; however, they will be able to add printers after they select them from the tree view

• Windows 2000: ALC Editor will not be able to add users or global groups from trusted Windows NT 4.0 domains

• ADMT version 2: Password migration for user accounts that are migrated between forests with ADMTv2 will fail

• Outlook clients: The global address list will appear empty to Microsoft Exchange Outlook clients



• SMS: Network Discovery will not be able to obtain the operating system information. Therefore, it will write "Unknown" in the OperatingSystemNameandVersion property of the SMS DDR property of the discovery data record (DDR)

• SMS: When you use the SMS Administrator User Wizard to browse for users and for groups, no users and no groups will be listed

• SMS: When you are using the Network Discovery feature in SMS 2.0 and in Remote Client Installation with the Topology, client, and client operating systems network discovery option turned on, computers may be discovered but may not be installed



LanManager authentication level

• Windows 2000: If a Windows 2000 domain with NTLMv2 Level 2 or later is trusted by a Windows NT 4.0 domain, Windows 2000-based member computers in the resource domain may experience authentication errors.

• Windows 2000: Windows 2000 clustering does not authenticate a joining node if both nodes are part of a Windows NT 4.0 Service Pack 6a (SP6a) domain.


Understanding the Schema


Attributes

• Represents the possible properties that can be used in object classes

• Defined one time and reused for each object class which they are associated


Object Classes• Collections of attributes that can be instantiated to create

objects, some are mandatory others are optional• Based on X.500 1993 specification for DS that defines

hierarchal structure of classes.• X.509 requires that object classes be assigned to one of

the following categories:– Structural– Abstract– Auxiliary


Structural Classes• Creating objects in Active Directory• Can be used in defining the structure of the directory• Derived from either an abstract class or another

structural class• Its definition can include any number of auxiliary classes


Abstract Classes• Templates to derive new structural classes• Can’t be instantiated in the directory (objs can’t belong to

an abstract class only; each obj must also belong to some non-abstract subclass)

• Can be derived from an existing abstract class• Provide attributes for subordinate classes (subclasses)

– Subclasses contain all mandatory and optional attributes of the class from which it derived from (superclass), in addition to those attributes specific to the class itself


Auxiliary Classes• Contain a list of attributes• Can’t be instantiated in the directory• Can be derived from existing aux classes• Adds the aux class’s attributes to the definition of a

structural or abstract class


Class Derivation

TopTop

Mandatory

Optional

objClass XobjClass X

New


Securing Active Directory


Security Descriptor• All objects and their properties have SDs• Control access to objects and values of the

obj’s attributes• Includes a discretionary access control list

(DACL)• Includes a system access control list (SACL)• Includes obj’s ownership data

Header

SecurityDescriptor

Owner SID

Group SID

ACEs

ACEs

DACL

SACL


Security Descriptor• The nTSecurityDescriptor attribute holds the SD as

a binary blob– Can be viewed and translated using LDP

• LDP translates the blob to Security Descriptor Definition Language (SDDL) format

• The simplest way is to view the ACL via the security UI– The UI doesn’t always show the “truth”!


View SD through LDP


Setting the Security Descriptor

objectGUID of deleted objects

container


Dssec.dat

• File that filters the “visible” attributes to which one can control permissions in the GUI

• Editing allows exposing of additional attributes, e.g., UserAccountLockout


Displayedattributescontrolledby dssec.dat

[serviceInstance]@=7adminDescription=7adminDisplayName=7

[user]aCSPolicyName=7adminCount=7allowedAttributes=7allowedAttributesEffective=7allowedChildClasses=7

[volume]adminDescription=7adminDisplayName=7allowedAttributes=7allowedChildClassesEffective=7

%SystemRoot%\System32\dssec.dat

…………………

…………………

UI Security Tab

Do NOT display attribute in Permissions field

No entry or = 0: display read/write= 1: display write= 2: display read


View dssec.dat


Security Descriptor Definition Language

O:owner_sidG:group_sidD:dacl_flags(string_ace1)(string_ace2)... (string_acen)S:sacl_flags(string_ace1)(string_ace2)... (string_acen)

Primary group has no significance in AD

D=DACLS=SACL

• dacl_flags– AI for auto inherit (always set)– PAI for protected


Security Descriptor Definition Language

ace_type;ace_flags;rights;object_guid;inherit_object_guid;account_sid

A=access allowedD=access deniedOA=object access allowedOD=object access denied

CI=container inheritOI=object inheritNP=no propagationIO=inherit onlyID=inherited ACE

GUID of attribute, extended right orproperty set

Permissions to be set

GUID of object type to inherit permission


SDDL ExamplesAuthenticated users full control on this objectPAI(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;AU)

Authenticated users full control on this object and all objectsO:DAG:DUD:PAI(A;CI;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;AU)

Authenticated users full control on child objects onlyO:DAG:DUD:PAI(A;CIIO;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;AU)

Read admin description this object only(OA;;RP;bf967919-0de6-11d0-a285-00aa003049e2;;AU)

Read and write location string on printer objects(OA;CIIO;RPWP;09dcb79f-165f-11d0-a064-00aa006c33ed;bf967aa8-0de6-11d0-a285-00aa003049e2;AU)

Read and write location string on printer objectswithin this container only(OA;CINPIO;RPWP;09dcb79f-165f-11d0-a064-00aa006c33ed;bf967aa8-0de6-11d0-a285-00aa003049e2;AU)


Object Access• Access to directory objects is controlled via Discretionary Access Control Lists

(DACLs)

• Fine granularity is provided by Access Control Entries (ACEs) that apply to specific attributes

DirectoryObject

DirectoryObject

DACL

IT Managersread access

IT Managersread access

ACE

ACEs can apply to specific attributes


DACL• Discretionary Access Control List• Consists of:

– Header– SID (user)– SID (group)– Generic Deny ACEs– Generic Allow ACEs– Object-specific Deny ACEs– Object-specific Allow ACEs

DACL

Header

Owner SID Owner group SID

Generic deny ACEs

Generic allow ACEs

Object-specific deny ACEs

Object-specific allow ACEs


Object DACLs• Objects can inherit DACLs as well as having them

explicitly set

DirectoryObject

DirectoryObject

OU

DACL

DACL

Inheritable ACL

DACL

DACL applies to OU

DACL Explicit ACL


Resource access• Access to the directory object doesn’t mean you

can gain access to the resource

OU OU OU

Domain

DACL

DACL DACL

DACL

DACL

The resource is still protected by its own DACLs


ACE• ACEs can be set on an OU that apply

– To the OU– To all contained objects– To specific types of child objects

• For example users, groups, shared folders and printers

• The inheritable ACEs for specific types of objects provide delegated administration capabilities


Anatomy of an ACE (example)

ACE Type

Audit

Access Mask

Object Type

Inherited Object Type

Inheritance

Trustee(SID)

AccessAllowed Denied Audit

Success FailAccess

Applies toObject Attribute Extended right

Identifies security principal to which the ACE applies

Specifies type of access

Delete

Read/Write object security

Generic Read/Write – access to object and all attributes

Create/Delete child

Read/Write property

Extended write operation


Extended Rights

• Used to define special operations and property sets• Special operations include resetting passwords, managing replication

and changing FSMO roles

• Identified by ControlAccessRight objs created in cn=extended-rights,cn=configuration…


ControlAccessRight Object

• A controlAccessRight object is used to control access to each special operation

CN=extended-rights,CN=configuration…

CN=User-Change-Password

rightsGUID

ACEs

displayName

Name used in the security UI

controlAccessRight objects

appliesTo

Used in ACE to Allow or DenyAccess to the special operation

Multi-valued attributesHolds the schemaIDGUID for

all object types associated with this special operation


Property SetsCN=extended-rights,CN=configuration…

CN=Personal-Information

rightsGUID

ACEs

displayName

Name used in the security UI

controlAccessRight objects

appliesTo

Used in ACE to Allow or DenyAccess to the property set

Multi-valued attributesHolds the schemaIDGUID for

all object types associated with this property set

An attribute is a member of the property set if its attributeSecurityGUID

value is the same as the rightsGUID value


ACEs• Each ACE grants or denies permissions for an individual security

principal• The DACL is only checked until the requested access has been

granted or denied

AllowSID3RX

DENYSID1

W

AllowSID1RX

AllowSID3

W


ACE ordering• An object’s explicit ACEs are checked in advance of inherited ACEs• In some cases access can be granted or denied based on just the

explicit DACL

AllowSID3

R

DENYSID20

W

AllowSID1

R

AllowSID3

W

DENYSID1RWD

DENYSID15RWX

AllowSID11

R

AllowSID31

W

Explicit

Inherited


Initial object ACL• Set programmatically during creation• Inherited DACL from parent combined with explicit

schema default DACL for the particular object type

DirectoryObject

DirectoryObject

OU

DACL

DACL

Inheritable DACL

DACL

Explicit DACL fromthe schema


Viewing the Default Permissions

• The default permissions are stored in the Schema– Location: defaultSecurityDescriptor attribute

• Stored as an SDDL Unicode string– For full details of SDDL see the SDK documentation


User Object Default SecurityD:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)

(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;AO)(A;;RPLCLORC;;;PS)(OA;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;PS)(OA;;CR;ab721a54-1e2f-11d0-9819-00aa0040529b;;PS)(OA;;CR;ab721a56-1e2f-11d0-9819-00aa0040529b;;PS)(OA;;RPWP;77B5B886-944A-11d1-AEBD-0000F80367C1;;PS)(OA;;RPWP;E45795B2-9455-11d1-AEBD-0000F80367C1;;PS)(OA;;RPWP;E45795B3-9455-11d1-AEBD-0000F80367C1;;PS)(OA;;RP;037088f8-0ae1-11d2-b422-00a0c968f939;;RS)(OA;;RP;4c164200-20c0-11d0-a768-00aa006e0529;;RS)(OA;;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;;RS)(A;;RC;;;AU)(OA;;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;;AU)(OA;;RP;77B5B886-944A-11d1-AEBD-0000F80367C1;;AU)(OA;;RP;E45795B3-9455-11d1-AEBD-0000F80367C1;;AU)(OA;;RP;e48d0154-bcf8-11d1-8702-00c04fb96050;;AU)(OA;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;WD)(OA;;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;;RS)(OA;;RPWP;bf967a7f-0de6-11d0-a285-00aa003049e2;;CA)(OA;;RP;46a9b11d-60ae-405a-b7e8-ff8a58d456d2;;S-1-5-32-560)(OA;;WPRP;6db69a1c-9422-11d1-aebd-0000f80367c1;;S-1-5-32-561)


Explicit ACLs

• Objects can inherit ACLs as well as having them explicitly set

DirectoryObject

DirectoryObject

OU

ACL

ACL

Inheritable ACL

ACL

ACL applies to OU

ACL Explicit ACL


Modifying the Default Explicit Permissions

• The schema defaults can be modified• Schema defaults can be reapplied using dsacls • Take great care reapplying the schema defaults

New DACL New Obj’s


Controlling Object Visibility

• For many of the objects, the default ACL from the schema provide Read for the Authenticated Users – This ACE must be removed to control visibility

HRdata

ACL Read volume objects: HR domain users corporate managers

X X X

Remove explicit Read for Authenticated Users


List Object Mode

• The List Object mode allows the contained objects to be hidden– Note that additional CPU cycles required for access checking

List contents allows users to see the existence of contained objects even if access is denied to some of those objects

G1: list contents

G1: accessallowed

G1: list object

G1: accessallowed

G1: accessdenied


List Content vs. List Object

Content Object


Selecting List Object Mode

• Set the third dsHeuristic flag to 1• First two flags control the ANR search algorithm


AdminSDHolder

• The ACL on user accounts that are members of one or more “protected” groups are automatically set and refreshed to enhance security – The propagator thread runs every hour on the PDC FSMO

ACL

Member of a protected group

ACL

cn=AdminSDHolder,cn=system,dc=domain,dc…

Template ACL

If different, replace anddisable inheritance


Protected Groups

– Administrators– Account Operators– Server Operators– Print Operators– Backup Operators

The adminCount on protected groups is greater than or equal to 1

– Domain Admins– Schema Admins– Enterprise Admins– Cert Publishers

Windows 2003 & 2000 with hotfix 327825


View adminCount


Default Template

• The default ACL template on AdminSDHolder cannot be fully edited through the UI– For example, there is no Change Password ACE for a container

• Change the template with dsacls

dsacls cn=adminsdholder,cn=system,dc=…. /G “Everyone:CA;Change Password”


Managing Directory ACLs

• Delegation of Control Wizard for task-based control• Always set permissions for security groups • Security Tab for raw control


Security groups

• Use security groups with the appropriate scope and membership

• Universal groups• Global groups• Domain Local groups

groupType:1.2.840.113556.1.4.804:=2147483648


Summary & More Information

http://www.microsoft.com/ad

http://www.microsoft.com/security

[email protected]


Q&A

securing active directory

Documents