Windows – Restrict access to active directory attributes from a particular computer

Tags: active-directory, attributes, security, windows

I know that some attributes in AD are classified as personal information and some are classified as public information (see the "property set" column here – http://www.kouti.com/tables/userattributes.htm).

My question is, how do I use that information to hide those attributes when users are logged in from a particular computer? I'm thinking this would be a great extra layer of protection against data leakage if you were planning to put a computer in a public area. If the machine got compromised, this should limit the amount of data that can be dumped from AD.

I don't want to restrict access to these attributes based on the user account, I only want to restrict access to attributes classified as "personal information" from a particular computer.

Best Answer

If a user currently has access to read those attributes and you want to prevent them from reading those attributes only in certain locations, then about the only thing I can think that might do the trick is a RODC with FAS (Filtered Attribute Set).

http://technet.microsoft.com/en-us/library/cc753459%28v=ws.10%29.aspx

What you would do is set up a read-only domain controller and have those public machines only point to that DC. Then you can extend the default Filtered Attribute Set to include the attributes you wish to hide (mark as confidential). This would prevent those attributes from being readable on the RODC.

This is actually listed as one of the benefits of a RODC.

http://technet.microsoft.com/en-us/library/cc770320%28v=ws.10%29.aspx

There might be other ways but I'm not really sure, I'm just the new guy here.
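The following is an added PowerShell example, not code from the answer above, showing the schema change the answer describes: adding attributes to the RODC Filtered Attribute Set (FAS) and listing what is currently filtered. Membership in the RODC FAS is a bit in the attribute's `searchFlags` on its `attributeSchema` object (`0x200`, RODC_FILTERED); marking the attribute confidential is another bit in the same value (`0x80`). It assumes the RSAT `ActiveDirectory` module, Schema Admins rights, a forest functional level that supports RODCs, and the attribute names (`homePhone`, `streetAddress`, `personalTitle`) are only illustrative picks from the "Personal Information" property set; choose your own list. The functions and variable names are this example's, not a Microsoft API.

```powershell
# Added example: extend the RODC Filtered Attribute Set via searchFlags.
# Not from the original answer; assumes ActiveDirectory module + Schema Admins.

Import-Module ActiveDirectory

# searchFlags bit values defined in the AD schema (MS-ADTS 2.2.9)
$fADMINISTRATIVELY_CONFIDENTIAL = 0x80    # 128: confidential attribute (needs CONTROL_ACCESS to read)
$fRODC_FILTERED                 = 0x200   # 512: attribute is in the RODC Filtered Attribute Set

# LDAP_MATCHING_RULE_BIT_AND lets us filter on a single bit of searchFlags
$bitAnd = '1.2.840.113556.1.4.803'

$schemaNC   = (Get-ADRootDSE).schemaNamingContext
$schemaFsmo = (Get-ADForest).SchemaMaster   # schema writes must go to the schema master

function Get-RodcFilteredAttributes {
    # Lists every attribute whose searchFlags has the RODC_FILTERED bit set,
    # i.e. the current FAS (default members plus anything you added).
    Get-ADObject -Server $schemaFsmo -SearchBase $schemaNC `
        -LDAPFilter "(&(objectClass=attributeSchema)(searchFlags:${bitAnd}:=$fRODC_FILTERED))" `
        -Properties lDAPDisplayName, searchFlags |
        Select-Object lDAPDisplayName, searchFlags
}

function Add-AttributeToRodcFas {
    # Sets RODC_FILTERED and CONFIDENTIAL on one attribute, leaving other bits intact.
    # Schema-critical (system) attributes are refused by the DC; this just surfaces that error.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$LdapDisplayName)

    $attr = Get-ADObject -Server $schemaFsmo -SearchBase $schemaNC `
        -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$LdapDisplayName))" `
        -Properties searchFlags
    if (-not $attr) { throw "Attribute '$LdapDisplayName' not found in the schema" }

    $current = [int]$attr.searchFlags
    $desired = $current -bor $fRODC_FILTERED -bor $fADMINISTRATIVELY_CONFIDENTIAL
    if ($desired -eq $current) {
        Write-Verbose "$LdapDisplayName already filtered (searchFlags=$current)"
        return
    }
    if ($PSCmdlet.ShouldProcess($LdapDisplayName, "set searchFlags $current -> $desired")) {
        Set-ADObject -Server $schemaFsmo -Identity $attr.DistinguishedName -Replace @{ searchFlags = $desired }
    }
}

# Illustrative picks from the "Personal Information" property set; substitute your own.
$toHide = 'homePhone', 'streetAddress', 'personalTitle'
foreach ($name in $toHide) { Add-AttributeToRodcFas -LdapDisplayName $name -Verbose }

Get-RodcFilteredAttributes | Format-Table -AutoSize
```

Two practical checks after the change: run `Get-RodcFilteredAttributes` against the schema master to confirm the bits stuck, and once replication has reached the RODC, query a user through it (`Get-ADUser someuser -Server rodc01 -Properties homePhone`) and confirm the filtered attribute comes back empty while the same query against a writable DC still returns it. Note that the property set classification on the linked page is only a guide for picking attributes; the FAS does not follow property sets automatically, so each attribute has to be added explicitly, and the schema edit is forest-wide.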