June 3, 2011, 9:07 p.m.
posted by trystan
Managing the Confidentiality Bit
You want to manage the confidentiality of a schema attribute.
' This code safely modifies the confidentiality bit of an attribute.
' ------ SCRIPT CONFIGURATION ------
strAttribute = "<schemaAttributeDN>" ' e.g. "cn=SalesUser-Description,cn=Schema,
                                     ' cn=Configuration,dc=rallencorp,dc=com"
strAttr = "searchFlags"              ' attribute that holds the flag bits
boolEnableBit = <TRUEorFALSE>        ' e.g. TRUE to set the bit, FALSE to clear it
intBit = 128                         ' bit 8 of searchFlags = confidentiality bit
' ------ END CONFIGURATION --------
set objAttribute = GetObject("LDAP://" & strAttribute)
intBitsOrig = objAttribute.Get(strAttr)
intBitsCalc = CalcBit(intBitsOrig, intBit, boolEnableBit)
if intBitsOrig <> intBitsCalc then
    ' write back only when the value actually changes
    objAttribute.Put strAttr, intBitsCalc
    objAttribute.SetInfo
    WScript.Echo "Changed " & strAttr & " from " & intBitsOrig & " to " & intBitsCalc
else
    WScript.Echo "Did not need to change " & strAttr & " (" & intBitsOrig & ")"
end if

' Returns intValue with intBit set (boolEnable = TRUE) or cleared (FALSE);
' leaves other bits untouched and is a no-op if the bit is already in that state.
Function CalcBit(intValue, intBit, boolEnable)
    CalcBit = intValue
    if boolEnable = TRUE then
        CalcBit = intValue Or intBit
    else
        if intValue And intBit then
            CalcBit = intValue Xor intBit
        end if
    end if
End Function
The confidentiality bit is a new addition to Windows Server 2003 Service Pack 1 that allows you to restrict access to attributes that should not be accessible to all users. For example, you may have created an attribute to store user Social Security Number information. Even though this attribute may be populated for every user object in the directory, you will likely wish to restrict access to that specific attribute to only a subset of your personnel. The confidentiality bit is set in the searchFlags attribute by setting bit 8 (128) to a value of 1. Once you've done this, the Read permission on that attribute will not be sufficient to access the information stored in it; you'll need to grant the Control_Access permission to allow a user or group to view the contents of the attribute using LDP. (Unfortunately, the current version of dsacls does not allow you to set the Control_Access permission via the command line.)
While the confidentiality bit is a great improvement in Active Directory security, it does have two significant limitations. The first is that there is no supported mechanism to set the confidentiality bit on any attribute that is part of the base schema; you can, however, obtain a list of these attributes by searching for attributes that have bit 4 (16 in decimal) set to 1.
Second, certain default permissions included with Active Directory will still allow some security principals to access the information stored in confidential attributes; these include the Administrators group, Account Operators, and any user or group that has the Full Control permission on an object containing a confidential attribute.
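As an added example that is not part of the original post, the same bit arithmetic as CalcBit in Python, extended to an offline review of which schema attributes are already confidential, which are base-schema attributes that cannot be marked, and which remain candidates. The attribute names and flag values are constructed, and the placement of the base-schema bit (16) in systemFlags is an assumption made here.

```python
"""Offline helpers mirroring the recipe's CalcBit logic for searchFlags."""

CONFIDENTIAL = 128   # searchFlags bit 8 (0x80), the bit the recipe sets
BASE_SCHEMA = 16     # bit 4 (0x10) the text mentions; assumed here to live in systemFlags


def calc_bit(value: int, bit: int, enable: bool) -> int:
    """Return `value` with `bit` set (enable=True) or cleared (enable=False).
    Other bits are left untouched; a no-op if the bit is already in that state."""
    return value | bit if enable else value & ~bit


def needs_change(value: int, bit: int, enable: bool) -> bool:
    """True when a Put/SetInfo would actually alter the attribute (the recipe's <> test)."""
    return calc_bit(value, bit, enable) != value


def audit(schema_entries):
    """Classify attributeSchema objects for a confidentiality review.
    Each entry is (lDAPDisplayName, searchFlags, systemFlags)."""
    report = {"confidential": [], "base_schema": [], "candidates": []}
    for name, search_flags, system_flags in schema_entries:
        if search_flags & CONFIDENTIAL:
            report["confidential"].append(name)
        elif system_flags & BASE_SCHEMA:
            report["base_schema"].append(name)   # no supported way to set the bit
        else:
            report["candidates"].append(name)
    return report


# Constructed sample values; not taken from a real forest.
SAMPLE_SCHEMA = [
    ("rallencorp-SSN", 0, 0),                    # custom, not yet confidential
    ("rallencorp-UserProperties", 128 | 1, 0),   # custom, already confidential
    ("sAMAccountName", 1, 16),                   # base schema, cannot be marked
]

if __name__ == "__main__":
    print(calc_bit(1, CONFIDENTIAL, True))   # 129
    print(audit(SAMPLE_SCHEMA))
```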
See Also: Recipe 4.15 for more on modifying a bitwise attribute, and "How the Active Directory Schema Works": http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/TechRef/e3525d00-a746-4466-bb87-140acb44a603.mspx