Managing the Confidentiality Bit

Problem

You want to manage the confidentiality of a schema attribute.

Solution

Using VBScript
	' This code safely modifies the
	' confidentiality bit of an attribute.
	' ------ SCRIPT CONFIGURATION ------
	strAttribute = "<schemaAttributeDN>"
	 ' e.g. "cn=SalesUser-Description,cn=Schema,
	 ' cn=Configuration,dc=rallencorp,dc=com"
	strAttr = "searchFlags"       ' schema attribute that holds the flag bits
	boolEnableBit = <TRUEorFALSE> ' e.g. TRUE
	intBit = 128                  ' confidentiality bit (bit 8 of searchFlags)
	' ------ END CONFIGURATION --------

	' Bind to the schema attribute object and read its current searchFlags
	set objObject = GetObject("LDAP://" & strAttribute)
	intBitsOrig = objObject.Get(strAttr)
	intBitsCalc = CalcBit(intBitsOrig, intBit, boolEnableBit)

	' Write back only when the value actually changes
	if intBitsOrig <> intBitsCalc then
	   objObject.Put strAttr, intBitsCalc
	   objObject.SetInfo
	   WScript.Echo "Changed " & strAttr & " from " & intBitsOrig & " to " & intBitsCalc
	else
	   WScript.Echo "Did not need to change " & strAttr & " (" & intBitsOrig & ")"
	end if

	' Return intValue with intBit set (boolEnable = TRUE) or cleared (FALSE).
	' The bit is only XORed out when it is actually set, so asking to clear
	' an already-clear bit never switches it on by mistake.
	Function CalcBit(intValue, intBit, boolEnable)

	   CalcBit = intValue

	   if boolEnable = TRUE then
	      CalcBit = intValue Or intBit
	   else
	      if intValue And intBit then
	         CalcBit = intValue Xor intBit
	      end if
	   end if

	End Function

Discussion

The confidentiality bit is a new addition to Windows Server 2003 Service Pack 1 that allows you to restrict access to attributes that should not be accessible to all users. For example, you may have created an attribute to store user Social Security Number information. Even though this attribute may be populated for every user object in the directory, you will likely wish to restrict access to that specific attribute to only a subset of your personnel. The confidentiality bit is set in the searchFlags attribute by setting bit 8 (128) to a value of 1. Once you've done this, the Read permission on that attribute will not be sufficient to access the information stored in it; you'll need to grant the Control_Access permission to allow a user or group to view the contents of the attribute using LDP. (Unfortunately, the current version of dsacls does not allow you to set the Control_Access permission via the command line.)

While the confidentiality bit is a great improvement in Active Directory security, it does have two significant limitations. The first is that there is not a supported mechanism to set the confidentiality bit on any attributes that are a part of the base schema; you can, however, obtain a list of these attributes by searching for attributes that have bit 4 (16 in decimal) set to 1.

There is an unsupported mechanism for setting the confidentiality bit on a base attribute, by modifying the appropriate searchFlags value on a domain controller that has not yet been upgraded to Windows Server 2003 SP1. Be aware that this is unsupported, however, and that Microsoft will likely not offer you any technical support for any issues that arise as a result. This solution is more fully documented in Chapter 11 of Active Directory, Third Edition, by Joe Richards et al. (O'Reilly).


Second, certain default permissions included with Active Directory will still allow some security principals to access the information stored in confidential attributes; these include the Administrators group, Account Operators, and any user or group who has the Full Control permission on an object containing a confidential attribute.
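An added example, not code from the recipe or the book: the same set/clear arithmetic in Python, run offline against constructed searchFlags values, so the change can be planned and a list of schema attributes audited for bit 128 before anything is written to the schema. The attribute names and flag values are constructed for illustration (rallencorp is the book's sample domain); only the constant 128 comes from the recipe.

```python
# Added example (not the recipe's own code): plan a confidentiality-bit
# change on a searchFlags value and audit constructed schema entries.

CONFIDENTIAL = 128  # bit 8 of searchFlags, as described in the recipe


def calc_bit(value: int, bit: int, enable: bool) -> int:
    """Return `value` with `bit` set (enable=True) or cleared (enable=False).

    Mirrors the recipe's CalcBit. Clearing uses AND NOT, which needs no
    guard: an unguarded XOR would switch the bit ON when it was already off.
    """
    return value | bit if enable else value & ~bit


def plan_change(current: int, enable: bool, bit: int = CONFIDENTIAL):
    """Return (new_value, changed) so a caller writes only when needed,
    exactly like the recipe's 'Did not need to change' branch."""
    new = calc_bit(current, bit, enable)
    return new, new != current


def is_confidential(search_flags: int) -> bool:
    """True when bit 128 is set: Read alone no longer exposes the value."""
    return bool(search_flags & CONFIDENTIAL)


# Constructed sample: attribute name -> searchFlags, as if read from the
# schema partition. Values are illustrative, not real directory data.
SAMPLE_SCHEMA = {
    "rallencorp-SSN": 128,             # confidential only
    "rallencorp-UserProperties": 1,    # indexed; readable with plain Read
    "rallencorp-Notes": 129,           # indexed and confidential
}


def audit(schema: dict) -> dict:
    """Split attributes into those protected by bit 128 and those that
    any principal holding Read on the object can still see."""
    return {
        "confidential": sorted(n for n, f in schema.items() if is_confidential(f)),
        "readable_with_read": sorted(n for n, f in schema.items() if not is_confidential(f)),
    }


if __name__ == "__main__":
    print(audit(SAMPLE_SCHEMA))
    print(plan_change(SAMPLE_SCHEMA["rallencorp-UserProperties"], True))
```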

See Also

Recipe 4.15 for more on modifying a bitwise attribute and How the Active Directory Schema Works: http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/TechRef/e3525d00-a746-4466-bb87-140acb44a603.mspx




stchizen 5 years ago #
Thank you for this script, I found it useful; however, there was an error I had to correct to get it to work. I thought I would reply in case others come across it. If you copy / paste the script, line 2 needs to be commented ' - easy enough. More importantly, lines 12 and 13 read:

	set objAttribute = GetObject("LDAP://" & strAttribute)
	intBitsOrig = objAttribute.Get(strAttr)

They should read:

	set objObject = GetObject("LDAP://" & strAttribute)
	intBitsOrig = objObject.Get(strAttr)