TIP: Configuring the confidentiality bit on CAT-1 schema items
In Windows Server 2003 Service Pack 1 Microsoft introduced a new setting for objects and attributes that are not category 1 (base schema) objects: the confidentiality bit, otherwise known as Confidential Attributes. Summarised, you can set the seventh bit (decimal value 128) of the searchFlags attribute on an attributeSchema object that isn’t part of the base schema; that attribute is then considered confidential, and read access is denied to everyone except principals that have both the read property permission and the control access right defined.
This is a nice feature, and it greatly simplifies the task of locking down the default access that lets authenticated users read most attributes of objects, as it removes the need to implement large numbers of deny ACEs in the directory. However, Microsoft have locked this down to, as already mentioned, non-category 1 attributes. This greatly reduces the usefulness of the feature, but it does protect many systems from their administrators: the last thing you want to do is configure displayName as confidential if you use Exchange, as you then won’t be able to see any of the names in the GAL. However, there is an unsupported action that will allow you to actually set the confidentiality bit on a base attribute.
Confidential attributes were introduced in Service Pack 1. If you try to set the seventh bit of searchFlags for a CAT-1 attribute on a server that is running SP1 you’ll get an error. However, Windows Server 2003 RTM and Windows 2000 Server don’t understand the seventh bit, and therefore have no restriction in place to stop you setting it on a CAT-1 attribute. Therefore, you can configure CAT-1 attributes as confidential if you modify the appropriate attributeSchema object on a Schema Master running Windows 2000 or Windows Server 2003 RTM.
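The following Python is an added worked example, not code from the original tip or from Microsoft. It reads a small schema export in the shape ldifde produces (the sample below is constructed, not a real export), decodes searchFlags, sets the seventh bit (128, fCONFIDENTIAL in MS-ADTS terms) with a bitwise OR so that index and ANR flags already present are preserved, and flags category 1 attributes by the FLAG_SCHEMA_BASE_OBJECT bit (0x10) in systemFlags, since an SP1 or later Schema Master rejects the change for those. The flag names and the 0x10 systemFlags bit are taken from MS-ADTS; the attribute names and flag values in the sample are illustrative.

```python
"""Plan searchFlags changes that set the AD confidentiality bit (0x80).

Added example, not part of the original tip. Flag names follow MS-ADTS;
the LDIF below is constructed to resemble ldifde output and is not real data.
"""

CONFIDENTIAL = 0x80         # seventh bit, decimal 128: fCONFIDENTIAL in searchFlags
SCHEMA_BASE_OBJECT = 0x10   # FLAG_SCHEMA_BASE_OBJECT in systemFlags marks a CAT-1 object

# searchFlags bit names as documented in MS-ADTS (only the low bits are listed)
SEARCH_FLAG_NAMES = {
    0x1: "fATTINDEX",
    0x2: "fPDNTATTINDEX",
    0x4: "fANR",
    0x8: "fPRESERVEONDELETE",
    0x10: "fCOPY",
    0x20: "fTUPLEINDEX",
    0x40: "fSUBTREEATTINDEX",
    0x80: "fCONFIDENTIAL",
    0x100: "fNEVERVALUEAUDIT",
    0x200: "fRODCFilteredAttribute",
}

# Constructed sample in the shape of an ldifde export of attributeSchema objects.
SAMPLE_LDIF = """\
dn: CN=Display-Name,CN=Schema,CN=Configuration,DC=example,DC=com
lDAPDisplayName: displayName
searchFlags: 13
systemFlags: 16

dn: CN=example-SocialSecurityNumber,CN=Schema,CN=Configuration,DC=example,DC=com
lDAPDisplayName: exampleSocialSecurityNumber
searchFlags: 1
systemFlags: 0

dn: CN=example-PayrollId,CN=Schema,CN=Configuration,DC=example,DC=com
lDAPDisplayName: examplePayrollId
searchFlags: 128
systemFlags: 0
"""


def parse_ldif(text):
    """Parse a flat LDIF dump into {lDAPDisplayName: {attribute: value}}."""
    entries, current = {}, {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries[current["lDAPDisplayName"]] = current
                current = {}
            continue
        key, _, value = line.partition(": ")
        current[key] = value
    if current:
        entries[current["lDAPDisplayName"]] = current
    return entries


def decode_search_flags(value):
    """Return the names of the searchFlags bits that are set in value."""
    return [name for bit, name in sorted(SEARCH_FLAG_NAMES.items()) if value & bit]


def is_confidential(search_flags):
    return bool(int(search_flags) & CONFIDENTIAL)


def is_base_schema(system_flags):
    return bool(int(system_flags) & SCHEMA_BASE_OBJECT)


def confidential_search_flags(current):
    """OR the bit in: replacing searchFlags with a bare 128 would drop existing index flags."""
    return int(current) | CONFIDENTIAL


def build_modify_ldif(entry):
    """LDIF modify record that sets the confidentiality bit on one attributeSchema object."""
    new_value = confidential_search_flags(entry["searchFlags"])
    return (f"dn: {entry['dn']}\nchangetype: modify\n"
            f"replace: searchFlags\nsearchFlags: {new_value}\n-\n")


def plan_confidential(entries, names):
    """Classify each requested attribute and build the LDIF for the ones that can be changed."""
    plan = {}
    for name in names:
        entry = entries[name]
        if is_confidential(entry["searchFlags"]):
            plan[name] = {"status": "already-confidential", "ldif": ""}
        elif is_base_schema(entry["systemFlags"]):
            # CAT-1: rejected by a Schema Master running SP1 or later (see tip above)
            plan[name] = {"status": "base-schema", "ldif": build_modify_ldif(entry)}
        else:
            plan[name] = {"status": "modify", "ldif": build_modify_ldif(entry)}
    return plan


if __name__ == "__main__":
    schema = parse_ldif(SAMPLE_LDIF)
    for name, item in plan_confidential(schema, list(schema)).items():
        print(f"{name}: {item['status']}  flags={decode_search_flags(int(schema[name]['searchFlags']))}")
        print(item["ldif"])
```

The "base-schema" entries still get an LDIF record so you can see what the unsupported change would look like, but a production check should treat that status as a stop: apply it only on a Windows 2000 or 2003 RTM Schema Master, as the tip describes, and only after confirming nothing (Exchange's GAL, for example) reads the attribute as an ordinary authenticated user.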
Further reading / credit
Thanks go to Joe Richards of www.joeware.net, author of O’Reilly Active Directory 3rd Edition (http://www.oreilly.com/catalog/actdir3/), for this tip. For more information on permissions and some of the shortcomings of the confidential attributes feature, refer to his book.
Document information
Author: Paul Williams
Written: 27-10-2006
Version: 2.0
Last updated: 25-07-2007
Last updated by: Paul Williams