How can we improve Active Directory in Windows Server?

Less default permissions for Authenticated Users & Domain Users

As a defense-in-depth measure, it would be great to apply POLA to Authenticated Users & domain users group, so that no single user can enumerate more than they require. It would help in the Reconnaissance phase of an attack.

It seems like these are enough for an Authenticated User (1):
* Read gPLink
* Read gPOptions
* List Contents
* Read permissions
Read distinguishedName
Read cn

(1) https://community.spiceworks.com/topic/1457668-securing-our-ad-by-removing-authenticated-users-from-an-ou-breaks-group-policy

2 votes

zafer b shared this idea · Dec 19, 2020 · Flag idea as inappropriate… · Admin →

0 comments

An error occurred while saving the comment

Active Directory: Logon, Passwords

Searching…

No results.
Clear search results

Give feedback
- Active Directory 139 ideas
- Clustering 40 ideas
- Containers 49 ideas
- Core Server 116 ideas
- Diagnostics 18 ideas
- Essentials 24 ideas
- General Feedback 1,169 ideas
- IIS and Web Server Role 43 ideas
- Installation and Patching 99 ideas
- Linux Support 16 ideas
- Management Tools 1,053 ideas
- Networking 83 ideas
- Performance 6 ideas
- PowerShell 1,925 ideas
- Remote Desktop Services 0 ideas
- Security and Assurance 40 ideas
- Storage 169 ideas
- Virtualization 155 ideas
Knowledge Base
- User Voice How To FAQ1 article
- All articles
Windows Server

How can we improve Active Directory in Windows Server?

Less default permissions for Authenticated Users & Domain Users

0 comments

Feedback

Active Directory: Logon, Passwords

Feedback and Knowledge Base

Searching…

Give feedback

Knowledge Base

Windows Server

Your password has been reset

Less default permissions for Authenticated Users & Domain Users

We're glad you're here

0 comments

We're glad you're here

We're glad you're here

Active Directory: Logon, Passwords

Categories

Searching…

Give feedback

Knowledge Base

Windows Server

Your password has been reset