Active Directory Domain Services (AD DS) and Active Directory Certificate Services (AD CS) use the Extensible Storage Engine (ESE) as their database. Microsoft has now open sourced the code for this database engine, making it available to all on GitHub.
About the Extensible Storage Engine
The Extensible Storage Engine (ESE) is an embedded, Indexed Sequential Access Method (ISAM)-based database engine that provides rudimentary table and indexed access. The library also provides several other strongly layered, and thus reusable, sub-facilities: a synchronization and locking library, a data-structures / STL-like library, an Operating System (OS) abstraction layer, and a Cache Manager.
First shipped in Windows NT 3.51 and shortly thereafter in Exchange 4.0, rewritten twice in the 1990s, and heavily updated over the two decades since, it remains a core Microsoft asset to this day.
What this means
This change impacts several groups of people:
For developers using ESE, Microsoft already offers ESENT Managed Interop to provide managed access to esent.dll, the embeddable database engine native to Windows. The availability of the code now enables them to check their assumptions and plan work accordingly.
From a security point of view, vulnerabilities in the ESE code may now be discovered by researchers. These vulnerabilities will be addressed through Microsoft’s Windows Updates.
For admins, open sourcing the software they rely on should reinforce that security in Active Directory does not depend on security through obscurity.
I feel open sourcing core components of widely used technology is always a good thing.
Vendors now get a clearer understanding of what happens under the hood. We might see new advanced functionality in Active Directory backup and restore (looking at you, Veeam) and the ability to block certain Active Directory requests, resulting in a proactive Layer 7 protection solution (kind of what Stealthbits currently offers…).