Confidential attributes – Windows 2008 follow-up

My post about confidential attributes is one of the most popular on this blog. So far it has had 2950 views. By the way, the most popular posts are about the drink attribute in AD (4118 views; taking into consideration the subject of this post, it is not surprising) and my notes about extending the schema in AD (5523 views).

So it looks like most readers of this blog are extending the schema, then drinking something (is it related to the results of the schema extension operation?? 🙂), and when they are under the influence of some liquid substances they try to hide something in AD. Pretty nice combination … :).

Because of that I've decided to give this topic an update with respect to the new things in Windows 2008. There is nothing very new in schema extension or the drink attribute, so it has to be something related to confidential attributes 🙂

OK, there is nothing really new with the confidential attribute itself in Windows 2008. It is managed and configured in exactly the same way as before, so You can still use the information from my previous coverage of this topic. However, Windows 2008 brings two new elements which affect the way in which You want to use this feature. These are:

  • Read Only Domain Controller (RODC)
  • Auditing of attribute changes.

Read Only Domain Controller

An RODC is a DC which holds a read-only replica of the directory data and is deployed where we consider the host *unsafe* for some reason. Maybe it is in an insecure location or is deployed in a DMZ. The point is that we might not necessarily want to replicate sensitive data to such a DC.

RODC provides You with such a capability through the Filtered Attribute Set (FAS). The FAS is a set of attributes which are not replicated to RODCs. In addition, attributes from this set are stripped from IFM media created for RODC promotion.

Assignment of an attribute to the FAS is controlled through the searchFlags value on the attribute's definition in the schema. Using the example from the previous post, the attribute lbUserPesel: it is marked as confidential and not indexed, so its searchFlags has the value 64 (0x40):

C:\Temp>adfind -b CN=lb-UserPesel,CN=Schema,CN=Configuration,DC=w2k,DC=pl
-s base -flagdc searchFlags

AdFind V01.37.00cpp Joe Richards (joe@joeware.net) June 2007

Using server: LHFDC1.w2k.pl:389
Directory: Windows Longhorn

dn:CN=lb-UserPesel,CN=Schema,CN=Configuration,DC=w2k,DC=pl
>searchFlags: 128 [CONFIDENTIAL(128)]

Membership in the FAS is controlled by a bit in this value (hex 0x200 or decimal 512). So to make our attribute confidential and a member of the FAS we have to set searchFlags to 0x280 in hex or 640 in decimal.

C:\Temp>adfind -b CN=lb-UserPesel,CN=Schema,CN=Configuration,DC=w2k,DC=pl
-s base -flagdc searchFlags

AdFind V01.37.00cpp Joe Richards (joe@joeware.net) June 2007

Using server: LHFDC1.w2k.pl:389
Directory: Windows Longhorn

dn:CN=lb-UserPesel,CN=Schema,CN=Configuration,DC=w2k,DC=pl
>searchFlags: 640 [CONFIDENTIAL(128);EXCL_RODC_PAS(512)]

(In this result the FAS is still referred to as PAS; this was changed in RTM.)

After such a change our confidential attribute will not be replicated to RODCs. If it was already replicated, it will be removed from the RODC database after replication.

One piece of advice, expressed by Jorge during his session at the last DEC: if You are planning an RODC deployment in your environment, it is a good idea to think about what to include in the FAS before the actual RODC deployment. This will prevent these attributes from being replicated during promotion of the DC, and later it will not require removal of these values from the RODC database.

Auditing of attribute value changes

Windows 2008 introduces new auditing capabilities which store in the event log, as part of the auditing data, the values of the attributes being changed. For each attribute we will see in the event log the old and the new value of the attribute, related to each other by a correlation ID value. This might expose confidential data to persons who have access to the Security log. Let's see what we will find in the event log when we change a confidential attribute using ADMOD.EXE:

admod -b "CN=Joe Doe,OU=SensitiveDataUsers,DC=w2k,DC=pl" lbUserPesel::123456789

In the Security log we will see three new entries:

In the entries with ID 5136 we will see the following information (I've stripped some information to make it more readable):

(…)
Object:
    DN:    CN=Joe Doe,OU=SensitiveDataUsers,DC=w2k,DC=pl
    GUID:    CN=Joe Doe,OU=SensitiveDataUsers,DC=w2k,DC=pl
    Class:    user
Attribute:
    LDAP Display Name:    lbUserPesel
    Syntax (OID):    2.5.5.4
    Value:    123456789
Operation:
    Type:    Value Deleted
    Correlation ID:    {baa43f87-336d-4d83-a4fb-5aa397bc23b9}
(…)
==========================================================
Object:
    DN:    CN=Joe Doe,OU=SensitiveDataUsers,DC=w2k,DC=pl
    GUID:    CN=Joe Doe,OU=SensitiveDataUsers,DC=w2k,DC=pl
    Class:    user
Attribute:
    LDAP Display Name:    lbUserPesel
    Syntax (OID):    2.5.5.4
    Value:    1234567890
Operation:
    Type:    Value Added
    Correlation ID:    {baa43f87-336d-4d83-a4fb-5aa397bc23b9}
(…)

 

So as you can see, our confidential attribute values were stored in the event log entries and are now accessible to anyone who has access to these data or to event log entries gathered in some management system.
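A defender-side check, added here as an example that is not part of the original post: it reads the 5136 events from a DC's Security log and reports which of them carry a value of an attribute you treat as confidential, so you can see what has already been written to the audit trail. It reports only the length of the leaked value, not the value itself. It assumes the 5136 event data field names AttributeLDAPDisplayName, AttributeValue, ObjectDN, OperationType and OpCorrelationID, and rights to read the Security log; the function name is mine and lbUserPesel is the attribute from the post.

```powershell
# Added example (not from the original post): find 5136 events that recorded a
# value of an attribute we consider confidential. Assumes the event data field
# names below and read access to the DC's Security log.
function Find-AuditedConfidentialValues {
    param(
        [Parameter(Mandatory)][string[]]$ConfidentialAttribute,
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]$MaxEvents = 5000
    )
    $filter = @{ LogName = 'Security'; Id = 5136 }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter `
                 -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Pull the named EventData fields out of the event XML
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            if ($ConfidentialAttribute -contains $data.AttributeLDAPDisplayName) {
                [pscustomobject]@{
                    Time          = $_.TimeCreated
                    Object        = $data.ObjectDN
                    Attribute     = $data.AttributeLDAPDisplayName
                    Operation     = $data.OperationType   # raw value; Event Viewer renders it as Value Added / Value Deleted
                    CorrelationId = $data.OpCorrelationID
                    # Report that a value leaked into the log, not the value itself
                    ValueLength   = [string]$data.AttributeValue | ForEach-Object { $_.Length }
                }
            }
        }
}

# Usage: Find-AuditedConfidentialValues -ConfidentialAttribute lbUserPesel | Format-Table
```

Every row returned is a value that is already readable by whoever can read the Security log or the system that collects it, which is the exposure the next paragraph's searchFlags bit prevents for future changes.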

In Windows 2008 we have a way to exclude an attribute's values from auditing, again through a searchFlags bit; this time it is hex 0x100 or 256 decimal. So to make our attribute confidential, a FAS member, and excluded from auditing we have to set its searchFlags value to 896 or 0x380 in hex:

adfind -b CN=lb-UserPesel,CN=Schema,CN=Configuration,DC=w2k,DC=pl -s base -flagdc searchFlags

AdFind V01.37.00cpp Joe Richards (joe@joeware.net) June 2007

Using server: LHFDC1.w2k.pl:389
Directory: Windows Longhorn

dn:CN=lb-UserPesel,CN=Schema,CN=Configuration,DC=w2k,DC=pl
>searchFlags: 896 [CONFIDENTIAL(128);EXCL_RODC_PAS(512);UNKNOWN_FLAGS(256)]
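The bit arithmetic from this section and from the FAS section above, done with the ActiveDirectory PowerShell module, as an added example that is not part of the original post: it decodes a searchFlags value into the flag names AdFind printed and ORs the three bits CONFIDENTIAL (0x80), RODC_FILTERED (0x200, the FAS bit) and NEVER_AUDIT_VALUE (0x100) into the attribute's existing value on the schema master. The flag-name table and the function names are my own; lbUserPesel is the attribute from the post, and Schema Admins rights are assumed.

```powershell
# Added example, not from the original post. Decodes searchFlags into bit names and
# ORs in CONFIDENTIAL (0x80), RODC_FILTERED (0x200, the FAS bit) and NEVER_AUDIT_VALUE
# (0x100). Assumes the ActiveDirectory module and Schema Admins rights.
$SearchFlagBits = [ordered]@{
    INDEX              = 0x001
    CONTAINER_INDEX    = 0x002
    ANR                = 0x004
    PRESERVE_ON_DELETE = 0x008
    COPY               = 0x010
    TUPLE_INDEX        = 0x020
    SUBTREE_INDEX      = 0x040
    CONFIDENTIAL       = 0x080
    NEVER_AUDIT_VALUE  = 0x100   # the 2007 AdFind build prints this as UNKNOWN_FLAGS(256)
    RODC_FILTERED      = 0x200   # AdFind prints EXCL_RODC_PAS(512)
}

function ConvertFrom-SearchFlags([int]$Value) {
    # 896 -> CONFIDENTIAL, NEVER_AUDIT_VALUE, RODC_FILTERED
    $SearchFlagBits.GetEnumerator() |
        Where-Object { ($Value -band $_.Value) -ne 0 } |
        ForEach-Object { $_.Key }
}

function Protect-SchemaAttribute {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$LdapDisplayName)

    # Schema writes go to the schema master; read from it too so we see the current value
    $schemaMaster = (Get-ADForest).SchemaMaster
    $schemaNC     = (Get-ADRootDSE -Server $schemaMaster).schemaNamingContext
    $attr = Get-ADObject -Server $schemaMaster -SearchBase $schemaNC `
        -Filter "lDAPDisplayName -eq '$LdapDisplayName'" -Properties searchFlags
    if (-not $attr) { throw "Attribute '$LdapDisplayName' not found in the schema" }

    $wanted  = $SearchFlagBits.CONFIDENTIAL -bor $SearchFlagBits.RODC_FILTERED -bor $SearchFlagBits.NEVER_AUDIT_VALUE
    $current = [int]$attr.searchFlags
    $new     = $current -bor $wanted          # keep index bits already set, add only ours
    $before  = (ConvertFrom-SearchFlags $current) -join ';'
    $after   = (ConvertFrom-SearchFlags $new) -join ';'
    Write-Host ("{0}: searchFlags {1} [{2}] -> {3} [{4}]" -f $LdapDisplayName, $current, $before, $new, $after)

    if ($new -eq $current) { return }   # already protected, nothing to write
    if ($PSCmdlet.ShouldProcess($attr.DistinguishedName, "Set searchFlags to $new")) {
        Set-ADObject -Server $schemaMaster -Identity $attr.DistinguishedName -Replace @{ searchFlags = $new }
    }
}

# Preview first, then run without -WhatIf:  Protect-SchemaAttribute -LdapDisplayName lbUserPesel -WhatIf
```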

 

When we now make a change to our attribute we will see only the event with ID 4662 and none of these 5136 events.

Our confidential attribute values will no longer be stored in the auditing data.

And that's basically it about how to protect our confidential attributes when Windows 2008 is deployed in our network with all the new things like RODC and the new auditing.