Pre-Windows 2000 Compatible Access Group permission vulnerability
Windows NT was notorious for the amount of information available to hackers and
penetration teams as configured out of the box. It was possible for a guest to
get a list of shares, the list of users, groups, ad nausem. Microsoft released a
restrict anonymous connections . It appears Microsoft is repeating old
mistakes in the Active Directory realm. The Pre-Windows 2000
Compatible Access group grants Everyone the same ability to browse
through the Active Directory, to read permissions on every attribute of every
object. OUCH! This is a little too much free information flow.
The default membership of Pre-Windows 2000 Compatible
Access group includes the Everyone group. To tighten up the system you
need to remove the Everyone group from the Pre-Windows 2000
Compatible Access group .
You need to test. Just like the Windows NT anonymous connections issues, you
may not be able to close the whole because of unique issues within your
enterprise. Certain down level clients may not function, particularly Win9x