Pre-Windows 2000 Compatible Access Group permission vulnerability


Windows NT was notorious for the amount of information available to hackers and
penetration teams as configured out of the box. It was possible for a guest to
get a list of shares, the list of users, groups, ad nauseam. Microsoft released a
method to restrict anonymous connections. It appears Microsoft is repeating old
mistakes in the Active Directory realm. The Pre-Windows 2000 Compatible Access
group grants Everyone the same ability to browse through the Active Directory,
to read permissions on every attribute of every object. OUCH! This is a little
too much free information flow.

The default membership of the Pre-Windows 2000 Compatible Access group includes
the Everyone group. To tighten up the system you need to remove the Everyone
group from the Pre-Windows 2000 Compatible Access group.

You need to test. Just like the Windows NT anonymous connections issues, you
may not be able to close the hole because of unique issues within your
enterprise. Certain down-level clients may not function, particularly Win9x
clients.
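
One way to check the group's membership and preview the removal before committing to it. This is an added example, not from the original article; it assumes the ActiveDirectory PowerShell module (RSAT) is installed, and it also reports Anonymous Logon and Authenticated Users, which goes beyond the Everyone membership discussed above.

```powershell
# Added example: audit the Pre-Windows 2000 Compatible Access group for broad principals.
# Assumption: the ActiveDirectory module (RSAT) is available and you can read the domain.
Import-Module ActiveDirectory

# Well-known SID of the builtin group; avoids depending on a localized group name.
$groupSid = 'S-1-5-32-554'

# Broad well-known principals to flag. Only Everyone is discussed in the article;
# the other two are reported for context.
$broadPrincipals = @{
    'S-1-1-0'  = 'Everyone'
    'S-1-5-7'  = 'Anonymous Logon'
    'S-1-5-11' = 'Authenticated Users'
}

$group = Get-ADGroup -Identity $groupSid -Properties member

$findings = foreach ($dn in $group.member) {
    # Well-known principals are stored as foreignSecurityPrincipal objects
    # whose CN is the SID, e.g. CN=S-1-1-0,CN=ForeignSecurityPrincipals,DC=...
    if ($dn -match '^CN=(S-1-[0-9-]+),CN=ForeignSecurityPrincipals,') {
        $sid = $Matches[1]
        if ($broadPrincipals.ContainsKey($sid)) {
            [pscustomobject]@{
                Group     = $group.Name
                Principal = $broadPrincipals[$sid]
                Sid       = $sid
                MemberDN  = $dn
            }
        }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize
    # Preview removing Everyone only; drop -WhatIf once down-level clients are tested.
    $findings | Where-Object Sid -eq 'S-1-1-0' | ForEach-Object {
        Remove-ADGroupMember -Identity $groupSid -Members $_.MemberDN -WhatIf
    }
} else {
    Write-Output "No broad well-known principals found in '$($group.Name)'."
}
```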
