Storage of a private "octet string" in Active Directory; what is safe by default?

I basically want to store a private key (a hash) in one of the OctetString attributes in Active Directory.

My question is: which attribute is safe by default, so that it makes sense to store personal data there? This value should be treated like a password, to which even administrators should not have access (if possible), just like the current AD password.

Here is the beginning of the list of attributes that are enabled by default in a Windows 2008 R2 + Exchange 2010 domain.

[screenshot: list of attributes]

Update:

Does anyone know an Octet String attribute that, by default, does not grant read permission to all domain users? I don't want to store my hash publicly and let someone build a rainbow table from the hashes.

+3

To answer your question directly, no, there is no such attribute by default:

In Active Directory, Authenticated Users can read most attributes by default, and that includes every octet-string attribute you could pick.

Since Windows 2003 SP1, however, an attribute can be marked CONFIDENTIAL. This is controlled by the searchFlags attribute on the attribute's schema object. SearchFlags is a bit mask, and each bit has its own meaning; for example, the value 1 means the attribute is indexed, and the value 128 (bit 7) marks it as confidential.

There is one catch: attributes that belong to the base schema (for example those defined on "top", such as common-name) cannot be marked confidential. You can check this with LDP by looking at the attribute's systemFlags; if the 0x10 bit is set, it is a base-schema attribute and the confidential flag will not be accepted.

Once an attribute is confidential, reading it requires both the READ_PROPERTY right and the CONTROL_ACCESS right on that attribute.

Granting CONTROL_ACCESS is the awkward part, because the standard ACL UI editor cannot do it; you have to use DSACLs or the R2 version of LDP.

So working with a Confidential attribute comes down to 3 steps:

1. Use your own attribute (not a base-schema one) and set its confidential bit in searchFlags.

2. Grant the accounts that need it READ_PROPERTY on the attribute.

3. Grant those accounts Control_Access on the attribute as well.

Details here:

KB922836: How to mark an attribute as confidential in Windows Server 2003 Service Pack 1 (SP1)

http://support.microsoft.com/default.aspx?scid=kb;EN-US;922836
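The three steps above as one PowerShell script. This is an added example, not code from the thread or from the KB article; it assumes a custom schema attribute named myAppKeyHash, an OU and a reader group (all hypothetical), a Schema Admin running it on a domain controller with the ActiveDirectory module, and it keeps the other searchFlags bits intact instead of overwriting them.

```powershell
# Added example (not from the original post). Hypothetical names:
#   myAppKeyHash           - custom attributeSchema object already created
#   OU=Users,DC=example,DC=com - container holding the user objects
#   EXAMPLE\KeyHashReaders - group that is allowed to read the value
Import-Module ActiveDirectory

$attrName = 'myAppKeyHash'
$usersOU  = 'OU=Users,DC=example,DC=com'
$reader   = 'EXAMPLE\KeyHashReaders'

$rootDse  = Get-ADRootDSE
$attr = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
    -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$attrName))" `
    -Properties searchFlags, systemFlags

if (-not $attr) { throw "attribute $attrName not found in the schema" }

# Step 1a: base-schema attributes (systemFlags 0x10) cannot be made confidential.
$FLAG_SCHEMA_BASE_OBJECT = 0x10
if ($attr.systemFlags -band $FLAG_SCHEMA_BASE_OBJECT) {
    throw "$attrName is a base-schema attribute; the confidential flag would be rejected"
}

# Step 1b: set bit 7 (value 128) in searchFlags, preserving index/ANR/etc. bits.
$CONFIDENTIAL = 128
$newFlags = $attr.searchFlags -bor $CONFIDENTIAL
Set-ADObject -Identity $attr.DistinguishedName -Replace @{ searchFlags = $newFlags }

# Force a schema cache reload so the DC honours the new flag immediately.
$rootDseAdsi = [adsi]'LDAP://RootDSE'
$rootDseAdsi.Put('schemaUpdateNow', 1)
$rootDseAdsi.SetInfo()

# Step 2: READ_PROPERTY (RP) on this attribute only, inherited to user objects in the OU.
dsacls $usersOU /I:S /G "${reader}:RP;$attrName;user"

# Step 3: CONTROL_ACCESS (CA) on the same attribute; the ACL UI cannot grant this.
dsacls $usersOU /I:S /G "${reader}:CA;$attrName;user"

# Verification: an account outside the reader group sees the attribute as empty,
# a member of the group sees the stored value.
Get-ADUser -Filter * -SearchBase $usersOU -Properties $attrName |
    Select-Object SamAccountName, $attrName
```

Run the dsacls lines a second time with /R instead of /G if you need to revoke; and remember that Domain Admins can still take ownership of the schema object and clear the bit, so this protects against ordinary users, not against administrators.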

+3

It does not have to be an OctetString, by the way; a DirectoryString would do just as well. Whichever attribute you pick, though, it will be readable by default, and administrators can read it regardless.

The one attribute nobody can read, including administrators, is unicodePwd. That is because it is write-only over LDAP, and you cannot put your own data in it.

+1

In AD there is no auxiliary Octet String attribute that is protected by default. (I.e. nothing like destinationIndicator. SunOne and eDirectory are no different here.)

Define your own attribute and set its permissions yourself.

0

Source: https://habr.com/ru/post/1765031/
