MSNBC/BugNet: Windows 2000's Active Directory not enforcing rights
Feb 20, 2000, 18:52
"The Active Directory security hole, as outlined in the Novell report, allows the administrator of department A to control access to resources in department B even though administrator A has been explicitly denied the right to modify the ownership of that object. This allows administrators to take ownership and modify permissions, and thereby gain access to sensitive data.
By following the steps in the Novell report, BugNet was able to duplicate Novell's findings. Even though the owner of the OU can explicitly deny any privileges to the administrator, including denying ownership, users from the administrative group can still get in, change ownership, and grant themselves permissions.
To further inflame the problem, if an administrator inappropriately takes ownership of a network resource, the legitimate OU owner is not immediately notified. The OU owner could eventually find out, but only after logging in and seeing that the object's ownership has changed. By the time someone gets around to this, the damage might have already been done and the perpetrator could have already left the company. Our default installation of Windows 2000 Advanced Server did not track ownership changes in the Windows 2000 Event Viewer, meaning that there is no way for a network manager to police these types of changes except to touch every object on the network with the administration tool."
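A defender's check for the last point above, added here as an example and not taken from the BugNet or Novell reports: a PowerShell script that records the owner of every object under an OU and reports any object whose owner differs from a saved baseline, so ownership changes surface without opening each object in the administration tool. It assumes the modern ActiveDirectory module (RSAT) rather than Windows 2000 tooling; the OU distinguished name and baseline file path are placeholders.

```powershell
# Added example (not from the BugNet/Novell report): snapshot the owner of every
# object under a given OU and diff it against a saved baseline, so ownership
# changes are reported even though the directory itself does not log them.
# Assumes the ActiveDirectory PowerShell module (RSAT) is available; the OU
# distinguished name and baseline path below are placeholders.
Import-Module ActiveDirectory

$SearchBase   = 'OU=DeptB,DC=example,DC=com'      # placeholder OU to watch
$BaselinePath = 'C:\adaudit\deptb-owners.csv'     # placeholder baseline file

# Collect DN -> owner for every object in the subtree (one ACL read per object).
$current = @(Get-ADObject -SearchBase $SearchBase -SearchScope Subtree -Filter * |
    ForEach-Object {
        $acl = Get-Acl -Path ("AD:\" + $_.DistinguishedName)
        [pscustomobject]@{ DN = $_.DistinguishedName; Owner = $acl.Owner }
    })

if (-not (Test-Path $BaselinePath)) {
    # First run: record the approved owners and stop.
    $current | Export-Csv -Path $BaselinePath -NoTypeInformation
    Write-Output "Baseline written to $BaselinePath ($($current.Count) objects)."
    return
}

# Load the approved owners into a DN -> owner lookup.
$known = @{}
foreach ($row in (Import-Csv -Path $BaselinePath)) { $known[$row.DN] = $row.Owner }

# Report every object whose owner differs from the baseline, plus new objects
# (which have no approved owner on record yet and should be reviewed).
foreach ($obj in $current) {
    if (-not $known.ContainsKey($obj.DN)) {
        Write-Output "NEW      $($obj.DN) owner=$($obj.Owner)"
    } elseif ($known[$obj.DN] -ne $obj.Owner) {
        Write-Output "CHANGED  $($obj.DN) was=$($known[$obj.DN]) now=$($obj.Owner)"
    }
}
```

Run it once to create the baseline, then on a schedule; an owner that changes to an account outside the OU's own administrators is the case the report describes.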