2.11.3 System Configuration Security

The configuration data and parameters for the Active Directory system are stored in the directory service itself. The configuration data is retrieved and manipulated by using the same protocols that are used to manipulate any other data that is stored in the directory. In particular, much of it is stored in the form of directory objects that are accessible via LDAP. As such, this configuration data is protected by the access checks that are enforced by these protocols. Therefore, the security descriptors of the directory object on which the settings are stored are vital to protecting the system configuration.

This also means that the security of these configuration settings is dependent on the system's ability to secure the messages as they travel over the network, as described in section 2.11.2. At a minimum, clients would use one of the mechanisms documented there to ensure message integrity. Failure to do so could permit an attacker to perform an elevation-of-privilege attack by intercepting and modifying a request message sent by the client to perform an action of the attacker's choosing (using the client's privileges).