Restrict security principal AD object ownership
Windows Server 2003 Active Directory (AD) introduces a new feature that's commonly referred to as AD object quotas. What's this feature, and what's its security value?
Windows 2003 AD object quotas determine the number of objects that a particular security principal can own in an AD naming context (NC) or directory partition. These quotas can help prevent Denial of Service (DoS) attacks on AD domain controllers (DCs). Without them, an authorized user can bring down an AD server by creating AD objects until a DC runs out of storage space.
You can specify and administer AD object quotas for each AD NC and directory partition, but you can't define them for the schema NC. You can define a default quota for every AD NC and directory partition. However, if you don't explicitly set a default quota on an NC or partition, the default quota for that NC or partition will be unlimited.
The AD object quota logic counts any tombstone objects that a security principal owns as part of that principal's AD object quota consumption. Tombstone objects are temporary AD entries that point to deleted AD objects. AD maintains these objects to keep deleted object data consistent across different AD DCs. For each NC and directory partition, you can specify a tombstone quota factor that determines the weight given to a tombstone object in quota accounting. For example, if the tombstone quota factor for a given NC or directory partition is set to 25, then a tombstone object in the partition is counted as 0.25 of a regular AD object. Because the default tombstone quota factor for each partition is set to 100, regular AD objects and tombstone objects are weighted equally.
You can assign AD object quotas to every security principal, including users, computers, groups, and iNetOrgPerson objects. When multiple quotas apply to an individual security principal, the effective quota is the maximum of the quota assigned to that principal. For example, you can assign an individual quota to a user who also belongs to a security group that has quotas assigned to that group. Members of the Domain and Enterprise Administrator groups are exempt from quotas.
AD stores object quotas in the NTDS Quotas container of the AD NC or directory partition as objects of the msDS-QuotaControl class. To set an AD object quota of 10 for user Joe in the Accounting domain NC, type the following command:
DC=COM -acct Accounting\Joe -qlimit
10 -desc "Quota for Joe"
To modify the tombstone quota factor to be counted as 0.25 of a regular AD object in the object quota count for the Accounting domain NC, use the following command:
DC=COM -qtmbstnwt 25
To set the default object quota to 0 for the Accounting domain NC, use the following command:
DC=COM -qdefault 0
Only DCs running Windows 2003 can enforce AD object quotas. A DC enforces quotas only on originating directory operations and not on replicated operations. To effectively use AD object quotas in an AD domain directory partition, all DCs in that domain must be running Windows 2003. Likewise, to use AD object quotas in an AD configuration partition, all DCs in the forest must be running Windows 2003. In other words, all domains and the forest must be set to Windows 2003 functionality level 2. Be aware that the availability of the quota feature itself isn't related to any specific functionality level-the quota feature is available right away on any Windows 2003 DC. However, if Windows 2000 DCs are still present in the domain where you enforce quotas, users can still connect to one of these DCs to get around the quota restrictions. Win2K includes a limited version of the Windows 2003 AD quotas that lets you restrict how many computer accounts a particular user account can create. To access this functionality, you use the ms-DS-MachineAccountQuota attribute of the AD domain object. The restriction doesn't apply to members of the Domain Admins and Account Operators groups. Windows 2003 also supports the ms-DS-MachineAccountQuota attribute, and the default value is 10. To prevent a user from adding new computer accounts, you can set this attribute to 0. You can achieve a similar result by denying the Add workstations to domain user right from the Authenticated Users group. Both Windows 2003 and Win2K allow this right by default to the Authenticated Users group.