Saturday, August 1, 2015

Active Directory Quotas

Active Directory quotas are limits on the number of objects that a security principal (one that has been delegated the Create Child Objects or Delete Child Objects permission) can own and create. You can use quotas to mitigate the risk of a denial-of-service attack against a directory service. For example, you can restrict the owner of the Accounting organizational unit (OU) in your organization to creating no more than 100 new user accounts.
If a security principal that has been delegated the permission to create objects in the directory is compromised and no quota limits are in place, an attacker can create objects until the disk that holds the NTDS.dit file on the domain controller runs out of space. By implementing quotas, you limit the number of objects that a security principal can create in the directory, which helps insulate the directory from a denial-of-service attack based on the creation of a very large number of objects.
Example
To set a quota limit of 10 on the security principal user object Mohit Singh in the IT OU of the Koenig.com directory partition, use the following command:
dsadd quota -part "dc=Koenig,dc=com" -qlimit 10 -acct "CN=Mohit Singh,OU=IT,DC=koenig,DC=com"
At the completion of this command, the user Mohit is limited to creating 10 objects in the Koenig.com directory partition.
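The same per-principal quota can be created and then checked with the ActiveDirectory PowerShell module and dsget. This is an added example, not part of the original post: it assumes the module is installed, that Mohit Singh's sAMAccountName is msingh (a hypothetical value), and that the account running it may create msDS-QuotaControl objects in the NTDS Quotas container. A quota object is simply an msDS-QuotaControl child of that container carrying the trustee's SID and the object limit. Keep in mind that quotas are not enforced on members of Domain Admins or Enterprise Admins, so delegated, non-administrative principals are the ones a quota actually constrains.

```powershell
# Added example (not from the original post): create the same quota as the dsadd
# command above with the ActiveDirectory module, then verify it with dsget.
# Assumptions: ActiveDirectory module installed; the user's sAMAccountName is
# 'msingh' (hypothetical); the caller may create objects under CN=NTDS Quotas.
Import-Module ActiveDirectory

$partition      = 'DC=koenig,DC=com'
$quotaContainer = "CN=NTDS Quotas,$partition"
$user           = Get-ADUser -Identity 'msingh'   # hypothetical account for Mohit Singh

# A quota is an msDS-QuotaControl object: the trustee's SID plus the object limit.
New-ADObject -Name 'Quota - Mohit Singh' `
             -Type 'msDS-QuotaControl' `
             -Path $quotaContainer `
             -OtherAttributes @{
                 'msDS-QuotaTrustee' = $user.SID   # principal the quota applies to
                 'msDS-QuotaAmount'  = 10          # objects the principal may own
             }

# Show the effective quota and the number of objects already charged to the
# principal in this partition (dsget resolves direct, group and default quotas).
dsget user $user.DistinguishedName -part $partition -qlimit -qused
```

Running the final dsget line before and after creating the quota object is a quick way to confirm the limit is actually applied to the principal you intended, rather than to a group it happens to belong to.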

Quota container

Quota objects are stored in the NTDS Quotas container under the domain, application, and configuration naming contexts. To view the NTDS Quotas container in the Active Directory Users and Computers snap-in, you must enable Advanced Features on the View menu. The NTDS Quotas container is of the object class msDS-QuotaContainer. There are two special attributes that you can set on the NTDS Quotas container:
  • msDS-DefaultQuota
  • msDS-TombstoneQuotaFactor
Values that you can assign to these attributes are described in the following sections: Default quotas and Tombstone objects.

Default quotas

You can set a default quota for every security principal in a given partition. To set a default quota for all security principals in a partition, you must modify the msDS-DefaultQuota attribute of the NTDS Quotas container.
By default, msDS-DefaultQuota is not set. If this attribute has no value, or has a value of -1, security principals in the given partition (that have been delegated the Create and Delete Child permissions) can create and delete an unlimited number of objects in the partition for which they hold these permissions.

Tombstone objects

Tombstone objects, which are created when you delete an object from a partition, count toward a security principal’s quota limit. You can define the percentage by which tombstone objects count against a security principal’s quota limit by modifying the NTDS Quotas container’s msDS-TombstoneQuotaFactor attribute.
The msDS-TombstoneQuotaFactor attribute is the percentage factor (a value between 1 and 100) by which tombstone objects count against a security principal’s quota limit. By default, the value is set to 100. For example, if you leave the default value unchanged and a security principal has a quota limit of two, the user can create one object and delete another object, which creates a tombstone object. If the user creates an object and then deletes the same object, the quota limit is only reduced by one. By contrast, if you set the value of this attribute to 50, the user can create one new object and delete two objects, because creating a tombstone object only counts as half the value of creating one “live” object.
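The two container-level settings from the Default quotas and Tombstone objects sections can be written with Set-ADObject, and the tombstone factor's effect on a principal's charge can be worked through with a small helper. This is an added example, not part of the original post: it assumes the ActiveDirectory module, the DC=koenig,DC=com partition used above, and write access to the NTDS Quotas container. The charge formula in the helper follows the post's description (a tombstone counts at factor/100 of a live object); how the directory rounds a fractional charge is not stated in the post and the helper does not assume it.

```powershell
# Added example (not from the original post): set the partition-wide default quota
# and tombstone factor on the NTDS Quotas container, read them back with the
# constructed top-usage attribute, and compute the charge a given object mix
# incurs under the post's tombstone rule.
# Assumptions: ActiveDirectory module installed; partition DC=koenig,DC=com;
# the caller may write the container.
Import-Module ActiveDirectory

$quotaContainer = 'CN=NTDS Quotas,DC=koenig,DC=com'

# Replace the unset default (equivalent to -1, unlimited) with a cap of 100 objects
# per principal, and make each tombstone count as half of a live object.
Set-ADObject -Identity $quotaContainer -Replace @{
    'msDS-DefaultQuota'         = 100
    'msDS-TombstoneQuotaFactor' = 50
}

# Read the settings back. msDS-TopQuotaUsage is a constructed attribute that lists
# the principals consuming the most quota, useful for spotting runaway creators.
Get-ADObject -Identity $quotaContainer -Properties 'msDS-DefaultQuota',
    'msDS-TombstoneQuotaFactor', 'msDS-TopQuotaUsage' |
    Select-Object 'msDS-DefaultQuota', 'msDS-TombstoneQuotaFactor', 'msDS-TopQuotaUsage'

function Get-QuotaCharge {
    # Charge against a principal's limit for a mix of live and tombstoned objects,
    # with tombstones weighted by msDS-TombstoneQuotaFactor (a percentage).
    param([int]$Live, [int]$Tombstones, [int]$TombstoneQuotaFactor)
    $Live + ($Tombstones * $TombstoneQuotaFactor / 100)
}

# The post's cases, each judged against a quota limit of 2:
Get-QuotaCharge -Live 1 -Tombstones 1 -TombstoneQuotaFactor 100   # default factor: one live, one deleted
Get-QuotaCharge -Live 1 -Tombstones 2 -TombstoneQuotaFactor 50    # factor 50: one live, two deleted
Get-QuotaCharge -Live 1 -Tombstones 2 -TombstoneQuotaFactor 100   # default factor: second delete exceeds the limit
```

Because tombstones keep counting until garbage collection removes them after the tombstone lifetime, a principal that repeatedly creates and deletes objects can hit its limit long before it owns many live objects; lowering msDS-TombstoneQuotaFactor trades some of that protection for fewer false limits on legitimate churn.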
