GFI Software

Welcome to the GFI Software community forum! For support please open a ticket from https://support.gfi.com.

Home » Product Feedback » GFI MailEssentials Feedback » Excluding the 'Pre-Windows 2000 Compatible Access' group when counting users (Excluding the 'Pre-Windows 2000 Compatible Access' group when counting users)
Excluding the 'Pre-Windows 2000 Compatible Access' group when counting users [message #151763] Mon, 30 May 2022 15:09
dchege is currently offline  dchege
Messages: 1
Registered: May 2022
A customer running MailEssentials in Remote Active Directory Mode is looking to improve security in their Active Directory setup by removing the service account used in the MailEssentials Remote AD settings from the BuiltIn "Pre-Windows 2000 Compatible Access" group. Microsoft recommends that there should be no members in the Pre-Windows 2000 Compatible Access group.
However, this action results in the LDAP query used by MailEssentials to count users returning twice the number of licensed users, implying that the service account used in the MailEssentials Remote AD settings must be added to the Pre-Windows 2000 Compatible Access Active Directory group, thereby exposing the customers to a known vulnerability as documented in these articles:
https://www.lares.com/blog/detection-and-mitigation-advice-f or-printnightmare
https://www.semperis.com/blog/security-risks-pre-windows-200 0-compatibility-windows-2022/
Can you urgently tweak the MaiEssentials user count query so that it provides the correct count even if the queried user is not in the "Pre-Windows 2000 Compatible Access" group?
Previous Topic: White List for Content Filtering Rules
Next Topic: Rename features
Goto Forum:
  


Current Time: Sun Oct 01 23:42:44 CEST 2023

Total time taken to generate the page: 0.05563 seconds