Re: LDAP Security




Remember though that if you have clients that are domain users on your
network, limiting port 389 access may be a problem. If however they just
use their AD account for something like logging in to a website, then there
is no reason whatsoever that they should have port 389 access to your
directory. It really depends on how these users use AD.

Note that if you go with a network-based approach, you need to limit access
to the GC as well (3268).

So overall, just make sure you verify that your final plan will have no
unintended consequences. You obviously have a few options.

Best of luck!

Joe K.

"Scott" <Scott@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:18104409-372B-4A0E-A8CE-D7C13FA45DBA@xxxxxxxxxxxxxxxx
> Ok, I can now see the issue. I need to limit port 389 access. This will
> enable me to allow only the desired LDAP queries.
>
> Thanks everyone for your help.
>
> Scott
>
> "Joe Kaplan (MVP - ADSI)" wrote:
>
>> My instinct tells me that Paul would agree with me, but that you need to
>> be very careful in terms of how you change the default permissions so as to
>> prevent unexpected consequences. That seems to be the gist of his post,
>> which I also agree with.
>>
>> I do know that this kind of thing can be done though as I've heard about
>> some deployments done like this for large US school districts where there
>> were requirements to prevent certain users from seeing other users for
>> privacy reasons.
>>
>> The main thing to do here is planning on what exactly you want users to
>> be able to see and not see. Then, you can probably find an AD expert who
>> can consult with you to set up the ACLs appropriately to achieve the effect
>> you want without breaking something else.
>>
>> The thing I don't totally understand is how you end up in a situation
>> where you have users that you don't really trust that have accounts in your
>> AD and are attached to your network in such a way as to have port 389 access
>> to AD. However, everyone does business in different ways...
>>
>> Joe K.
>>
>>
>> "Scott" <Scott@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
>> news:8182A0E3-DED1-420C-AEF6-4C44F9654408@xxxxxxxxxxxxxxxx
>> > Hello,
>> >
>> > Changing the ACLs on the objects in question was not recommended by
>> > Paul Williams [MVP] (see earlier post). So, I'm at a loss on what to do.
>> >
>> > Please feel free to add any input you may have.
>> >
>> > Thanks,
>> > Scott
>> >
>>
>>
>>
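The verification step recommended above (check that a network filter on the directory ports does not break domain-joined clients, and that it covers the Global Catalog port 3268 and not just 389) can be rehearsed before touching a firewall. The following is an added example, not code from the thread or from any of the posters: it models a first-match rule set and audits it against two constructed host classes, domain members that must keep directory access and web-logon-only users that must have none. The subnets, rule layout and the inclusion of the TLS ports 636/3269 are assumptions for the illustration.

```python
from ipaddress import ip_address, ip_network

# Directory ports a domain controller exposes: plain LDAP and the Global
# Catalog are the ones named in the thread; the TLS variants are added here
# (assumption) because a filter that forgets them leaves the same data reachable.
LDAP_PORTS = {389: "LDAP", 636: "LDAPS", 3268: "GC", 3269: "GC-SSL"}


def rule(action, cidr, ports=None):
    """Build a rule: (action, source network, destination port set or None=all)."""
    return (action, ip_network(cidr), None if ports is None else frozenset(ports))


def allowed(rules, src, port):
    """First matching rule decides; anything unmatched is denied (default deny)."""
    src = ip_address(src)
    for action, net, ports in rules:
        if src in net and (ports is None or port in ports):
            return action == "allow"
    return False


def audit(rules, members, outsiders):
    """Return findings: members must reach every directory port, outsiders none."""
    findings = []
    for host in members:
        for port, name in LDAP_PORTS.items():
            if not allowed(rules, host, port):
                findings.append(f"BREAKS domain client {host}: {name}/{port} blocked")
    for host in outsiders:
        for port, name in LDAP_PORTS.items():
            if allowed(rules, host, port):
                findings.append(f"EXPOSED to {host}: {name}/{port} still reachable")
    return findings


# Constructed segments (assumptions, not from the thread).
WORKSTATIONS = "10.10.0.0/16"    # domain-joined clients that need LDAP/GC
WEB_USERS = "192.168.50.0/24"    # accounts used only to log in to a website

# First attempt: only port 389 is blocked for the web-user segment.
NAIVE_RULES = [
    rule("deny", WEB_USERS, [389]),
    rule("allow", "0.0.0.0/0"),
]

# Corrected: every directory port is closed to web users, open to domain clients,
# and everything else falls through to an explicit deny.
FIXED_RULES = [
    rule("deny", WEB_USERS, LDAP_PORTS),
    rule("allow", WORKSTATIONS, LDAP_PORTS),
    rule("deny", "0.0.0.0/0"),
]


def main():
    for label, rules in (("naive", NAIVE_RULES), ("fixed", FIXED_RULES)):
        findings = audit(rules, ["10.10.3.7"], ["192.168.50.20"])
        print(label, findings or ["no findings"])


if __name__ == "__main__":
    main()
```

Running it shows the naive rule set still exposing GC (3268) and the TLS ports to the web-user segment while the fixed set yields no findings; the same audit can be rerun with a list of real client addresses before the change is applied.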




