Re: LDAP Security

This isn't going to be that easy. There are other protocols going on such
as Kerberos and the Global Catalog. Then if users need to change their
password, LDAP needs to run over port 636, etc...

Are you looking to provide untrusted users access to your system?

Check out the client ports
http://support.microsoft.com/default.aspx?scid=http://support.microsoft.com:80/support/kb/articles/q179/4/42.asp&NoWebContent=1

--

Paul Bergson MCT, MCSE, MCSA, CNE, CNA, CCA

This posting is provided "AS IS" with no warranties, and confers no rights.

"Scott" <Scott@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:18104409-372B-4A0E-A8CE-D7C13FA45DBA@xxxxxxxxxxxxxxxx
> Ok, I can now see the issue. I need to limit port 389 access. This will
> enable me to allow only the desired LDAP queries.
>
> Thanks everyone for your help.
>
> Scott
>
> "Joe Kaplan (MVP - ADSI)" wrote:
>
>> My instinct tells me that Paul would agree with me, but that you need to
>> be very careful in terms of how you change the default permissions so as
>> to prevent unexpected consequences. That seems to be the gist of his post,
>> which I also agree with.
>>
>> I do know that this kind of thing can be done though, as I've heard about
>> some deployments done like this for large US school districts where there
>> were requirements to prevent certain users from seeing other users for
>> privacy reasons.
>>
>> The main thing to do here is planning what exactly you want users to
>> be able to see and not see. Then, you can probably find an AD expert who
>> can consult with you to set up the ACLs appropriately to achieve the
>> effect you want without breaking something else.
>>
>> The thing I don't totally understand is how you end up in a situation
>> where you have users that you don't really trust that have accounts in
>> your AD and are attached to your network in such a way as to have port
>> 389 access to AD. However, everyone does business in different ways...
>>
>> Joe K.
>>
>>
>> "Scott" <Scott@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
>> news:8182A0E3-DED1-420C-AEF6-4C44F9654408@xxxxxxxxxxxxxxxx
>> > Hello,
>> >
>> > Changing the ACLs on the objects in question was not recommended by
>> > Paul Williams [MVP] (see earlier post). So, I'm at a loss on what to do.
>> >
>> > Please feel free to add any input you may have.
>> >
>> > Thanks,
>> > Scott
>> >
>>
>>
>>
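An added example, not part of the thread above and not Microsoft's code: a PowerShell check that follows Paul's point. It probes the set of ports an AD client actually uses (the list in the linked KB article: DNS, Kerberos, RPC, LDAP, SMB, Kerberos password change, LDAPS and the Global Catalog) against a domain controller, flags that blocking 389 alone still leaves LDAPS and the Global Catalog answering directory queries, and then shows the source-restriction Scott is after done on the firewall rather than with object ACLs. The DC name (`$Dc`), the trusted subnet (`$TrustedSubnet`) and the built-in firewall rule group name (`Active Directory Domain Services`) are assumptions you must adjust for your own environment.

```powershell
# Added example (not from the original thread). Probe the AD service ports
# a client depends on, then scope the LDAP-family allow rules on the DC to a
# trusted subnet. Hypothetical values below; change them for your forest.
param(
    [string]$Dc            = 'dc01.corp.example',   # assumed DC name
    [string]$TrustedSubnet = '10.10.0.0/16'         # assumed trusted client range
)

# Core ports from Microsoft's domain/trust firewall guidance (KB 179442).
# Dynamic RPC high ports are omitted: they matter for replication and some
# admin tools, not for an LDAP client running queries.
$AdPorts = @(
    @{ Port = 53;   Name = 'DNS' },
    @{ Port = 88;   Name = 'Kerberos' },
    @{ Port = 135;  Name = 'RPC endpoint mapper' },
    @{ Port = 389;  Name = 'LDAP' },
    @{ Port = 445;  Name = 'SMB (SYSVOL, Netlogon)' },
    @{ Port = 464;  Name = 'Kerberos password change' },
    @{ Port = 636;  Name = 'LDAP over SSL' },
    @{ Port = 3268; Name = 'Global Catalog' },
    @{ Port = 3269; Name = 'Global Catalog over SSL' }
)

# Ports on which the same directory data can be read; blocking 389 by itself
# does not close them.
$LdapFamily = 389, 636, 3268, 3269

function Test-AdPorts {
    param([string]$ComputerName, [array]$Ports)
    foreach ($p in $Ports) {
        $open = Test-NetConnection -ComputerName $ComputerName -Port $p.Port `
                    -InformationLevel Quiet -WarningAction SilentlyContinue
        [pscustomobject]@{ Port = $p.Port; Service = $p.Name; Reachable = $open }
    }
}

# Run from a client in the "untrusted" segment to see what it can really reach.
$results = Test-AdPorts -ComputerName $Dc -Ports $AdPorts
$results | Format-Table -AutoSize

$stillOpen = $results | Where-Object { $_.Reachable -and ($LdapFamily -contains $_.Port) }
if ($stillOpen) {
    Write-Warning ('LDAP-family ports still reachable: ' + ($stillOpen.Port -join ', '))
}

function Set-LdapSourceRestriction {
    # Run ON the domain controller with administrative rights.
    # Windows Firewall evaluates Block rules before Allow rules, so adding a
    # Block rule for "everyone else" would also cut off the trusted subnet.
    # Instead, narrow the built-in ADDS allow rules for the LDAP-family ports
    # to the trusted range; the domain profile's default inbound action (Block)
    # then drops the rest. Kerberos, SMB and the other ports are left alone,
    # which is exactly why this is not the same as "limiting port 389".
    param([string]$Subnet, [int[]]$Ports)
    Get-NetFirewallRule -DisplayGroup 'Active Directory Domain Services' -Direction Inbound |
        Where-Object {
            $filter = $_ | Get-NetFirewallPortFilter
            $filter.Protocol -eq 'TCP' -and
                (@($filter.LocalPort) | Where-Object { $Ports -contains $_ }).Count -gt 0
        } |
        Set-NetFirewallRule -RemoteAddress $Subnet
}

# Apply on the DC only after reviewing the probe output above:
# Set-LdapSourceRestriction -Subnet $TrustedSubnet -Ports $LdapFamily
```

The probe half runs from any Windows host with `Test-NetConnection` (Windows 8 / Server 2012 and later); the restriction half needs the NetSecurity module on the DC. Clients outside `$TrustedSubnet` still need 88, 445 and 464 to log on and change passwords, so leave those rules unscoped unless those clients are not domain members at all.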

