Re: Disable LDAP anonymous win2003




I think I would go back and argue the detail with the auditors since
disabling anonymous bind to rootDSE would break the spec compliance of the
server and isn't possible. The important thing is that you cannot access
any real data in the directory anonymously with the default settings in 2003
(which is what you have now I believe) so the user will get an error if they
attempt to perform an anonymous search within any of the directory
partitions.

Sometimes auditors aren't completely up to speed on the finer points of
their recommendations and need clarifications. :)

Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Pete" <Pete@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:13C86DEF-A765-4EEC-854C-6D99FD3A25DC@xxxxxxxxxxxxxxxx
Joe, thank you for your response.

Our auditors suggested that we turn off all anonymous bind to LDAP, and in
order for me to say that we cannot turn off this setting I need to have
some proof.


Thank You

"Joe Kaplan" wrote:

Anonymous rootDSE access is part of the LDAP V3 specification. There is
currently no way to disable that.

I also think this is used by DC locator, so this would break core parts
of Windows if it was disabled.

Why is that a concern, anyway?

Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Pete" <Pete@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:A01B32CF-A570-4DB2-85A8-B94F4CB7902A@xxxxxxxxxxxxxxxx
Jorge, thank you for your response; sorry for not wording my question
properly.

Is there a way to disable anonymous rootDSE access?


Thank You Again,



"Jorge de Almeida Pinto [MVP - DS]" wrote:

anonymous access is only enabled for the rootDSE, not the rest of AD.
For that you would need to enable anonymous access AND assign permissions,
because the data is still protected by ACLs.

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Identity & Access - Directory Services
#

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
------------------------------------------------------------------------------------------
* How to ask a question --> http://support.microsoft.com/?id=555375
------------------------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test ANY suggestion in a test environment before implementing!
------------------------------------------------------------------------------------------
#################################################
#################################################
------------------------------------------------------------------------------------------
"Pete" <Pete@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:7849F21D-26BC-4F33-AB9C-C519BCD8AA2B@xxxxxxxxxxxxxxxx
Hello ALL:
The dsHeuristics attribute value is not set under ADSIedit.msc, but
according to default win2003 behavior anonymous users can still check the
attributes. Is there a way for me to disable this setting so an anonymous
user will not get any info when they try to connect to AD via LDAP?

I found the following articles on this issue, but no help in disabling
the anonymous access to the attributes:
1. http://www.petri.co.il/anonymous_ldap_operations_in_windows_2003_ad.htm
2. http://support.microsoft.com/kb/326690/
3. http://list.nessus.org/pipermail/nessus/2007-November/017757.html


Thank You in advance for your help...
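The two facts the thread turns on (an anonymous read of rootDSE always succeeds, while an anonymous search inside a directory partition is refused by a default Windows 2003 DC) can be shown to an auditor with a short check. The script below is an added example, not code posted by anyone in this thread; it uses the .NET System.DirectoryServices.Protocols classes, and the DC hostname is a placeholder you must replace.

```powershell
# Added verification script (not from any poster in this thread).
# Assumes a DC reachable on TCP 389; the hostname below is a placeholder.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Test-AnonymousLdap {
    param([string]$Dc = "dc01.example.internal")   # placeholder DC name

    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection -ArgumentList $Dc
    $conn.SessionOptions.ProtocolVersion = 3
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Anonymous
    $conn.Bind()   # anonymous bind: accepted by design, as LDAPv3 requires

    try {
        # 1. rootDSE read with no credentials: expected to succeed (spec behaviour, not a finding)
        $rootArgs = @("", "(objectClass=*)",
                      [System.DirectoryServices.Protocols.SearchScope]::Base,
                      [string[]]@("defaultNamingContext", "supportedLDAPVersion"))
        $rootReq  = New-Object System.DirectoryServices.Protocols.SearchRequest -ArgumentList $rootArgs
        $rootResp = $conn.SendRequest($rootReq)
        $nc = $rootResp.Entries[0].Attributes["defaultNamingContext"][0]
        Write-Host "rootDSE readable anonymously (expected); defaultNamingContext = $nc"

        # 2. Anonymous read of the partition root itself: the 2003 default refuses this
        $dataArgs = @($nc, "(objectClass=*)",
                      [System.DirectoryServices.Protocols.SearchScope]::Base,
                      [string[]]@("name"))
        $dataReq = New-Object System.DirectoryServices.Protocols.SearchRequest -ArgumentList $dataArgs
        try {
            $dataResp = $conn.SendRequest($dataReq)
            # Reaching here means anonymous LDAP operations were enabled
            # (7th character of dsHeuristics set to 2, per KB 326690)
            Write-Warning "Anonymous read of $nc returned $($dataResp.Entries.Count) entries: check dsHeuristics"
            return $false
        } catch [System.DirectoryServices.Protocols.DirectoryOperationException] {
            $code = $_.Exception.Response.ResultCode
            Write-Host "Anonymous read of $nc refused ($code): default protection in place"
            return $true
        }
    } finally {
        $conn.Dispose()
    }
}

Test-AnonymousLdap
```

A return value of $true is the evidence the auditor asked for: the rootDSE read cannot be turned off, but no directory data is reachable without a successful bind.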