Re: Access Control to LDAP on AD?
From: Alun Jones (alun_at_texis.invalid)
Date: 10/18/05
- Previous message: Michel Gallant: "Re: Add Private Keys in System Store MY"
- Maybe in reply to: -: "Access Control to LDAP on AD?"
- Next in thread: Joe Kaplan \(MVP - ADSI\): "Re: Access Control to LDAP on AD?"
- Reply: Joe Kaplan \(MVP - ADSI\): "Re: Access Control to LDAP on AD?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 18 Oct 2005 10:55:06 -0700
Denial of Service is always a possibility. Consider someone simply firing
off connections - the classic SYN attack - to overload your LDAP server.
Yes, that will cause your LDAP server to become unreliable, in the strictest
sense that sometimes it will respond to requests, and other times it will be
unable to do so.
As for "no ability to stop them", that's going rather far. All ("all") you
have to do is monitor your network for suspicious behaviour, track down the
perpetrator, and then march over there with a couple of security and HR
personnel so that you can fire his arse for breaching your corporate
security policy. You do have a corporate security policy, don't you? You
do have an IDS in place to monitor rogue traffic, yes?
Alun.
~~~~
<-> wrote in message news:O0HQAX$0FHA.1256@TK2MSFTNGP09.phx.gbl...
> Apparently not. So someone writing a rogue LDAP query can bring down and
> domain or enterprise with no ability to stop them. Great.
>
> <-> wrote in message news:ue2Ppy00FHA.2924@TK2MSFTNGP15.phx.gbl...
>> So, there's no solution?
>>
>>
>> "Roger Abell [MVP]" <mvpNoSpam@asu.edu> wrote in message
>> news:Odue6pU0FHA.2008@TK2MSFTNGP10.phx.gbl...
>>>I believe you can not realistically do that as an account will at times
>>> be issuing Ldap queries, behind the scenes, sometimes against
>>> the GCs, just to function as a domain client. Also, not all Ldap
>>> queries are authenticated queries so if your objective is to
>>> avoid a potential DoS from malicious queries they may try to
>>> side-step your efforts using unauthenticated binds if they are
>>> allowed to communicate with the ldap and gc ldap ports.
>>>
>>> --
>>> Roger Abell
>>> Microsoft MVP (Windows Server : Security)
>>> MCDBA, MCSE W2k3+W2k+Nt4
>>> <-> wrote in message news:uL$IzaS0FHA.3188@TK2MSFTNGP14.phx.gbl...
>>>> Is there a way to block certain user accounts from performing LDAP
>>>> queries on Active Directory?
>>>>
>>>> If anyone could let me know I would be most appreciative.
>>>>
>>>
>>>
>>
>>
>
>
- Previous message: Michel Gallant: "Re: Add Private Keys in System Store MY"
- Maybe in reply to: -: "Access Control to LDAP on AD?"
- Next in thread: Joe Kaplan \(MVP - ADSI\): "Re: Access Control to LDAP on AD?"
- Reply: Joe Kaplan \(MVP - ADSI\): "Re: Access Control to LDAP on AD?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
