Re: Access Control to LDAP on AD?

From: Roger Abell [MVP] (mvpNoSpam_at_asu.edu)
Date: 10/22/05

    Date: Fri, 21 Oct 2005 23:02:47 -0700

    Sounds like you have the right strategy, particularly as you do
    want especially the developers to have awareness of quality
    of their queries.

    -- 
    Roger
    <-> wrote in message news:upGpB1k1FHA.3124@TK2MSFTNGP12.phx.gbl...
    > Hello,
    >
    > Thanks for the suggestions.  Basically, I'm finding my DC's occasionally 
    > hanging LSASS at 99% and investigation has found that there are developers 
    > using my AD for their security, but their LDAP queries are inefficient and 
    > therefore causing the LSASS spike.  It was taking down one of our 
    > workhorse DC's on a regular basis until it was isolated.  The problem is, 
    > we can't just turn off access to LDAP, we have to see how we can prevent 
    > this from happening.  I just found another one a week ago, not as severe. 
    > I cranked up the LDAP logging and found out who it was, and asked them to 
    > recode their query, but I can't stop him from running it, and it's still 
    > happening every night when his script runs.
    >
    > I'm going to look into changing the LDAP query timeouts or better yet, 
    > recreate a new OU structure with access restrictions for object viewing, 
    > and then all the developers will start coming out of the woodwork.
    >
    > Again, thanks for the advice.
    >
    > "Joe Kaplan (MVP - ADSI)" <joseph.e.kaplan@removethis.accenture.com> wrote 
    > in message news:urJBNQB1FHA.2072@TK2MSFTNGP14.phx.gbl...
    >> There are also query policies that are already in place that help 
    >> mitigate DOS attacks via LDAP.  It is possible to tighten these up even 
    >> further (limiting the number of query threads, shortening time 
    >> outs, etc.). My experience is that people are more likely to do things to 
    >> increase their risk of DOS attack with these than decrease it (increasing 
    >> maxPageSize and query timeouts comes to mind), but they can go either 
    >> way.
    >>
    >> It may also be possible to severely limit the objects a normal user in 
    >> the domain can find via a search.  The trick here is to make sure that it 
    >> is not so tightened down that the user no longer functions.
    >>
    >> The original poster never explained their goal here, so it wasn't clear 
    >> what the right answer should be.
    >>
    >> Joe K.
    >>
    >> "Alun Jones" <alun@texis.invalid> wrote in message 
    >> news:NIedneASk79-q8jeRVn-vA@comcast.com...
    >>> Denial of Service is always a possibility.  Consider someone simply 
    >>> firing off connections - the classic SYN attack - to overload your LDAP 
    >>> server. Yes, that will cause your LDAP server to become unreliable, in 
    >>> the strictest sense that sometimes it will respond to requests, and 
    >>> other times it will be unable to do so.
    >>>
    >>> As for "no ability to stop them", that's going rather far.  All ("all") 
    >>> you have to do is monitor your network for suspicious behaviour, track 
    >>> down the perpetrator, and then march over there with a couple of 
    >>> security and HR personnel so that you can fire his arse for breaching 
    >>> your corporate security policy.  You do have a corporate security 
    >>> policy, don't you?  You do have an IDS in place to monitor rogue 
    >>> traffic, yes?
    >>>
    >>> Alun.
    >>> ~~~~
    >>>
    >>> <-> wrote in message news:O0HQAX$0FHA.1256@TK2MSFTNGP09.phx.gbl...
    >>>> Apparently not.  So someone writing a rogue LDAP query can bring down 
    >>>> a domain or enterprise with no ability to stop them.  Great.
    >>>>
    >>>> <-> wrote in message news:ue2Ppy00FHA.2924@TK2MSFTNGP15.phx.gbl...
    >>>>> So, there's no solution?
    >>>>>
    >>>>>
    >>>>> "Roger Abell [MVP]" <mvpNoSpam@asu.edu> wrote in message 
    >>>>> news:Odue6pU0FHA.2008@TK2MSFTNGP10.phx.gbl...
    >>>>>> I believe you can not realistically do that as an account will at times
    >>>>>> be issuing Ldap queries, behind the scenes, sometimes against
    >>>>>> the GCs, just to function as a domain client.  Also, not all Ldap
    >>>>>> queries are authenticated queries so if your objective is to
    >>>>>> avoid a potential DoS from malicious queries they may try to
    >>>>>> side-step your efforts using unauthenticated binds if they are
    >>>>>> allowed to communicate with the ldap and gc ldap ports.
    >>>>>>
    >>>>>> -- 
    >>>>>> Roger Abell
    >>>>>> Microsoft MVP (Windows Server : Security)
    >>>>>> MCDBA,  MCSE W2k3+W2k+Nt4
    >>>>>> <-> wrote in message news:uL$IzaS0FHA.3188@TK2MSFTNGP14.phx.gbl...
    >>>>>>> Is there a way to block certain user accounts from performing LDAP 
    >>>>>>> queries on Active Directory?
    >>>>>>>
    >>>>>>> If anyone could let me know I would be most appreciative.
    >>>>>>>
    
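The query limits Joe K. refers to and the LDAP diagnostic logging the original poster used to identify the offending script can be inspected and enabled from PowerShell. This is an added example, not code from anyone in the thread; it assumes it is run on a domain controller with the RSAT ActiveDirectory module available, and the threshold values are illustrative.

```powershell
# Added example (not from the thread): review the AD LDAP query policy
# and turn on expensive/inefficient search logging on a DC so the
# queries that spike LSASS can be attributed to a client and a filter.
# Assumes: run as a domain admin on a DC; thresholds below are examples.
Import-Module ActiveDirectory

# 1. Read the default query policy (MaxPageSize, MaxQueryDuration,
#    MaxPoolThreads, ...) from the Configuration partition.
$configNC = (Get-ADRootDSE).configurationNamingContext
$policyDN = "CN=Default Query Policy,CN=Query-Policies,CN=Directory Service," +
            "CN=Windows NT,CN=Services,$configNC"
$policy   = Get-ADObject -Identity $policyDN -Properties lDAPAdminLimits
# lDAPAdminLimits is a multi-valued "Name=Value" attribute.
$policy.lDAPAdminLimits |
    ForEach-Object {
        $name, $value = $_ -split '=', 2
        [pscustomobject]@{ Limit = $name; Value = [int]$value }
    } |
    Sort-Object Limit | Format-Table -AutoSize

# 2. Enable "15 Field Engineering" diagnostic logging so the DC records
#    event 1644 in the Directory Service log for searches that exceed
#    the thresholds (objects visited, results returned, elapsed time).
$diag   = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'
$params = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
Set-ItemProperty -Path $diag -Name '15 Field Engineering' -Value 5 -Type DWord
# Example thresholds; tune for the size of your forest.
Set-ItemProperty -Path $params -Name 'Expensive Search Results Threshold'   -Value 10000 -Type DWord
Set-ItemProperty -Path $params -Name 'Inefficient Search Results Threshold' -Value 1000  -Type DWord
Set-ItemProperty -Path $params -Name 'Search Time Threshold (msecs)'        -Value 30000 -Type DWord

# 3. After the nightly script has run, pull the 1644 events: each one
#    carries the client address, the search base, the filter and the
#    visited/returned counts needed to ask the developer to fix the query.
Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 1644 } -MaxEvents 20 |
    Select-Object TimeCreated, Message | Format-List
```

Set "15 Field Engineering" back to 0 once the culprit is identified, since this logging level adds its own load to a busy DC.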
