Re: Access Control to LDAP on AD?

From: Roger Abell [MVP] (mvpNoSpam_at_asu.edu)
Date: 10/22/05 

Date: Fri, 21 Oct 2005 23:02:47 -0700

Sounds like you have the right strategy, particularly as you do
want especially the developers to have awareness of quality
of their queries. 

-- 
Roger
<-> wrote in message news:upGpB1k1FHA.3124@TK2MSFTNGP12.phx.gbl...
> Hello,
>
> Thanks for the suggestions.  Basically, I'm finding my DC's occasionally 
> hanging LSASS at 99% and investigation has found that there are developers 
> using my AD for their security, but their LDAP queries are inefficient and 
> therefore causing the LSASS spike.  It was taking down one of our 
> workhorse DC's on a regular basis until it was isolated.  The problem is, 
> we can't just turn off access to LDAP, we have to see how we can prevent 
> this from happening.  I just found another one a week ago, not as severe. 
> I cranked up the LDAP logging and found out who it was, and asked them to 
> recode their query, but I can't stop him from running it, and it's still 
> happening every night when his script runs.
>
> I'm going to look into chaning the LDAP query timeouts or better yet, 
> recreate a new OU structure with access restrictions for object viewing, 
> and then all the developers will start coming out of the woodwork.
>
> Again, thanks for the advice.
>
> "Joe Kaplan (MVP - ADSI)" <joseph.e.kaplan@removethis.accenture.com> wrote 
> in message news:urJBNQB1FHA.2072@TK2MSFTNGP14.phx.gbl...
>> There are also query policies that are already in place that help 
>> mitigate DOS attacks via LDAP.  It is possible to tighten these up even 
>> further (limiting the number of query query threads, shortening time 
>> outs, etc.). My experience is that people are more likely to do things to 
>> increase their risk of DOS attack with these and decrease it (increasing 
>> maxPageSize and query timeouts comes to mind), but they can go either 
>> way.
>>
>> It may also be possible to severely limit the objects a normal user in 
>> the domain can find via a search.  The trick here is to make sure that it 
>> is not so tightened down that the user no longer functions.
>>
>> The original poster never explained their goal here, so it wasn't clear 
>> what the right answer should be.
>>
>> Joe K.
>>
>> "Alun Jones" <alun@texis.invalid> wrote in message 
>> news:NIedneASk79-q8jeRVn-vA@comcast.com...
>>> Denial of Service is always a possibility.  Consider someone simply 
>>> firing off connections - the classic SYN attack - to overload your LDAP 
>>> server. Yes, that will cause your LDAP server to become unreliable, in 
>>> the strictest sense that sometimes it will respond to requests, and 
>>> other times it will be unable to do so.
>>>
>>> As for "no ability to stop them", that's going rather far.  All ("all") 
>>> you have to do is monitor your network for suspicious behaviour, track 
>>> down the perpetrator, and then march over there with a couple of 
>>> security and HR personnel so that you can fire his arse for breaching 
>>> your corporate security policy.  You do have a corporate security 
>>> policy, don't you?  You do have an IDS in place to monitor rogue 
>>> traffic, yes?
>>>
>>> Alun.
>>> ~~~~
>>>
>>> <-> wrote in message news:O0HQAX$0FHA.1256@TK2MSFTNGP09.phx.gbl...
>>>> Apparently not.  So someone writing a rogue LDAP query can bring down 
>>>> and domain or enterprise with no ability to stop them.  Great.
>>>>
>>>> <-> wrote in message news:ue2Ppy00FHA.2924@TK2MSFTNGP15.phx.gbl...
>>>>> So, there's no solution?
>>>>>
>>>>>
>>>>> "Roger Abell [MVP]" <mvpNoSpam@asu.edu> wrote in message 
>>>>> news:Odue6pU0FHA.2008@TK2MSFTNGP10.phx.gbl...
>>>>>>I believe you can not realistically do that as an account will at 
>>>>>>times
>>>>>> be issuing Ldap queries, behind the scenes, sometimes against
>>>>>> the GCs, just to function as a domain client.  Also, not all Ldap
>>>>>> queries are authenticated queries so if your objective is to
>>>>>> avoid a potential DoS from malicious queries they may try to
>>>>>> side-step your efforts using unauthenticated binds if they are
>>>>>> allowed to communicate with the ldap and gc ldap ports.
>>>>>>
>>>>>> -- 
>>>>>> Roger Abell
>>>>>> Microsoft MVP (Windows Server : Security)
>>>>>> MCDBA,  MCSE W2k3+W2k+Nt4
>>>>>> <-> wrote in message news:uL$IzaS0FHA.3188@TK2MSFTNGP14.phx.gbl...
>>>>>>> Is there a way to block certain user accounts from performing LDAP 
>>>>>>> queries on Active Directory?
>>>>>>>
>>>>>>> If anyone could let me know I would be most appreciative.
>>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>
>>>
>>
>>
>
>