Solved

Turning off LDAP Anonymous Directory Access Permitted on Windows Server 2013 R2

Posted on 2016-10-31
Last Modified: 2016-11-14
How do you turn off anonymous LDAP access on a Windows Server 2013 R2 Domain Controller?
Question by:rjordanbots
6 Comments
 
LVL 56

Expert Comment

by:Cliff Galiher
ID: 41867709
That is the default configuration. Anonymous access has to be explicitly granted, and usually there is no good reason to do so.

Author Comment

by:rjordanbots
ID: 41867718
Sorry, I meant Windows Server 2012 R2
LVL 56

Expert Comment

by:Cliff Galiher
ID: 41867737
Yeah. Since there is no 2013, I knew what you meant. Same answer.
Author Comment

by:rjordanbots
ID: 41868697
We had a security company come in and do a network assessment, and this was one of the issues on the assessment that my boss wanted me to fix. I realize it is a default config. He did an ldapsearch to anonymously connect to the LDAP service and pulled the Directory Information Tree. I'm just not sure how to go about turning this anonymous access off, though. Or why do you say there isn't a good reason to do so? This is not for the RootDSE account.
LVL 38

Accepted Solution

by: Adam Brown (earned 500 total points)
ID: 41870742
If someone enabled anonymous LDAP binds on your AD in the past, it can be disabled by opening ADSIEdit and connecting to the Configuration partition, then navigating to Services > Windows NT > Directory Service. Right-click it and select Properties. Go to the Attributes tab and check the dsHeuristics attribute. If it is set to 2, anonymous access to LDAP is enabled. Set it to 0 and that will disable it. Note, though, that despite the fact that anonymous users can perform an LDAP bind if this is set to allow it, they are still limited to actions that are allowed to the anonymous user group.
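An added example, not code from this thread or from either expert: a PowerShell script that checks the dsHeuristics setting the accepted answer describes, clears it, and then re-tests the way the assessor's ldapsearch did, with an anonymous bind followed by a subtree search. The switch involved is the seventh character of dsHeuristics (fLDAPBlockAnonOps): a "2" in that position allows anonymous clients to run LDAP operations beyond the RootDSE, while "0" or an absent attribute is the default and blocks them. It assumes the RSAT ActiveDirectory module, rights to write the Configuration partition, and the hypothetical names dc01.example.com and DC=example,DC=com.

```powershell
# Added example, not code from the thread. Assumes the RSAT ActiveDirectory module,
# rights to write the Configuration partition, and the hypothetical names
# dc01.example.com / DC=example,DC=com.
Import-Module ActiveDirectory
Add-Type -AssemblyName System.DirectoryServices.Protocols

$dsPath = "CN=Directory Service,CN=Windows NT,CN=Services," +
          (Get-ADRootDSE).configurationNamingContext

# $true when the 7th character of dsHeuristics (fLDAPBlockAnonOps) is "2", i.e.
# anonymous LDAP operations are allowed. Empty, short, or "0" means blocked (default).
function Test-AnonLdapAllowed {
    $h = [string](Get-ADObject -Identity $dsPath -Properties dsHeuristics).dsHeuristics
    return ($h.Length -ge 7 -and $h[6] -eq '2')
}

# Flips only character 7 back to "0" and leaves every other heuristic untouched,
# which is safer than overwriting the whole string with a single "0".
function Disable-AnonLdap {
    $h = [string](Get-ADObject -Identity $dsPath -Properties dsHeuristics).dsHeuristics
    if ($h.Length -lt 7 -or $h[6] -ne '2') { return "already blocked ('$h')" }
    $chars = $h.ToCharArray(); $chars[6] = '0'; $new = -join $chars
    Set-ADObject -Identity $dsPath -Replace @{ dsHeuristics = $new }
    return "dsHeuristics changed '$h' -> '$new'"
}

# Re-test like the assessor's ldapsearch: anonymous bind, then a subtree search.
# The bind itself always succeeds against AD; what matters is whether the search
# is accepted. With anonymous ops blocked the DC answers operationsError ("a
# successful bind must be completed"); with them allowed the search runs and
# returns whatever the ACLs grant to ANONYMOUS LOGON, so the entry count alone
# is not the test.
function Test-AnonLdapSearch([string]$Server = "dc01.example.com",
                             [string]$Base = "DC=example,DC=com") {
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($Server)
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Anonymous
    $conn.SessionOptions.ProtocolVersion = 3
    $conn.Bind()
    $req = New-Object System.DirectoryServices.Protocols.SearchRequest(
               $Base, "(objectClass=*)", "Subtree", @("name"))
    try {
        $res = $conn.SendRequest($req)
        return "ALLOWED: anonymous search accepted, $($res.Entries.Count) entries visible"
    } catch [System.DirectoryServices.Protocols.DirectoryOperationException] {
        return "BLOCKED: $($_.Exception.Response.ResultCode)"
    } finally { $conn.Dispose() }
}

"dsHeuristics anonymous ops allowed: $(Test-AnonLdapAllowed)"
Disable-AnonLdap
Test-AnonLdapSearch
```

Because dsHeuristics lives in the Configuration partition, the change replicates to every domain controller in the forest, so run the search test against more than one DC (and give replication time) before reporting the finding closed.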

Author Closing Comment

by:rjordanbots
ID: 41886893
Thanks, Adam, this fixed the solution, appreciate it.