Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Turning off LDAP Anonymous Directory Access Permitted on Windows Server 2013 R2

Posted on 2016-10-31
6
Medium Priority
?
488 Views
Last Modified: 2016-11-14
How do you turn off LDAP anonymous on Windows Server 2013 R2 Domain Controller?
0
Comment
Question by:rjordanbots
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
6 Comments
 
LVL 59

Expert Comment

by:Cliff Galiher
ID: 41867709
That is the default configuration. Anonymous access has to be explicitly granted, and usually there is no good reason to do so.
0
 

Author Comment

by:rjordanbots
ID: 41867718
Sorry, I meant Windows Server 2012 R2
0
 
LVL 59

Expert Comment

by:Cliff Galiher
ID: 41867737
Yeah. Since there is no 2013, I knew what you meant. Same answer.
0
What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

 

Author Comment

by:rjordanbots
ID: 41868697
We had a security company come in and do a network assessment, this was one of the issues on the assessment that my boss wanted me to fix. I realize it is a default config. He did a ldapsearch to anonymously connect to the ldap service and pulled the Directory Information tree. I'm just not sure how to go about and turn this anonymous access off though. Or why do you say there isn't a good reason to do so? This is not for the DSE Root account.
0
 
LVL 42

Accepted Solution

by:
Adam Brown earned 2000 total points
ID: 41870742
If someone enabled Anonymous LDAP binds on your AD in the past, it can be disabled by opening ADSIEdit and connecting to the configuration partition, then navigate to Services>Windows NT>Directory Service - Right click and select properties. Go to the attributes tab and check the dsHeuristics attribute. If it is set to 2, anonymous access to LDAP is enabled. Set it to 0 and that will disable it. Note, though, that despite the fact that Anonymous users can perform an LDAP bind if this is set to allow it, they are still limited to actions that are allowed to the anonymous user group.
0
 

Author Closing Comment

by:rjordanbots
ID: 41886893
Thanks, Adam, this fixed the solution, appreciate it.
0

Featured Post

Looking for the Wi-Fi vendor that's right for you?

We know how difficult it can be to evaluate Wi-Fi vendors, so we created this helpful Wi-Fi Buyer's Guide to help you find the Wi-Fi vendor that's right for your business! Download the guide and get started on our checklist today!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Here's a look at newsworthy articles and community happenings during the last month.
Let's recap what we learned from yesterday's Skyport Systems webinar.
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…
Sometimes it takes a new vantage point, apart from our everyday security practices, to truly see our Active Directory (AD) vulnerabilities. We get used to implementing the same techniques and checking the same areas for a breach. This pattern can re…

715 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question