Solved

Turning off LDAP Anonymous Directory Access Permitted on Windows Server 2013 R2

Posted on 2016-10-31
6
28 Views
Last Modified: 2016-11-14
How do you turn off LDAP anonymous on Windows Server 2013 R2 Domain Controller?
0
Comment
Question by:rjordanbots
  • 3
  • 2
6 Comments
 
LVL 56

Expert Comment

by:Cliff Galiher
ID: 41867709
That is the default configuration. Anonymous access has to be explicitly granted, and usually there is no good reason to do so.
0
 

Author Comment

by:rjordanbots
ID: 41867718
Sorry, I meant Windows Server 2012 R2
0
 
LVL 56

Expert Comment

by:Cliff Galiher
ID: 41867737
Yeah. Since there is no 2013, I knew what you meant. Same answer.
0
 

Author Comment

by:rjordanbots
ID: 41868697
We had a security company come in and do a network assessment, this was one of the issues on the assessment that my boss wanted me to fix. I realize it is a default config. He did a ldapsearch to anonymously connect to the ldap service and pulled the Directory Information tree. I'm just not sure how to go about and turn this anonymous access off though. Or why do you say there isn't a good reason to do so? This is not for the DSE Root account.
0
 
LVL 38

Accepted Solution

by:
Adam Brown earned 500 total points
ID: 41870742
If someone enabled Anonymous LDAP binds on your AD in the past, it can be disabled by opening ADSIEdit and connecting to the configuration partition, then navigate to Services>Windows NT>Directory Service - Right click and select properties. Go to the attributes tab and check the dsHeuristics attribute. If it is set to 2, anonymous access to LDAP is enabled. Set it to 0 and that will disable it. Note, though, that despite the fact that Anonymous users can perform an LDAP bind if this is set to allow it, they are still limited to actions that are allowed to the anonymous user group.
0
 

Author Closing Comment

by:rjordanbots
ID: 41886893
Thanks, Adam, this fixed the solution, appreciate it.
0

Join & Write a Comment

I don't know if many of you have made the great mistake of using the Cisco Thin Client model with the management software VXC. If you have then you are probably more then familiar with the incredibly clunky interface, the numerous work arounds, and …
The reason that corporations and businesses use Windows servers is because it supports custom modifications to adapt to the business and what it needs. Most individual users won’t need such powerful options. Here I’ll explain how you can enable Wind…
In this Micro Tutorial viewers will learn how to restore single file or folder from Bare Metal backup image of their system. Tutorial shows how to restore files and folders from system backup. Often it is not needed to restore entire system when onl…
This tutorial will walk an individual through the process of installing the necessary services and then configuring a Windows Server 2012 system as an iSCSI target. To install the necessary roles, go to Server Manager, and select Add Roles and Featu…

746 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

15 Experts available now in Live!

Get 1:1 Help Now