Solved

Turning off LDAP Anonymous Directory Access Permitted on Windows Server 2013 R2

Posted on 2016-10-31
81 Views
Last Modified: 2016-11-14
How do you turn off LDAP anonymous on Windows Server 2013 R2 Domain Controller?
Question by:rjordanbots
6 Comments
LVL 57

Expert Comment

by:Cliff Galiher
ID: 41867709
That is the default configuration. Anonymous access has to be explicitly granted, and usually there is no good reason to do so.

Author Comment

by:rjordanbots
ID: 41867718
Sorry, I meant Windows Server 2012 R2
LVL 57

Expert Comment

by:Cliff Galiher
ID: 41867737
Yeah. Since there is no 2013, I knew what you meant. Same answer.
Author Comment

by:rjordanbots
ID: 41868697
We had a security company come in and do a network assessment, and this was one of the issues on the assessment that my boss wanted me to fix. I realize it is a default config. He did an ldapsearch to anonymously connect to the LDAP service and pulled the Directory Information Tree. I'm just not sure how to go about turning this anonymous access off, though. Or why do you say there isn't a good reason to do so? This is not for the RootDSE account.
LVL 39

Accepted Solution

by:Adam Brown (earned 500 total points)
ID: 41870742
If someone enabled anonymous LDAP binds on your AD in the past, it can be disabled by opening ADSIEdit, connecting to the Configuration partition, and then navigating to Services > Windows NT > Directory Service. Right-click it and select Properties. Go to the Attributes tab and check the dsHeuristics attribute. If it is set to 2, anonymous access to LDAP is enabled. Set it to 0 and that will disable it. Note, though, that even though anonymous users can perform an LDAP bind if this is set to allow it, they are still limited to actions that are allowed to the anonymous user group.
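The accepted answer walks through the ADSIEdit route. As an added example (not code from the thread or from any of its posters), the same audit and fix can be scripted with the RSAT ActiveDirectory module, which is handy when you want to check every forest from a scheduled job rather than click through ADSIEdit. It relies on a documented detail the answer only gestures at: dsHeuristics is a string of single-character flags, and the seventh character is the one that governs anonymous LDAP operations (2 = allowed, 0 or absent = default, anonymous bind limited to RootDSE). The script assumes it runs as an account permitted to modify the Configuration partition; the function names are my own.

```powershell
# Added example (not from the thread): audit and optionally remediate the
# dsHeuristics anonymous-LDAP flag described in the accepted answer.
# Assumes the RSAT ActiveDirectory module and an account allowed to modify
# the Configuration partition (Enterprise Admins by default).
Import-Module ActiveDirectory

function Get-DsHeuristicsObject {
    # The attribute lives on CN=Directory Service under the forest's
    # Configuration partition, the same object the answer edits in ADSIEdit.
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $dn = "CN=Directory Service,CN=Windows NT,CN=Services,$configNC"
    Get-ADObject -Identity $dn -Properties dsHeuristics
}

function Test-AnonymousLdapEnabled {
    param([string]$DsHeuristics)
    # dsHeuristics is a string of flags. The 7th character (index 6) controls
    # anonymous LDAP operations: '2' enables them. '0', or a string shorter
    # than seven characters, is the default (anonymous bind sees RootDSE only).
    return ($DsHeuristics.Length -ge 7 -and $DsHeuristics[6] -eq '2')
}

function Disable-AnonymousLdap {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()

    $obj     = Get-DsHeuristicsObject
    $current = [string]$obj.dsHeuristics
    Write-Host "Current dsHeuristics: '$current'"

    if (-not (Test-AnonymousLdapEnabled -DsHeuristics $current)) {
        Write-Host "Anonymous LDAP operations are already disabled (default). Nothing to do."
        return
    }

    # Replace only the 7th character so any other flags set in the string
    # (which control unrelated behaviours) are preserved.
    $chars    = $current.ToCharArray()
    $chars[6] = '0'
    $new      = -join $chars

    if ($PSCmdlet.ShouldProcess($obj.DistinguishedName, "Set dsHeuristics to '$new'")) {
        Set-ADObject -Identity $obj.DistinguishedName -Replace @{ dsHeuristics = $new }
        Write-Host "dsHeuristics updated to '$new'. Anonymous LDAP operations disabled."
    }
}

# Preview the change first (-WhatIf), then run without it to apply.
Disable-AnonymousLdap -WhatIf
# Disable-AnonymousLdap
```

Because the object sits in the Configuration partition, one edit replicates to every domain controller in the forest, so run it once and then re-check with ADSIEdit as the answer describes (or by calling Test-AnonymousLdapEnabled against a DC in another site after replication). The check function on its own is useful as a periodic compliance probe: the assessment finding in this thread is exactly the sort of drift it would catch.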

Author Closing Comment

by:rjordanbots
ID: 41886893
Thanks, Adam, this fixed the solution, appreciate it.