Solved

Turning off LDAP Anonymous Directory Access Permitted on Windows Server 2013 R2

Posted on 2016-10-31
264 Views
Last Modified: 2016-11-14

Question by: rjordanbots
How do you turn off anonymous LDAP access on a Windows Server 2013 R2 Domain Controller?
6 Comments
 
LVL 58

Expert Comment

by:Cliff Galiher
ID: 41867709
That is the default configuration. Anonymous access has to be explicitly granted, and usually there is no good reason to do so.
 

Author Comment

by:rjordanbots
ID: 41867718
Sorry, I meant Windows Server 2012 R2
 
LVL 58

Expert Comment

by:Cliff Galiher
ID: 41867737
Yeah. Since there is no 2013, I knew what you meant. Same answer.
 

Author Comment

by:rjordanbots
ID: 41868697
We had a security company come in and do a network assessment; this was one of the issues on the assessment that my boss wanted me to fix. I realize it is a default config. He did an ldapsearch to anonymously connect to the LDAP service and pulled the Directory Information Tree. I'm just not sure how to go about turning this anonymous access off, though. Or why do you say there isn't a good reason to do so? This is not for the DSE Root account.
 
LVL 41

Accepted Solution

by: Adam Brown (earned 500 total points)
ID: 41870742
If someone enabled Anonymous LDAP binds on your AD in the past, it can be disabled by opening ADSIEdit and connecting to the configuration partition, then navigating to Services > Windows NT > Directory Service. Right-click and select Properties. Go to the Attributes tab and check the dsHeuristics attribute. If it is set to 2, anonymous access to LDAP is enabled. Set it to 0 and that will disable it. Note, though, that despite the fact that Anonymous users can perform an LDAP bind if this is set to allow it, they are still limited to actions that are allowed to the anonymous user group.
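The ADSIEdit steps above can also be done from PowerShell, which is handy when you want to audit every forest before touching anything. The script below is an added example, not part of the accepted answer or anything Microsoft ships; it assumes the ActiveDirectory RSAT module and Domain Admin rights, and the `-Remediate` switch is a name chosen here. One detail the thread leaves out: dsHeuristics is a positional string, and it is the 7th character (fLDAPBlockAnonOps) that permits anonymous LDAP operations when set to `2`, so the script changes only that position rather than overwriting the whole attribute.

```powershell
# Added example: audit (and optionally clear) the dsHeuristics flag that permits
# anonymous LDAP operations in Active Directory.
# Assumes: ActiveDirectory module (RSAT), Domain Admin rights, run against a DC.

[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Remediate   # without this switch the script only reports (assumed switch name)
)

Import-Module ActiveDirectory -ErrorAction Stop

# CN=Directory Service,CN=Windows NT,CN=Services,<configuration partition>
$configNC = (Get-ADRootDSE).configurationNamingContext
$dsPath   = "CN=Directory Service,CN=Windows NT,CN=Services,$configNC"

$dsObject   = Get-ADObject -Identity $dsPath -Properties dsHeuristics
$heuristics = [string]$dsObject.dsHeuristics   # $null becomes "" when the attribute is unset

# dsHeuristics is positional; the 7th character (fLDAPBlockAnonOps) controls
# anonymous LDAP operations. '2' permits them; anything else, including an
# absent attribute, keeps the secure default.
$anonFlag = if ($heuristics.Length -ge 7) { $heuristics[6] } else { '0' }

Write-Host "dsHeuristics           : '$heuristics'"
Write-Host "Anonymous LDAP ops flag: '$anonFlag'"

if ($anonFlag -ne '2') {
    Write-Host "Anonymous LDAP operations are NOT enabled (default)." -ForegroundColor Green
    return
}

Write-Warning "Anonymous LDAP operations are ENABLED in this forest."

if (-not $Remediate) {
    Write-Host "Re-run with -Remediate to clear the flag."
    return
}

# Change only position 7; other positions carry unrelated settings,
# so never blank the whole string.
$chars    = $heuristics.ToCharArray()
$chars[6] = '0'
$newValue = -join $chars

if ($PSCmdlet.ShouldProcess($dsPath, "Set dsHeuristics to '$newValue'")) {
    Set-ADObject -Identity $dsPath -Replace @{ dsHeuristics = $newValue }
    Write-Host "dsHeuristics updated; the change replicates forest-wide."
    Write-Host "Anonymous binds still succeed (rootDSE), but anonymous searches are now refused."
}
```

Run it with no arguments first to see the current value; `-Remediate -WhatIf` shows the exact attribute write before it happens. The attribute lives in the configuration partition, so one change covers every domain controller in the forest once replication completes.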
 

Author Closing Comment

by:rjordanbots
ID: 41886893
Thanks, Adam, this fixed the solution, appreciate it.