Anonymous LDAP operations in Windows 2003 AD?

Background

By default, anonymous LDAP operations, except rootDSE searches and binds, are not permitted on Windows 2003 domain controllers. This means that when you try to perform an unauthenticated search in Active Directory, you can query only the attributes of the RootDSE object – any other query will result in the domain controller requesting an authenticated bind to LDAP and refusing your query.

This is new behavior compared to Windows 2000 domain controllers, which allowed anonymous operations; there, the query results were limited only by the permissions set on the objects themselves.

"So what is it good for?" you might ask yourself. Well, one of the reasons is minimizing the impact of potential denial of service (DoS) attacks against AD. Consider a malicious application performing an anonymous LDAP query against a domain controller. Theoretically, by crafting a very complicated LDAP filter with a "Sub" (subtree) scope, an attacker could overload the LDAP server, which would result in significant degradation in domain controller performance and even a total denial of service.

Why might you want to enable anonymous binds?

Usually this is desired when you need to provide easy access to a subset of the information stored in AD to third-party applications that are not capable of authenticating to AD, or when the information was intended to be in the public domain from the beginning and you are simply storing it in AD. The scenarios are infinite, but before enabling anonymous operations make sure that you truly understand the implications of this action – the change (though reversible) does increase the security risk to your environment.
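The following script is an added example, not code from the original post. It turns the behaviour described above into an audit a domain administrator can run: it interprets what an unauthenticated client observes (a RootDSE read succeeds, anything else is refused with a request for a bind) and compares that with what the forest is configured to allow. The configuration side relies on a fact the post does not spell out: anonymous operations are switched on through the dsHeuristics attribute of CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,<forest DN>, whose seventh character set to "2" permits them. The host, base DN, diagnostic string and dsHeuristics values in the block are constructed samples, and the optional collector assumes the third-party ldap3 library.

```python
"""Audit anonymous LDAP access posture on an Active Directory domain controller.

Added example (not from the original post). Sample values are constructed.
"""
from dataclasses import dataclass

# dsHeuristics is a positional string; position 7 (1-based) controls anonymous
# LDAP operations. '2' enables them; unset, '0', or a string too short to
# reach position 7 means the hardened Windows 2003 default applies.
ANON_OPS_POSITION = 7
ANON_OPS_ALLOWED = "2"

# LDAP resultCode values from RFC 4511.
LDAP_SUCCESS = 0
LDAP_OPERATIONS_ERROR = 1


def anonymous_ops_allowed(ds_heuristics):
    """Return True if this dsHeuristics value enables anonymous LDAP operations."""
    if not ds_heuristics:                      # attribute absent or empty
        return False
    value = ds_heuristics.strip()
    if len(value) < ANON_OPS_POSITION:         # position never set
        return False
    return value[ANON_OPS_POSITION - 1] == ANON_OPS_ALLOWED


@dataclass
class SearchOutcome:
    """What one unauthenticated search returned."""
    result_code: int       # LDAP resultCode
    diagnostic: str        # server diagnosticMessage, may be empty
    entries_returned: int


def classify_anonymous_search(outcome, base_dn):
    """Map an unauthenticated search result to a posture label.

    'rootdse-only'   : base DN '' (RootDSE) read succeeded; allowed by default
    'hardened'       : DC refused the query and asked for an authenticated bind
    'anonymous-open' : a non-RootDSE search succeeded, so anonymous ops are on
    'other'          : anything else (no such object, referral, timeout, ...)
    """
    if outcome.result_code == LDAP_SUCCESS:
        return "rootdse-only" if base_dn == "" else "anonymous-open"
    # Windows DCs answer with operationsError and a diagnostic containing
    # "a successful bind must be completed on the connection".
    if outcome.result_code == LDAP_OPERATIONS_ERROR and "successful bind" in outcome.diagnostic:
        return "hardened"
    return "other"


def audit(ds_heuristics, samples):
    """Compare configuration with observed behaviour.

    samples: list of (base_dn, SearchOutcome) collected in one anonymous session.
    Returns a dict with the configured state, the set of observed labels and
    human-readable findings. An empty findings list means the hardened default
    is in place and behaving as expected.
    """
    configured_open = anonymous_ops_allowed(ds_heuristics)
    observed = sorted({classify_anonymous_search(o, b) for b, o in samples})
    findings = []
    if configured_open:
        findings.append("dsHeuristics enables anonymous LDAP operations; confirm this is intended "
                        "and that object ACLs limit what anonymous clients can read")
    if "anonymous-open" in observed and not configured_open:
        findings.append("anonymous search succeeded although dsHeuristics does not enable it; "
                        "check which DC answered and whether its configuration differs")
    if "hardened" in observed and configured_open:
        findings.append("DC refused anonymous search although dsHeuristics enables it; "
                        "the change may not have replicated to this DC yet")
    return {"configured_open": configured_open, "observed": observed, "findings": findings}


def collect_with_ldap3(host, base_dn):
    """Optional collector (assumes the ldap3 package; not run in the offline demo).

    Performs an anonymous bind, reads RootDSE, then tries a subtree search of
    base_dn, and returns samples in the shape audit() expects.
    """
    from ldap3 import Server, Connection, BASE, SUBTREE  # third-party
    conn = Connection(Server(host))      # no credentials: anonymous bind
    conn.bind()
    samples = []
    for dn, scope in (("", BASE), (base_dn, SUBTREE)):
        conn.search(dn, "(objectClass=*)", search_scope=scope, attributes=["objectClass"])
        samples.append((dn, SearchOutcome(conn.result["result"], conn.result["message"],
                                          len(conn.entries))))
    return samples


if __name__ == "__main__":
    # Constructed observations from a DC still at the Windows 2003 default.
    demo = [("", SearchOutcome(0, "", 1)),
            ("DC=corp,DC=example", SearchOutcome(1, "000004DC: LdapErr: comment: In order to perform "
             "this operation a successful bind must be completed on the connection., data 0", 0))]
    print(audit("0000000", demo))
```

Run it against a real DC by replacing the constructed samples with `collect_with_ldap3("dc01.corp.example", "DC=corp,DC=example")` and reading dsHeuristics from the configuration partition with an authenticated session; the interesting outputs are the mismatch findings, which point at a DC whose configuration has not replicated or was changed locally.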