|
Posted by Alun Jones on October 18, 2005, 10:55 am
Please log in for more thread options Denial of Service is always a possibility. Consider someone simply firing
off connections - the classic SYN attack - to overload your LDAP server.
Yes, that will cause your LDAP server to become unreliable, in the strictest
sense that sometimes it will respond to requests, and other times it will be
unable to do so.
As for "no ability to stop them", that's going rather far. All ("all") you
have to do is monitor your network for suspicious behaviour, track down the
perpetrator, and then march over there with a couple of security and HR
personnel so that you can fire his arse for breaching your corporate
security policy. You do have a corporate security policy, don't you? You
do have an IDS in place to monitor rogue traffic, yes?
Alun.
~~~~
> Apparently not. So someone writing a rogue LDAP query can bring down and
> domain or enterprise with no ability to stop them. Great.
>
>> So, there's no solution?
>>
>>
>>>I believe you can not realistically do that as an account will at times
>>> be issuing Ldap queries, behind the scenes, sometimes against
>>> the GCs, just to function as a domain client. Also, not all Ldap
>>> queries are authenticated queries so if your objective is to
>>> avoid a potential DoS from malicious queries they may try to
>>> side-step your efforts using unauthenticated binds if they are
>>> allowed to communicate with the ldap and gc ldap ports.
>>>
>>> --
>>> Roger Abell
>>> Microsoft MVP (Windows Server : Security)
>>> MCDBA, MCSE W2k3+W2k+Nt4
>>>> Is there a way to block certain user accounts from performing LDAP
>>>> queries on Active Directory?
>>>>
>>>> If anyone could let me know I would be most appreciative.
>>>>
>>>
>>>
>>
>>
>
>
| 
XML Sitemap