I'm looking into this: http://technet.microsoft.com/en-us/library/cc778124(v=ws.10).aspx

Which I wasn't aware of before. Looks like what I was interested in, but then I read this:

"This setting does not have any impact on ldap_simple_bind or ldap_simple_bind_s. No Microsoft LDAP clients that are shipped with Windows XP Professional use ldap_simple_bind or ldap_simple_bind_s to talk to a domain controller."

So for example if you use LDP to do a simple bind, it will use ldap_simple_bind_s. So what is to stop a third-party application from sending a request like that?

Christopher Bodnar
Enterprise Architect I, Corporate Office of Technology: Enterprise Architecture and Engineering Services
Tel 610-807-6459
3900 Burgess Place, Bethlehem, PA 18017
christopher_bod...@glic.com
The Guardian Life Insurance Company of America
www.guardianlife.com


From: "Michael B. Smith" <mich...@smithcons.com>
To: "NT System Admin Issues" <ntsysadmin@lyris.sunbelt-software.com>
Date: 04/09/2013 09:58 AM
Subject: RE: AD Simple LDAP authentication question

+1

My question was directed more to the fact that any "Authenticated User" has pretty much full read-access to AD anyway.

-----Original Message-----
From: Ben Scott [mailto:mailvor...@gmail.com]
Sent: Monday, April 8, 2013 7:14 PM
To: NT System Admin Issues
Subject: Re: AD Simple LDAP authentication question

On Mon, Apr 8, 2013 at 4:03 PM, Christopher Bodnar <christopher_bod...@glic.com> wrote:
> I know that AD supports both Simple and SASL methods for LDAP binds:
>
> http://msdn.microsoft.com/en-us/library/cc223499.aspx
>
> What surprised me is that there doesn't seem to be a way to disable
> the Simple method. It supports SSL/TLS but does not require it.

Is that correct? I don't really know, but I do know that our Windows 2008 R2 domain controllers log the event below once a day. I know what's causing it and haven't cared enough to do something about it. The link takes you to a KB article which tells you how to require *signing*. It talks a lot about simple binds but doesn't explicitly say that requiring signing also causes it to reject simple binds, but seems to imply it pretty strongly.

Source: ActiveDirectory_DomainService
Event ID: 2886
---------------------------------------------------------------------
The security of this directory server can be significantly enhanced by configuring the server to reject SASL (Negotiate, Kerberos, NTLM, or Digest) LDAP binds that do not request signing (integrity verification) and LDAP simple binds that are performed on a cleartext (non-SSL/TLS-encrypted) connection. Even if no clients are using such binds, configuring the server to reject them will improve the security of this server.

Some clients may currently be relying on unsigned SASL binds or LDAP simple binds over a non-SSL/TLS connection, and will stop working if this configuration change is made. To assist in identifying these clients, if such binds occur this directory server will log a summary event once every 24 hours indicating how many such binds occurred. You are encouraged to configure those clients to not use such binds. Once no such events are observed for an extended period, it is recommended that you configure the server to reject such binds.

For more details and information on how to make this configuration change to the server, please see http://go.microsoft.com/fwlink/?LinkID=87923.

You can enable additional logging to log an event each time a client makes such a bind, including information on which client made the bind. To do so, please raise the setting for the "LDAP Interface Events" event logging category to level 2 or higher.
----------------------------------------------------------------------

FWIW, YMMV, HTH, HAND, AT&T.

-- Ben

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
---
To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe ntsysadmin
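As an added example, not part of the thread above, this PowerShell script walks the procedure Event 2886 describes from the domain controller side: pull the daily summary events, raise the "LDAP Interface Events" diagnostics level to 2, and then group the resulting per-client events by source and bind type so the offending applications can be found before signing is enforced. It assumes the per-client events are ID 2889 with the client address, identity and bind type in the first three event properties, and that the summary-count event is ID 2887; the LDAPServerIntegrity registry value is the policy backing the "require signing" setting the KB article covers.

```powershell
# Added example (not from the thread): audit unsigned/simple LDAP binds on a domain
# controller the way Event 2886 suggests. Run locally on the DC as an administrator.
# Assumptions: per-client bind events are ID 2889 with Properties[0] = "client IP:port",
# Properties[1] = identity bound as, Properties[2] = bind type (0 = simple over cleartext,
# 1 = SASL without signing); the 24-hour count event is ID 2887.
$log = 'Directory Service'

# Current enforcement state: 1 = signing not required (the default the thread worries
# about), 2 = signing required, which is what the linked KB article configures.
$params = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$integrity = (Get-ItemProperty -Path $params -Name 'LDAPServerIntegrity' -ErrorAction SilentlyContinue).LDAPServerIntegrity
"LDAPServerIntegrity = $integrity (1 = none, 2 = require signing)"

# 2886 = the daily reminder quoted in the thread, 2887 = how many such binds occurred.
Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 2886, 2887 } -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { $_.Message.Split("`n")[0].Trim() } } |
    Format-Table -AutoSize

# Raise "LDAP Interface Events" to level 2 so every unsigned SASL or cleartext simple bind
# is logged with the client that made it (the step Event 2886 recommends).
$diag = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'
Set-ItemProperty -Path $diag -Name '16 LDAP Interface Events' -Value 2 -Type DWord

# After the clients have had time to bind again, group the per-client events
# (assumed ID 2889) so each source address and bind type is listed once with a count.
$perClient = Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 2889; StartTime = (Get-Date).AddDays(-1) } -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Client   = ("$($_.Properties[0].Value)" -split ':')[0]
            Identity = "$($_.Properties[1].Value)"
            BindType = if ("$($_.Properties[2].Value)" -eq '0') { 'Simple (cleartext)' } else { 'SASL unsigned' }
        }
    }

$perClient | Group-Object Client, BindType | Sort-Object Count -Descending |
    Select-Object Count, Name, @{ n = 'Identities'; e = { ($_.Group.Identity | Sort-Object -Unique) -join ', ' } } |
    Format-Table -AutoSize
```

Once the 2889 list is empty for an extended period, the server can be switched to reject such binds, which is the final step the event text recommends.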