I don't think it would take all that many clients if they used a threaded app that spawned a bunch of simultaneous sessions to different DCs. Heck, I've seen a single client cause the number of queries per second on a DC to go from 80 to ~1000 for a 30 minute span. Now this didn't cause the CPU to spike greatly, but it did cause other clients using that DC to get intermittent AD/LDAP errors.
As far as denying IPs, that was available in W2K, but it was removed (at least from ntdsutil) in W2K3. I was told that it wouldn't be supported anymore in W2K3 (I haven't tested to see if it works still). That would be unfortunate if it isn't supported.

Robbie Allen

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
> Sent: Thursday, December 11, 2003 5:38 PM
> To: '[EMAIL PROTECTED]'
> Subject: RE: AD as a possible target of attack? RE: [ActiveDir] Virus software on DC
>
> The problem with the built-in security model is that in most environments it's easy to get around it by using one of the various LocalSystem escalations on the DC. All of a sudden the ACLs are meaningless, and AD will happily replicate the corrupted data for you.
>
> It's hard to do a system-wide denial-of-service by flooding the DCs with queries (I assume this is what you were talking about) because of the number of clients you would have to bring to bear. It takes a lot of clients to generate enough traffic to kill a DC, and a lot more to kill all the DCs in the system. And if the clients are connected to the DCs via slower WAN links, it's probably impossible.
>
> You can disable anonymous queries (already done by default in W2K3), and you can configure IP addresses to deny connections from, but I don't know of a way to limit the number of LDAP queries per second. Sounds like a cool feature.
>
> -gil
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
> Sent: Thursday, December 11, 2003 2:36 PM
> To: '[EMAIL PROTECTED]'
> Subject: RE: AD as a possible target of attack? RE: [ActiveDir] Virus software on DC
>
> I'm not as worried about malicious, entry-changing attacks due to the built-in security model. It's cake and pie to do a denial of service attack against an LDAP system.
> Add to that a simple DNS query to find all the DCs, and the whole domain drops like a lead-filled balloon.
>
> Is there a way to limit the number of LDAP queries per second on a DC, at least from a specific source address?
>
> Roger
> --------------------------------------------------------------
> Roger D. Seielstad - MTS MCSE MS-MVP
> Sr. Systems Administrator
> Inovis Inc.
>
> > -----Original Message-----
> > From: GRILLENMEIER,GUIDO (HP-Germany,ex1) [mailto:[EMAIL PROTECTED]
> > Sent: Thursday, December 11, 2003 4:14 PM
> > To: [EMAIL PROTECTED]
> > Subject: RE: AD as a possible target of attack? RE: [ActiveDir] Virus software on DC
> >
> > I don't even think you have to restrict the AD-related virus issue to the file-system.
> >
> > Something that your AV tools won't help you with is a "virus" that simply runs malicious LDAP queries - i.e. changing all kinds of attributes on objects in AD or even deleting a whole lot of objects at once... Obviously this virus would only be harmful for users with appropriate permissions on the AD objects.
> >
> > Again, AD will ensure that these malicious changes are replicated to all DCs and you could end up with quite a disaster which is certainly not very easy to recover from.
> >
> > /Guido
> >
> > -----Original Message-----
> > From: Tony Murray [mailto:[EMAIL PROTECTED]
> > Sent: Thursday, 11 December 2003 14:55
> > To: [EMAIL PROTECTED]
> > Subject: Re: AD as a possible target of attack? RE: [ActiveDir] Virus software on DC
> >
> > > DO scan your DCs and reconsider excluding things like the Sysvol
> >
> > I fully agree with you here, John. I have seen for myself how good FRS is at distributing viruses throughout the infrastructure in a short period of time!! Some of the major AV vendors previously had products that caused problems when scanning SYSVOL, but the recent offerings have resolved this.
> > Bottom line: there is no good reason not to include SYSVOL (as long as you've checked with your AV vendor first).
> >
> > Tony
> >
> > ---------- Original Message ----------------------------------
> > From: NNYCGPKYLEJGDGVCJVTLBXFGGMEPYOQKEDOTWFAOBUZXU
> > Reply-To: [EMAIL PROTECTED]
> > Date: Wed, 10 Dec 2003 23:18:52 +0100
> >
> > I totally agree with all the guys out there that urge you to scan your DCs!!! I've been thinking about this issue for some time and I've come to the conclusion that Active Directory would be THE IDEAL target for a virus attack. The robustness of AD replication makes it the ideal distribution mechanism for viruses. Hey ... distributing viruses by mail is ancient technology ;-). Why not use the intense integration of Exchange 2000+ and AD to transport a virus from Exchange to AD?
> >
> > No guys... I'm very serious! DO scan your DCs and reconsider excluding things like the Sysvol because this is another possible target for the sick minds out there that like to screw up enterprise environments! It's only a matter of time before the first AD virus is a fact of life we have to deal with!
> >
> > So go out and check (before you go to bed) whether or not dat-file updates are really succeeding ;-).
> >
> > Cheers!
> > John
> >
> > -----Original Message-----
> > From: WLSZLKBRNVW
> > To: [EMAIL PROTECTED]
> > Sent: 10-12-2003 18:07
> > Subject: RE: [ActiveDir] Virus software on DC
> >
> > Sorry, I have to throw in my two cents. I exclude the sysvol/sysvol folder and sub-folders, but run the real-time scanner on everything else. These two folders deal with replication and are too volatile to play with.
> > S
> >
> > *****************************************
> > Steve Shaff
> > Active Directory / Exchange Administrator
> > Corillian Corporation
> > (W) 503.629.3538 (C) 503.807.4797 (F) 503.629.3674
> >
> > -----Original Message-----
> > From: WCUFPEGAUTFJMVRESKPNKMBIPBARHDMNNS [mailto:[EMAIL PROTECTED] On Behalf Of Burkes, Jeremy [contractor]
> > Sent: Wednesday, December 10, 2003 8:52 AM
> > To: [EMAIL PROTECTED]
> > Subject: RE: [ActiveDir] Virus software on DC
> >
> > Same here, never had any problems either.
> >
> > Jeremy
> >
> > -----Original Message-----
> > From: KVFVWRKJVZCMHVIBGDADRZFSQHYUCDDJBLVLMHAALPTCXLYRWTQTIPWI
> > Sent: Wednesday, December 10, 2003 11:47 AM
> > To: [EMAIL PROTECTED]
> > Subject: RE: [ActiveDir] Virus software on DC
> >
> > We run Symantec AV corporate edition and don't exclude any directories. We haven't had any problems related to AV software......
> >
> > -----Original Message-----
> > From: GYOKSTTZRCLBDXRQBGJSNBOHMKHJYFMYXO [mailto:[EMAIL PROTECTED] On Behalf Of Free, Bob
> > Sent: Wednesday, December 10, 2003 11:42 AM
> > To: [EMAIL PROTECTED]
> > Subject: RE: [ActiveDir] Virus software on DC
> >
> > > What directories should I not be scanning?
> >
> > We use the exclusions in this list:
> >
> > 822158 - Virus Scanning Recommendations on a Windows 2000 Domain Controller:
> > http://support.microsoft.com/default.aspx?scid=kb;en-us;822158
> >
> > ________________________________
> >
> > From: EAIJJPHSCRTNHGSWZIDREXCAXZOWCONEUQZAAFX
> > Sent: Wednesday, December 10, 2003 8:30 AM
> > To: [EMAIL PROTECTED]
> > Subject: RE: [ActiveDir] Virus software on DC
> >
> > We run Trend here. Never have run into any issues and we are using the realtime scan. Just out of curiosity though, I am scanning all except for a few select dirs. What directories should I not be scanning?
> >
> > John Parker, MCSE
> > IS Admin.
> > Senior Technical Specialist
> > Alpha Display Systems.
> >
> > Alpha Video
> > 7711 Computer Ave.
> > Edina, MN. 55435
> >
> > 952-896-9898 Local
> > 800-388-0008 Watts
> > 952-896-9899 Fax
> > 612-804-8769 Cell
> > 952-841-3327 Direct
> >
> > [EMAIL PROTECTED]
> > "Be excellent to each other"
> > ---End of Line---
> >
> > -----Original Message-----
> > From: ISHJEXXIMQZUIVOTQNQEMSFDULHPQQWOYIYZUNNYCG
> > Sent: Wednesday, December 10, 2003 10:24 AM
> > To: [EMAIL PROTECTED]
> > Subject: RE: [ActiveDir] Virus software on DC
> >
> > I do, but I exclude the AD files, and I do not have real-time scanning enabled, just periodic scheduled scans. Does not seem to cause any problems.
> >
> > <mc>
> >
> > -----Original Message-----
> > From: PKYLEJGDGVCJVTLBXFGGMEPYOQKEDOTWFAOBUZXUWLS
> > Sent: Wednesday, December 10, 2003 11:17 AM
> > To: [EMAIL PROTECTED]
> > Subject: [ActiveDir] Virus software on DC
> >
> > This may be a dumb question, but do you guys have virus scanning software on your DCs? I have been confused if the virus scanner slows the machine down or not.
> > Thanks
> >
> > List info : http://www.activedir.org/mail_list.htm
> > List FAQ : http://www.activedir.org/list_faq.htm
> > List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
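Roger asks whether LDAP queries per second from one source can be limited, and Robbie describes a single client pushing a DC from 80 to ~1000 queries per second; short of a rate limit, the defensive step available is to notice that pattern quickly. The following is an added example, not code from the thread or from Microsoft: a per-source sliding-window rate check over a constructed query log in the shape `<epoch_seconds> <client_ip>` (a DC's own logging would have to be exported into that shape first); the window length, threshold and addresses are assumptions.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 10      # sliding window per source (assumed value)
PER_SOURCE_LIMIT = 500   # queries from one source per window before flagging (assumed)

def parse_records(lines):
    """Parse constructed '<epoch_seconds> <client_ip>' lines into sorted (int, str) tuples."""
    out = []
    for line in lines:
        line = line.strip()
        if line and not line.startswith("#"):
            ts, ip = line.split()
            out.append((int(ts), ip))
    return sorted(out)

def queries_per_second(records):
    """DC-wide query rate as {second: count}; a jump like 80 -> ~1000 shows up here."""
    rate = defaultdict(int)
    for ts, _ in records:
        rate[ts] += 1
    return dict(rate)

def flag_noisy_sources(records, window=WINDOW_SECONDS, limit=PER_SOURCE_LIMIT):
    """Return {ip: first_timestamp_over_limit} using a sliding window per client."""
    recent = defaultdict(deque)
    flagged = {}
    for ts, ip in records:          # records are sorted by time
        q = recent[ip]
        q.append(ts)
        while q[0] <= ts - window:  # drop queries that fell out of the window
            q.popleft()
        if len(q) > limit and ip not in flagged:
            flagged[ip] = ts
    return flagged

def constructed_log():
    """Constructed sample: 80 qps from 80 hosts for 20 s, plus one host adding 1000 qps from t=10."""
    lines = ["# epoch_seconds client_ip"]
    for t in range(20):
        lines += [f"{t} 10.0.0.{i}" for i in range(1, 81)]
        if t >= 10:
            lines += [f"{t} 10.0.5.5"] * 1000
    return lines

if __name__ == "__main__":
    recs = parse_records(constructed_log())
    print(flag_noisy_sources(recs))                                   # {'10.0.5.5': 10}
    print(queries_per_second(recs)[9], queries_per_second(recs)[10])  # 80 1080
```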