Neither that I recall. CPU was around 30-40%. In my experience it is not uncommon to see occasional LDAP errors when the CPU reaches that level on DCs (at least with W2K).
Robbie Allen

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
> Sent: Thursday, December 11, 2003 6:37 PM
> To: '[EMAIL PROTECTED]'
> Subject: RE: AD as a possible target of attack? RE: [ActiveDir] Virus software on DC
>
> I usually have to run about 10 authentication threads on each of 5
> machines to get the CPU over 50% on my 1GHz P3 server. Of course the DIT
> is essentially empty. I suppose that having them issue some complex query
> over a large DIT would alter that picture substantially.
>
> That's interesting that clients were getting intermittent errors even
> though the CPU wasn't pegged. Was the disk or network saturated?
>
> -g
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Robbie Allen (rallen)
> Sent: Thursday, December 11, 2003 4:00 PM
> To: [EMAIL PROTECTED]
> Subject: RE: AD as a possible target of attack? RE: [ActiveDir] Virus software on DC
>
> I don't think it would take all that many clients if they used a threaded
> app that spawned a bunch of simultaneous sessions to different DCs. Heck,
> I've seen a single client cause the number of queries per second on a DC
> to go from 80 to ~1000 for a 30 minute span. Now this didn't cause the CPU
> to spike greatly, but it did cause other clients using that DC to get
> intermittent AD/LDAP errors.
>
> As far as denying IPs, that was available in W2K, but it was removed (at
> least from ntdsutil) in W2K3. I was told that it wouldn't be supported
> anymore in W2K3 (I haven't tested to see if it works still). That would be
> unfortunate if it isn't supported.
>
> Robbie Allen
>
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
> > Sent: Thursday, December 11, 2003 5:38 PM
> > To: '[EMAIL PROTECTED]'
> > Subject: RE: AD as a possible target of attack? RE: [ActiveDir] Virus software on DC
> >
> > The problem with the built-in security model is that in most
> > environments it's easy to get around it by using one of the various
> > LocalSystem escalations on the DC. All of a sudden the ACLs are
> > meaningless, and AD will happily replicate the corrupted data for you.
> >
> > It's hard to do a system wide denial-of-service by flooding the DCs with
> > queries (I assume this is what you were talking about) because of the
> > number of clients you would have to bring to bear. It takes a lot of
> > clients to generate enough traffic to kill a DC, and a lot more to kill
> > all the DCs in the system. And if the clients are connected to the DCs
> > via slower WAN links, it's probably impossible.
> >
> > You can disable anonymous queries (already done by default in W2K3), and
> > you can configure IP addresses to deny connections from, but I don't
> > know of a way to limit the number of LDAP queries per second. Sounds
> > like a cool feature.
> >
> > -gil
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
> > Sent: Thursday, December 11, 2003 2:36 PM
> > To: '[EMAIL PROTECTED]'
> > Subject: RE: AD as a possible target of attack? RE: [ActiveDir] Virus software on DC
> >
> > I'm not as worried about malicious, entry changing attacks due to the
> > built in security model. It's cake and pie to do a denial of service
> > attack against an LDAP system. Add to that a simple DNS query to find
> > all the DC's, and the whole domain drops like a lead filled balloon.
> >
> > Is there a way to limit the number of LDAP queries per second on a DC,
> > at least from a specific source address?
> >
> > Roger
> > --------------------------------------------------------------
> > Roger D. Seielstad - MTS MCSE MS-MVP
> > Sr. Systems Administrator
> > Inovis Inc.
> >
> > > -----Original Message-----
> > > From: GRILLENMEIER,GUIDO (HP-Germany,ex1)
> > > [mailto:[EMAIL PROTECTED]
> > > Sent: Thursday, December 11, 2003 4:14 PM
> > > To: [EMAIL PROTECTED]
> > > Subject: RE: AD as a possible target of attack? RE: [ActiveDir] Virus software on DC
> > >
> > > I don't even think you have to restrict the AD-related virus issue to
> > > the file-system.
> > >
> > > Something that your AV tools won't help you with is a "virus", that
> > > simply runs malicious LDAP queries - i.e. changing all kinds of
> > > attributes on objects in AD or even deleting a whole lot of objects at
> > > once... Obviously this virus would only be harmful for users with
> > > appropriate permissions on the AD objects.
> > >
> > > Again, AD will ensure that these malicious changes are replicated to
> > > all DCs and you could end up with quite a disaster which is certainly
> > > not very easy to recover from.
> > >
> > > /Guido
> > >
> > > -----Original Message-----
> > > From: Tony Murray [mailto:[EMAIL PROTECTED]
> > > Sent: Thursday, 11 December 2003 14:55
> > > To: [EMAIL PROTECTED]
> > > Subject: Re: AD as a possible target of attack? RE: [ActiveDir] Virus software on DC
> > >
> > > > DO scan your DCs and reconsider excluding things like the Sysvol
> > >
> > > I fully agree with you here, John. I have seen for myself how good FRS
> > > is at distributing viruses throughout the infrastructure in a short
> > > period of time!! Some of the major AV vendors previously had products
> > > that caused problems when scanning SYSVOL, but the recent offerings
> > > have resolved this. Bottom line: there is no good reason not to
> > > include SYSVOL (as long as you've checked with your AV vendor first).
> > >
> > > Tony
> > >
> > > ---------- Original Message ----------------------------------
> > > Wrom: NNYCGPKYLEJGDGVCJVTLBXFGGMEPYOQKEDOTWFAOBUZXU
> > > Reply-To: [EMAIL PROTECTED]
> > > Date: Wed, 10 Dec 2003 23:18:52 +0100
> > >
> > > I totally agree with all the guys out there that urge you to scan your
> > > DCs!!! I've been thinking about this issue for some time and I've come
> > > to the conclusion that Active Directory would be THE IDEAL target for
> > > a virus attack. The robustness of AD replication makes it the ideal
> > > distribution mechanism for viruses. Hey ... distributing viruses by
> > > mail is ancient technology ;-). Why not use the intense integration of
> > > Exchange 2000+ and AD to transport a virus from Exchange to AD?
> > >
> > > No guys... I'm very serious! DO scan your DCs and reconsider excluding
> > > things like the Sysvol because this is another possible target for the
> > > sick minds out there that like to screw up enterprise environments!
> > > It's only a matter of time before the first AD virus is a fact of life
> > > we have to deal with!
> > >
> > > So go out and check (before you go to bed) whether or not dat-file
> > > updates are really succeeding ;-).
> > >
> > > Cheers!
> > > John
> > >
> > > -----Original Message-----
> > > Wrom: WLSZLKBRNVW
> > > To: [EMAIL PROTECTED]
> > > Sent: 10-12-2003 18:07
> > > Subject: RE: [ActiveDir] Virus software on DC
> > >
> > > Sorry, I have to throw-in my two cents. I exclude the sysvol/sysvol
> > > folder and sub-folders, but run the real-time scanner on everything
> > > else. These two folders deal with replication and are too volatile to
> > > play with.
> > >
> > > S
> > >
> > > *****************************************
> > > Steve Shaff
> > > Active Directory / Exchange Administrator
> > > Corillian Corporation
> > > (W) 503.629.3538 (C) 503.807.4797 (F) 503.629.3674
> > >
> > > -----Original Message-----
> > > Wrom: WCUFPEGAUTFJMVRESKPNKMBIPBARHDMNNS
> > > [mailto:[EMAIL PROTECTED] On Behalf Of Burkes, Jeremy [contractor]
> > > Sent: Wednesday, December 10, 2003 8:52 AM
> > > To: [EMAIL PROTECTED]
> > > Subject: RE: [ActiveDir] Virus software on DC
> > >
> > > Same here, never had any problems either.
> > >
> > > Jeremy
> > >
> > > -----Original Message-----
> > > Wrom: KVFVWRKJVZCMHVIBGDADRZFSQHYUCDDJBLVLMHAALPTCXLYRWTQTIPWI
> > > Sent: Wednesday, December 10, 2003 11:47 AM
> > > To: [EMAIL PROTECTED]
> > > Subject: RE: [ActiveDir] Virus software on DC
> > >
> > > We run Symantec AV corporate edition and don't exclude any
> > > directories. We haven't had any problems related to AV software......
> > >
> > > -----Original Message-----
> > > Wrom: GYOKSTTZRCLBDXRQBGJSNBOHMKHJYFMYXO
> > > [mailto:[EMAIL PROTECTED] On Behalf Of Free, Bob
> > > Sent: Wednesday, December 10, 2003 11:42 AM
> > > To: [EMAIL PROTECTED]
> > > Subject: RE: [ActiveDir] Virus software on DC
> > >
> > > >What directories should I not be scanning?
> > >
> > > We use the exclusions in this list-
> > >
> > > 822158 - Virus Scanning Recommendations on a Windows 2000 Domain
> > > Controller:
> > > http://support.microsoft.com/default.aspx?scid=kb;en-us;822158
> > >
> > > ________________________________
> > >
> > > Wrom: EAIJJPHSCRTNHGSWZIDREXCAXZOWCONEUQZAAFX
> > > Sent: Wednesday, December 10, 2003 8:30 AM
> > > To: [EMAIL PROTECTED]
> > > Subject: RE: [ActiveDir] Virus software on DC
> > >
> > > We run Trend here.
> > > Never have run into any issues and we are using the realtime scan.
> > > Just out of curiosity though, I am scanning all except for a few
> > > select dirs.
> > > What directories should I not be scanning?
> > >
> > > John Parker, MCSE
> > > IS Admin.
> > > Senior Technical Specialist
> > > Alpha Display Systems.
> > >
> > > Alpha Video
> > > 7711 Computer Ave.
> > > Edina, MN. 55435
> > >
> > > 952-896-9898 Local
> > > 800-388-0008 Watts
> > > 952-896-9899 Fax
> > > 612-804-8769 Cell
> > > 952-841-3327 Direct
> > >
> > > [EMAIL PROTECTED]
> > > "Be excellent to each other"
> > > ---End of Line---
> > >
> > > -----Original Message-----
> > > Wrom: ISHJEXXIMQZUIVOTQNQEMSFDULHPQQWOYIYZUNNYCG
> > > Sent: Wednesday, December 10, 2003 10:24 AM
> > > To: [EMAIL PROTECTED]
> > > Subject: RE: [ActiveDir] Virus software on DC
> > >
> > > I do, but I exclude the AD files, and I do not have real-time scanning
> > > enabled, just periodic scheduled scans. Does not seem to cause any
> > > problems.
> > >
> > > <mc>
> > >
> > > -----Original Message-----
> > > Wrom: PKYLEJGDGVCJVTLBXFGGMEPYOQKEDOTWFAOBUZXUWLS
> > > Sent: Wednesday, December 10, 2003 11:17 AM
> > > To: [EMAIL PROTECTED]
> > > Subject: [ActiveDir] Virus software on DC
> > >
> > > This may be a dumb question, but do you guys have virus scanning
> > > software on your DCs? I have been confused if the virus scanner slows
> > > the machine down or not.
> > > Thanks
> > >
> > > List info : http://www.activedir.org/mail_list.htm
> > > List FAQ : http://www.activedir.org/list_faq.htm
> > > List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
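
The thread asks for a per-source limit on LDAP queries per second and reports a single client taking a DC from 80 to ~1000 queries per second; a monitoring-side view of that is a per-source sliding-window count. This is an added example, not code from any poster in the thread: the (timestamp, source address) record format, the limit of 100 and the 192.0.2.x addresses are assumptions, not an AD log format or setting.

```python
from collections import Counter, defaultdict, deque

WINDOW_MS = 1000  # sliding window length in milliseconds


def per_second_totals(events):
    """Total queries the server saw in each whole second."""
    return Counter(ts // 1000 for ts, _src in events)


def noisy_sources(events, limit=100):
    """Flag sources sending more than `limit` queries within any WINDOW_MS.

    events: (timestamp_ms, source_ip) tuples sorted by time.
    Returns {source_ip: (first_ms_over_limit, peak_queries_in_window)}.
    """
    recent = defaultdict(deque)  # per-source timestamps still inside the window
    flagged = {}
    for ts, src in events:
        q = recent[src]
        q.append(ts)
        # Expire entries older than the window; ts itself always stays.
        while q[0] <= ts - WINDOW_MS:
            q.popleft()
        if len(q) > limit:
            first, peak = flagged.get(src, (ts, 0))
            flagged[src] = (first, max(peak, len(q)))
    return flagged


def constructed_events():
    """Constructed sample: 8 clients at 10 queries/s for 3 s (80 queries/s
    in total), plus one client sending 920 queries in the second that
    starts at t=1000 ms, so the server total for that second is 1000."""
    events = [(t, f"192.0.2.{n}") for n in range(1, 9)
              for t in range(0, 3000, 100)]
    events += [(1000 + i * 1000 // 920, "192.0.2.99") for i in range(920)]
    return sorted(events)


if __name__ == "__main__":
    ev = constructed_events()
    print(dict(per_second_totals(ev)))
    print(noisy_sources(ev))
```

The server-wide total alone shows the jump but not its origin; the per-source window attributes it to one address even though every other client stays at its normal rate.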