+1

ASB
http://XeeMe.com/AndrewBaker
Providing Virtual CIO Services (IT Operations & Information Security) for the SMB market...

On Tue, Apr 9, 2013 at 10:34 AM, Michael B. Smith <[email protected]> wrote:

> Absolutely nothing, unless you've done this:
>
> http://support.microsoft.com/kb/935834
>
> But if that third party application is running in your forest already, it
> doesn't even need that.
>
> From: Christopher Bodnar [mailto:[email protected]]
> Sent: Tuesday, April 9, 2013 10:28 AM
> To: NT System Admin Issues
> Subject: RE: AD Simple LDAP authentication question
>
> I'm looking into this:
>
> http://technet.microsoft.com/en-us/library/cc778124(v=ws.10).aspx
>
> Which I wasn't aware of before. Looks like what I was interested in, but
> then I read this:
>
> "This setting does not have any impact on ldap_simple_bind or
> ldap_simple_bind_s. No Microsoft LDAP clients that are shipped with Windows
> XP Professional use ldap_simple_bind or ldap_simple_bind_s to talk to a
> domain controller."
>
> So for example if you use LDP to do a simple bind, it will use
> ldap_simple_bind_s. So what is to stop a 3rd party application from sending
> a request like that?
>
> Christopher Bodnar
> Enterprise Architect I, Corporate Office of Technology: Enterprise
> Architecture and Engineering Services
> Tel 610-807-6459
> 3900 Burgess Place, Bethlehem, PA 18017
> [email protected]
> The Guardian Life Insurance Company of America
> www.guardianlife.com
>
> From: "Michael B. Smith" <[email protected]>
> To: "NT System Admin Issues" <[email protected]>
> Date: 04/09/2013 09:58 AM
> Subject: RE: AD Simple LDAP authentication question
> ------------------------------
>
> +1
>
> My question was directed more to the fact that any "Authenticated User"
> has pretty much full read-access to AD anyway.
>
> -----Original Message-----
> From: Ben Scott [mailto:[email protected]]
> Sent: Monday, April 8, 2013 7:14 PM
> To: NT System Admin Issues
> Subject: Re: AD Simple LDAP authentication question
>
> On Mon, Apr 8, 2013 at 4:03 PM, Christopher Bodnar <[email protected]> wrote:
> > I know that AD supports both Simple and SASL methods for LDAP binds:
> >
> > http://msdn.microsoft.com/en-us/library/cc223499.aspx
> >
> > What surprised me is that there doesn't seem to be a way to disable
> > the Simple method. It supports SSL/TLS but does not require it. Is that
> > correct?
>
> I don't really know, but I do know that our Windows 2008 R2 domain
> controllers log the event below once a day. I know what's causing it and
> haven't cared enough to do something about it. The link takes you to a KB
> article which tells you how to require *signing*. It talks a lot about
> simple binds but doesn't explicitly say that requiring signing also causes
> it to reject simple binds, but seems to imply it pretty strongly.
>
> Source: ActiveDirectory_DomainService
> Event ID: 2886
> ---------------------------------------------------------------------
> The security of this directory server can be significantly enhanced by
> configuring the server to reject SASL (Negotiate, Kerberos, NTLM, or
> Digest) LDAP binds that do not request signing (integrity
> verification) and LDAP simple binds that are performed on a cleartext
> (non-SSL/TLS-encrypted) connection. Even if no clients are using such
> binds, configuring the server to reject them will improve the security of
> this server.
>
> Some clients may currently be relying on unsigned SASL binds or LDAP
> simple binds over a non-SSL/TLS connection, and will stop working if this
> configuration change is made. To assist in identifying these clients, if
> such binds occur this directory server will log a summary event once every
> 24 hours indicating how many such binds occurred.
> You are encouraged to configure those clients to not use such binds.
> Once no such events are observed for an extended period, it is
> recommended that you configure the server to reject such binds.
>
> For more details and information on how to make this configuration change
> to the server, please see http://go.microsoft.com/fwlink/?LinkID=87923.
>
> You can enable additional logging to log an event each time a client makes
> such a bind, including information on which client made the bind. To do
> so, please raise the setting for the "LDAP Interface Events" event logging
> category to level 2 or higher.
> ----------------------------------------------------------------------
>
> FWIW, YMMV, HTH, HAND, AT&T.
>
> -- Ben
>
> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
>
> ---
> To manage subscriptions click here:
> http://lyris.sunbelt-software.com/read/my_forums/
> or send an email to [email protected]
> with the body: unsubscribe ntsysadmin
>
> -----------------------------------------
> This message, and any attachments to it, may contain information that is
> privileged, confidential, and exempt from disclosure under applicable law.
> If the reader of this message is not the intended recipient, you are
> notified that any use, dissemination, distribution, copying, or
> communication of this message is strictly prohibited. If you have received
> this message in error, please notify the sender immediately by return
> e-mail and delete the message and any attachments. Thank you.
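A defender-side check for the situation the thread describes, added here as an example; it is not code from any of the posters. It reads the signing-requirement setting that KB 935834 controls, reads the "LDAP Interface Events" diagnostic level that event 2886 tells you to raise, and summarises the related Directory Service events so you can see which clients would break before flipping signing to "required". Assumptions not taken from the thread: the registry locations (`LDAPServerIntegrity` under `NTDS\Parameters`, `16 LDAP Interface Events` under `NTDS\Diagnostics`), the companion event ids 2887 (daily count) and 2889 (per-client, only at level 2 or higher), and the field names matched in the 2889 message text all come from Microsoft's documentation as I recall it; verify them against your own DCs before relying on the output.

```powershell
# Added example, not part of the thread. Run as an administrator on a DC.
# Assumed registry locations and event ids (verify against Microsoft docs):
#   HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\LDAPServerIntegrity
#       1 = signing not required, 2 = required (the KB 935834 setting)
#   HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics\"16 LDAP Interface Events"
#       2 or higher = log one event per unsigned/simple bind (event 2886's advice)
#   Events: 2886 daily advisory (quoted in the thread), 2887 daily count,
#           2889 per-client bind event (only when the level above is >= 2)
param(
    [switch]$EnablePerClientLogging,   # raise the diagnostic level to 2
    [int]$Days = 7                     # how far back to look in the log
)

$paramKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$diagKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'
$diagName = '16 LDAP Interface Events'

# 1. Is the server already rejecting unsigned SASL / cleartext simple binds?
$integrity = (Get-ItemProperty -Path $paramKey -Name 'LDAPServerIntegrity' `
                -ErrorAction SilentlyContinue).LDAPServerIntegrity
if ($integrity -eq 2) {
    'LDAP server signing: REQUIRED'
} else {
    "LDAP server signing: not required (LDAPServerIntegrity = $integrity)"
}

# 2. Current "LDAP Interface Events" diagnostic level
$level = (Get-ItemProperty -Path $diagKey -Name $diagName `
            -ErrorAction SilentlyContinue).$diagName
"LDAP Interface Events level: $level"

# 3. Related events from the Directory Service log over the last $Days days
$since  = (Get-Date).AddDays(-$Days)
$events = Get-WinEvent -FilterHashtable @{
              LogName   = 'Directory Service'
              Id        = 2886, 2887, 2889
              StartTime = $since
          } -ErrorAction SilentlyContinue

$events | Group-Object -Property Id | ForEach-Object {
    $latest = ($_.Group | Sort-Object TimeCreated -Descending | Select-Object -First 1).TimeCreated
    '{0,-5} count={1,-4} latest={2}' -f $_.Name, $_.Count, $latest
}

# 4. With per-client logging on, each 2889 names the client and the account
#    it bound as; list the distinct ones so the clients can be fixed first.
#    The two field labels below are assumed from the documented 2889 text.
$events |
    Where-Object { $_.Id -eq 2889 } |
    ForEach-Object {
        ($_.Message -split '\r?\n') |
            Where-Object { $_ -match 'Client IP address|Identity the client attempted' }
    } |
    Sort-Object -Unique

# 5. Optionally raise the level so future unsigned/simple binds are logged
#    individually, as the 2886 text recommends.
if ($EnablePerClientLogging -and ($level -lt 2)) {
    Set-ItemProperty -Path $diagKey -Name $diagName -Value 2 -Type DWord
    "Set '$diagName' to 2; unsigned/simple binds will now be logged as event 2889."
}
```

Run it once without the switch to see the current state and the daily counts; run it with `-EnablePerClientLogging` on a DC where the 2887 count is non-zero, wait a day, and the step 4 list tells you which clients still need to be moved to signed or TLS-protected binds before the server is set to reject them.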
