Access Control to LDAP on AD?

  • Thread starter Thread starter Guest
  • Start date Start date
G

Guest

Is there a way to block certain user accounts from performing LDAP queries
on Active Directory?

If anyone could let me know I would be most appreciative.
 
I believe you can not realistically do that as an account will at times
be issuing Ldap queries, behind the scenes, sometimes against
the GCs, just to function as a domain client. Also, not all Ldap
queries are authenticated queries so if your objective is to
avoid a potential DoS from malicious queries they may try to
side-step your efforts using unauthenticated binds if they are
allowed to communicate with the ldap and gc ldap ports.
 
So, there's no solution?


Roger Abell said:
I believe you can not realistically do that as an account will at times
be issuing Ldap queries, behind the scenes, sometimes against
the GCs, just to function as a domain client. Also, not all Ldap
queries are authenticated queries so if your objective is to
avoid a potential DoS from malicious queries they may try to
side-step your efforts using unauthenticated binds if they are
allowed to communicate with the ldap and gc ldap ports.
Click to expand...
 
Apparently not. So someone writing a rogue LDAP query can bring down and
domain or enterprise with no ability to stop them. Great.
 
Denial of Service is always a possibility. Consider someone simply firing
off connections - the classic SYN attack - to overload your LDAP server.
Yes, that will cause your LDAP server to become unreliable, in the strictest
sense that sometimes it will respond to requests, and other times it will be
unable to do so.

As for "no ability to stop them", that's going rather far. All ("all") you
have to do is monitor your network for suspicious behaviour, track down the
perpetrator, and then march over there with a couple of security and HR
personnel so that you can fire his arse for breaching your corporate
security policy. You do have a corporate security policy, don't you? You
do have an IDS in place to monitor rogue traffic, yes?

Alun.
~~~~
 
There are also query policies that are already in place that help mitigate
DOS attacks via LDAP. It is possible to tighten these up even further
(limiting the number of query query threads, shortening time outs, etc.).
My experience is that people are more likely to do things to increase their
risk of DOS attack with these and decrease it (increasing maxPageSize and
query timeouts comes to mind), but they can go either way.

It may also be possible to severely limit the objects a normal user in the
domain can find via a search. The trick here is to make sure that it is not
so tightened down that the user no longer functions.

The original poster never explained their goal here, so it wasn't clear what
the right answer should be.

Joe K.
 
Hello,

Thanks for the suggestions. Basically, I'm finding my DC's occasionally
hanging LSASS at 99% and investigation has found that there are developers
using my AD for their security, but their LDAP queries are inefficient and
therefore causing the LSASS spike. It was taking down one of our workhorse
DC's on a regular basis until it was isolated. The problem is, we can't
just turn off access to LDAP, we have to see how we can prevent this from
happening. I just found another one a week ago, not as severe. I cranked
up the LDAP logging and found out who it was, and asked them to recode their
query, but I can't stop him from running it, and it's still happening every
night when his script runs.

I'm going to look into chaning the LDAP query timeouts or better yet,
recreate a new OU structure with access restrictions for object viewing, and
then all the developers will start coming out of the woodwork.

Again, thanks for the advice.
 
Sounds like you have the right strategy, particularly as you do
want especially the developers to have awareness of quality
of their queries.
 
Back
Top