11-Nov-2005 00:46:02
A Windows 2000 domain by default allows anonymous LDAP queries. How can an
administrator restrict this without affecting operations? Thanks.
For Windows 2003 look at:
http://support.microsoft.com/default.aspx?scid=326690
In the same article they state:
<QUOTE>
The DsHeuristics setting applies to all Windows Server 2003-based
domain controllers in the same forest. The value is realized by
domain controllers upon Active Directory replication without
restarting Windows. Microsoft Windows 2000-based domain controllers
do not support this setting and do not restrict anonymous operations
if they are present in a Windows Server 2003-based forest.
</QUOTE>
IMHO: it is not possible to disable anonymous LDAP operations in W2K AD. If
possible, you could still restrict access by making sure anonymous
does not have permissions on objects (directly or through
memberships) (e.g. through the pre-Windows 2000 compat group).
Cheers,
# Jorge de Almeida Pinto #