LDAP-NullBase Anonymous Access


Marty Henderson

There is a known LDAP "hole" which allows an anonymous root query to any LDAP
server. (See http://xforce.iss.net/xforce/xfdb/1425) Is there a way, in a
Windows 2000 Server Active Directory domain, to plug LDAP null/anonymous
access? This is on a government contract installation and the security folks
are "nervous" about it, even if no real useful domain info is returned by
the query.

Thanks,

Marty Henderson
 
I think that if you read the RFC you'll see that an LDAP-compliant directory
must allow anonymous access to this information.

For that reason there is no way to restrict access to this information with
Windows 2000.
 