remove anonymous LDAP access

Status
Not open for further replies.
A while back anonymous LDAP access was turned on in our domain using the DsHeuristics key referenced here:
What is the best way to turn NULL binding back off to reset it to default so that you can't query the LDAP anonymously anymore?

Since the default is 0 due to it not existing, do I just delete the DsHeuristics key so that it reverts back to 0 "naturally", or do I change it from 2 to 0?

What is the best way to do that?
 
dSHeuristics is an attribute of "CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=<yourdomain>,DC=<tld>".

Simply go to the properties of that object using ADSIEdit, select the attribute from the list, click on edit, then click the 'clear' button.

That will set the attribute back to null.

PSC

Governments and corporations need people like you and me. We are samurai. The keyboard cowboys. And all those other people out there who have no idea what's going on are the cattle. Mooo! --Mr. The Plague, from the movie "Hackers"
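
The reset described in the answer above, as an added PowerShell example that is not part of the original thread. It goes slightly beyond clearing the attribute: it resets only the anonymous-operations flag so that any other dSHeuristics settings survive. It assumes the ActiveDirectory module (RSAT) is installed and that the flag is the seventh character of dSHeuristics, with 2 meaning anonymous operations are allowed; the `-Apply` switch is a name chosen for this example.

```powershell
# Added example: audit and reset the anonymous-operations flag in dSHeuristics.
# Runs in preview mode (-WhatIf) unless -Apply is given.
# Writing to the Configuration partition normally needs Enterprise Admin rights.
param([switch]$Apply)

Import-Module ActiveDirectory

# Build the DN from the forest's configuration naming context instead of typing it.
$configNC = (Get-ADRootDSE).configurationNamingContext
$dn = "CN=Directory Service,CN=Windows NT,CN=Services,$configNC"

$current = (Get-ADObject -Identity $dn -Properties dSHeuristics).dSHeuristics

if ([string]::IsNullOrEmpty($current)) {
    Write-Output "dSHeuristics is not set: anonymous LDAP operations are at the default (off)."
}
elseif ($current.Length -lt 7 -or $current.Substring(6, 1) -ne '2') {
    # Assumption: character 7 is the anonymous-operations flag; anything but 2 leaves it off.
    Write-Output "dSHeuristics = '$current': the anonymous flag is not enabled, nothing to change."
}
else {
    # Zero only character 7 and keep the length, so other flags and any
    # position-marker characters in longer values stay exactly where they were.
    $chars = $current.ToCharArray()
    $chars[6] = '0'
    $new = -join $chars

    if ($new -match '^0+$') {
        # Nothing else was configured: clear the attribute, as with ADSIEdit's 'Clear' button.
        Write-Output "dSHeuristics = '$current': clearing the attribute."
        Set-ADObject -Identity $dn -Clear dSHeuristics -WhatIf:(-not $Apply)
    }
    else {
        # Other characters are in use: write the value back with only the flag reset.
        Write-Output "dSHeuristics = '$current': other flags present, writing '$new'."
        Set-ADObject -Identity $dn -Replace @{ dSHeuristics = $new } -WhatIf:(-not $Apply)
    }
}
```

Run it once without `-Apply` to see what would change, then again with `-Apply`; rerunning afterwards should report that the flag is not enabled.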
 
As an extra thought, and I'm sure this is the case, ensure the domain controllers policy disables anonymous access, and that "everyone includes anonymous" is also not enabled. :)

-Brandon Wilson
MCSE:Security00/03
MCSA:Messaging00
MCSA:Security03
A+

 