AD Queries to block

    Question

  •  Hello All,

    All the Active Directory users have read-only access to the AD. But recently we found that a user on a non-domain-joined (WORKGROUP) machine can query all the LDAP servers via PowerShell queries; they easily got information about all users, groups, computers and all the DCs' IPs and hostnames. If they modified the queries, surely they could get much more detailed information.

    I would like to know whether we can secure LDAP so it doesn't provide any information when it is queried from non-domain-joined machines or by non-domain users.

    On the network side, NAC exploration is in progress.


    Thanks HA

    Monday, June 4, 2018 11:41 AM

Answers

All replies

  • Normally, Active Directory is read-only to "Authenticated Users". Is this user using a domain account to make the query?

    Also, could the local account and password be the same as an AD account's?

    You could activate auditing in AD and then see which account is used to make the query:

    https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/audit-policy-recommendations


    This posting is provided AS IS without warranty of any kind

    Monday, June 4, 2018 12:21 PM
  • As noted, if the user has domain credentials, they can query AD even from a computer not joined to the domain (but on the network). They would first log into the client with a local account, but then specify their domain credentials in the PowerShell command.

    Richard Mueller - MVP Enterprise Mobility (Identity and Access)

    Monday, June 4, 2018 1:11 PM
  • The user is not using a domain account; I am not sure about the local account and password.

    As per my understanding, to fetch it, one needs to be authenticated with AD.

    I will look at the document


    Thanks HA

    Monday, June 4, 2018 1:16 PM
  • I have received more information on it: they are using Kali Linux from a workgroup machine to query the LDAP servers.

    They are using anonymous access from Kali Linux.

    When I check the security permissions I can see only Authenticated Users with read-only access, and not Anonymous access.


    Thanks HA

    Thursday, June 14, 2018 6:40 AM
  • > I would like to know, can we secure the LDAP so it doesn't provide any information when they are queried by non-domain joined machine or users.

    https://serverfault.com/questions/693279/disable-anonymous-bind-to-an-active-directory-on-windows-server-2012r2
    (check the links in the above post)

    • Marked as answer by Anup Ghonge Thursday, June 21, 2018 7:54 AM
    Thursday, June 14, 2018 12:01 PM
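The linked post comes down to the forest-wide dSHeuristics attribute: anonymous LDAP operations beyond RootDSE are only possible when its 7th character is "2" (and even then ANONYMOUS LOGON still needs ACL read rights). The following is an added example, not code from the thread, that checks a dSHeuristics value pulled from a DC and produces the hardened value; the attribute path in the comment is the standard Directory Service object, and the sample values are constructed.

```python
# Added example: inspect AD's dSHeuristics to see whether anonymous LDAP
# operations are enabled (7th character == "2") and compute the hardened value.
# Fetch the live value on a DC with, for instance (standard object path):
#   Get-ADObject "CN=Directory Service,CN=Windows NT,CN=Services,<configurationNamingContext>" -Properties dSHeuristics
from dataclasses import dataclass
from typing import Optional

ANON_LDAP_POS = 7  # 1-based position of the anonymous-LDAP heuristic character


@dataclass
class DsHeuristicsReport:
    value: str                    # value as read from the directory ("" if absent)
    anonymous_ldap_enabled: bool  # True when character 7 is "2"
    malformed: bool               # True when the every-10th-character rule is violated
    hardened_value: str           # value with anonymous LDAP turned off ("" means clear the attribute)


def _position_markers_ok(value: str) -> bool:
    # AD requires every 10th character to spell out its position ("1" at 10, "2" at 20, ...);
    # a value breaking this rule would be rejected on write, so flag it as malformed.
    for i in range(10, len(value) + 1, 10):
        if value[i - 1] != str(i // 10):
            return False
    return True


def analyze_ds_heuristics(value: Optional[str]) -> DsHeuristicsReport:
    value = value or ""  # attribute not set -> every heuristic is at its default
    enabled = len(value) >= ANON_LDAP_POS and value[ANON_LDAP_POS - 1] == "2"
    malformed = not _position_markers_ok(value)
    if enabled:
        chars = list(value)
        chars[ANON_LDAP_POS - 1] = "0"
        # Trailing zeros carry no setting; an all-zero string is equivalent to no attribute.
        hardened = "".join(chars).rstrip("0")
    else:
        hardened = value
    return DsHeuristicsReport(value, enabled, malformed, hardened)


if __name__ == "__main__":
    # Constructed sample values: default (absent), anonymous enabled, enabled with extra flags.
    for sample in (None, "0000002", "0000002001"):
        r = analyze_ds_heuristics(sample)
        print(f"{r.value!r:14} anonymous={r.anonymous_ldap_enabled} "
              f"malformed={r.malformed} hardened={r.hardened_value!r}")
```

A hardened_value of "" means the attribute should be cleared rather than written back; after the change, anonymous binds can still read RootDSE, which is expected.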