Possible Security Problem in LDAP_ANONYMOUS Account

ID: Q248840


SYMPTOMS

The LDAP_ANONYMOUS user account password is exposed in the registry in plain text. Anyone who has installed Site Server knows the user name and password, because the password is always the same.


CAUSE

This password is hard-coded in the software. Maintaining the password through the registry setting has no effect.

Registry settings are located at:


HKLM/SYSTEM/CurrentControlSet/Services/LDAPSVC/paramaters 


RESOLUTION

A supported fix that corrects this problem is now available from Microsoft, but it has not been fully regression tested and should be applied only to systems experiencing this specific problem. If you are not severely affected by this specific problem, Microsoft recommends that you wait for the next Site Server service pack that contains this fix.

To resolve this problem immediately, contact Microsoft Product Support Services to obtain the fix. For a complete list of Microsoft Product Support Services phone numbers and information on support costs, please go to the following address on the World Wide Web:

http://www.microsoft.com/support/supportnet/overview/overview.asp

The English version of this fix should have the following file attributes or later:

   Date        Time      Version       Size    File name     Platform
   ------------------------------------------------------------------
   12/01/1999  09:45a    7.0.1279.0    210,592 dscomobj.dll  x86
   12/01/1999  09:44a    7.0.1279.0    342,800 dscomobj.dll  alpha 
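
To check whether a copy of dscomobj.dll is at or above the version in the table, the following added example (not part of the original article and not Microsoft code) reads the file version from the DLL by scanning for the VS_FIXEDFILEINFO signature in its version resource. It assumes the table's Version column is the file version; the function names and the sample bytes are constructed for illustration.

```python
import struct
import sys

# Minimum fixed version of dscomobj.dll, taken from the table in this article.
FIXED_VERSION = (7, 0, 1279, 0)

# VS_FIXEDFILEINFO.dwSignature (0xFEEF04BD) as stored little-endian in a PE file.
_SIGNATURE = struct.pack("<I", 0xFEEF04BD)


def file_version(data: bytes):
    """Return (major, minor, build, revision) from the first plausible
    VS_FIXEDFILEINFO structure in data, or None if none is found."""
    pos = data.find(_SIGNATURE)
    while pos != -1:
        header = data[pos:pos + 16]
        if len(header) == 16:
            _sig, struc_ver, ms, ls = struct.unpack("<4I", header)
            # dwStrucVersion is normally 0x00010000; checking it rejects
            # chance occurrences of the signature bytes elsewhere in the file.
            if struc_ver == 0x00010000:
                return (ms >> 16, ms & 0xFFFF, ls >> 16, ls & 0xFFFF)
        pos = data.find(_SIGNATURE, pos + 1)
    return None


def has_fix(data: bytes) -> bool:
    """True if the file version is 7.0.1279.0 or later."""
    version = file_version(data)
    if version is None:
        raise ValueError("no VS_FIXEDFILEINFO found; not a versioned PE file?")
    return version >= FIXED_VERSION


def constructed_sample(version):
    """Constructed bytes holding one VS_FIXEDFILEINFO header (not a real DLL)."""
    major, minor, build, rev = version
    ms, ls = (major << 16) | minor, (build << 16) | rev
    return b"MZ" + b"\x00" * 62 + struct.pack("<4I", 0xFEEF04BD, 0x00010000, ms, ls)


if __name__ == "__main__":
    if len(sys.argv) > 1:  # path to a copy of dscomobj.dll
        with open(sys.argv[1], "rb") as fh:
            blob = fh.read()
    else:  # fall back to the constructed sample
        blob = constructed_sample(FIXED_VERSION)
    print(file_version(blob), "fixed" if has_fix(blob) else "NOT fixed")
```

Run it with the path to a copy of the DLL as the only argument; with no argument it uses the constructed sample.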


STATUS

Microsoft has confirmed this to be a problem in Site Server 3.0.


MORE INFORMATION

With the fix applied, a random password is generated for the LDAP_ANONYMOUS account every time the ldapsvc service is started. The registry setting mentioned in the "Cause" section is no longer used.

Issue type : kbbug


Last Reviewed: December 21, 1999
© 2000 Microsoft Corporation. All rights reserved.