Recipe 14.4 Restricting Hosts from Performing LDAP Queries

14.4.1 Problem

You want domain controllers to reject LDAP queries from certain IP addresses. This can be useful if you want to prohibit domain controllers from responding to LDAP queries for certain applications or hosts.

14.4.2 Solution

14.4.2.1 Using a command-line interface

This option is not present in the Windows Server 2003 version of ntdsutil.

The following adds network 10.0.0.0 with mask 255.255.255.0 to the IP deny list:

> ntdsutil "ipdeny list" conn "co t s <DomainControllerName>" q
IP Deny List: Add 10.0.0.0 255.255.255.0
*[1] 10.0.0.0 GROUP MASK      255.255.255.0

NOTE: * | D - uncommitted addition | deletion
IP Deny List: Commit
 [1] 10.10.10.0 GROUP MASK      255.255.255.0

NOTE: * | D - uncommitted addition | deletion

14.4.3 Discussion

The IP deny list is stored as an octet string in the lDAPIPDenyList attribute of a query policy. See Recipe 4.23 for more information on the LDAP query policy.

When the IP deny list is set, domain controllers that are using the default query policy will not respond to LDAP queries from any IP address specified in the deny list address range. To test whether a certain IP address would be denied, run Test x.x.x.x, where x.x.x.x is an IP address, from the IP Deny List: subcommand in ntdsutil.

By setting the IP deny list on the default query policy, you would effectively restrict the IP address range from querying any domain controller in the forest. If you need to only restrict queries for a specific domain controller, you'll need to create a new LDAP query policy and apply it to the domain controller.

14.4.4 See Also

Recipe 4.23 for more information on the LDAP query policy, and MS KB 314976 (HOW TO: Use the Ntdsutil Utility to Deny Access to IP Addresses in Windows 2000)



    Chapter 3. Domain Controllers, Global Catalogs, and FSMOs
    Chapter 6. Users
    Appendix A. Tool List