Possible Security Problem in LDAP_ANONYMOUS Account (248840)
The information in this article applies to:
- Microsoft Site Server 3.0
This article was previously published under Q248840
SYMPTOMS
The LDAP_ANONYMOUS user account password is exposed in the registry in plain text. Because the password is always the same, anyone who has installed Site Server knows the user name and password.
CAUSE
This password is hard-coded in the software. Maintaining the password through the registry setting has no effect.
Registry settings are located at:
HKLM/SYSTEM/CurrentControlSet/Services/LDAPSVC/paramaters
RESOLUTION
To resolve this problem, obtain the latest service pack for Site Server version 3.0. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
219292 How to Obtain the Latest Site Server 3.0 Service Pack
STATUS
Microsoft has confirmed that this is a problem in Site Server 3.0. This problem was first corrected in Site Server 3.0 Service Pack 4.
MORE INFORMATION
The corrected implementation generates a random password for the LDAP_ANONYMOUS account every time the LDAP service (ldapsvc) is started. The registry setting mentioned in the "Cause" section is no longer used.
Modification Type: Minor
Last Reviewed: 9/23/2005
Keywords: kbHotfixServer kbQFE kbbug kbfix kbQFE kbSiteServ300sp4fix KB248840