= Possible Security Problem in LDAP_ANONYMOUS Account =

Article ID: 248840

Article Last Modified on 9/23/2005


APPLIES TO


 * Microsoft Site Server 3.0 Standard Edition




This article was previously published under Q248840



SYMPTOMS
The LDAP_ANONYMOUS user account password is exposed in the registry in plain text. Because the password is always the same, anyone who has installed Site Server knows the user name and password for this account.



CAUSE
This password is hard-coded in the software. Maintaining the password through the registry setting has no effect.

Registry settings are located at: HKLM/SYSTEM/CurrentControlSet/Services/LDAPSVC/paramaters



RESOLUTION
To resolve this problem, obtain the latest service pack for Site Server version 3.0. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

219292 How to Obtain the Latest Site Server 3.0 Service Pack



STATUS
Microsoft has confirmed that this is a problem in Site Server 3.0. This problem was first corrected in Site Server 3.0 Service Pack 4.



MORE INFORMATION
The corrected implementation generates a random password for the LDAP_ANONYMOUS account every time the ldapsvc service is started. The registry setting mentioned in the "Cause" section is no longer used.

Keywords: kbbug kbfix kbqfe kbsiteserv300sp4fix kbhotfixserver KB248840


© Microsoft Corporation. All rights reserved.