000022238 - How to disable the cn=monitor branch in the Keon Certificate Authority internal LDAP server

Document created by RSA Customer Support Employee on Jun 16, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000022238
Applies To: Keon Certificate Authority 6.5.1
Microsoft Windows 2000 Server
Sun Solaris 2.8
cn=monitor
Vulnerability: LDAP monitor information gathering; details at http://xforce.iss.net/xforce/xfdb/1419 from Internet Security Systems
Issue: How to disable the cn=monitor branch in the Keon Certificate Authority internal LDAP server
Cause: An attacker could access the Lightweight Directory Access Protocol (LDAP) monitor to gain information about the LDAP server. The LDAP server dumps monitoring information about connections, the number of back-ends, and which users are logged on. An attacker could use this information to access directory listings and plan further attacks.
Resolution: In the 'System Configuration' workbench, click the 'LDAP rules' link on the left to display the 'LDAP Access Control Rules'. Add the following line at the beginning of the rules:

    access to dn="cn=monitor" by dn=".*" none

Then click Save to save the rules. This rule denies all access to the cn=monitor object. You can change the rule to allow access by certain users by specifying the MD5 value of their certificate, as with the other entries in the ACL list. However, KCA has no functional requirement to access this location.

NOTE: Make sure you have a backup copy of the ACL text before you make the change, since if you make a mistake, you can lock yourself out of the entire system, and you would need to restore from a full backup.

NOTE: Make sure you add the rule at the top; if you add it at the bottom, it will have no effect.
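The two notes above come down to rule ordering. The following added example (not part of the RSA article or of KCA) models an ordered ACL list under assumed OpenLDAP-style first-match semantics and shows why the cn=monitor deny rule only takes effect when it precedes the existing rules; the catch-all `access to dn=".*" by dn=".*" read` rule is a constructed stand-in for the rules already present in a KCA configuration.

```python
import re
from typing import List, Tuple

# Constructed ACL texts. DENY_MONITOR is the rule from the article; CATCH_ALL
# is an assumed stand-in for the rules that already exist in the KCA ACL list.
DENY_MONITOR = 'access to dn="cn=monitor" by dn=".*" none'
CATCH_ALL = 'access to dn=".*" by dn=".*" read'

ACL_RULE_AT_TOP = [DENY_MONITOR, CATCH_ALL]     # what the article recommends
ACL_RULE_AT_BOTTOM = [CATCH_ALL, DENY_MONITOR]  # the mistake the second NOTE warns about

RULE_RE = re.compile(r'^access\s+to\s+dn="(?P<target>[^"]*)"\s+(?P<by>.*)$')
BY_RE = re.compile(r'by\s+dn="(?P<who>[^"]*)"\s+(?P<level>\w+)')


def parse_rule(rule: str) -> Tuple[str, List[Tuple[str, str]]]:
    """Split one rule into its target-DN regex and its ordered (who, level) clauses."""
    m = RULE_RE.match(rule.strip())
    if not m:
        raise ValueError(f"unparseable ACL rule: {rule!r}")
    clauses = [(b.group("who"), b.group("level")) for b in BY_RE.finditer(m.group("by"))]
    return m.group("target"), clauses


def evaluate(acl: List[str], target_dn: str, requester_dn: str) -> str:
    """Return the access level the ordered ACL grants requester_dn on target_dn.

    Assumed OpenLDAP-style semantics: the first rule whose target regex matches
    the entry decides the outcome; within that rule the first matching 'by'
    clause applies, and a rule with no matching clause denies ("none").
    Later rules are never consulted, which is why ordering matters.
    """
    for rule in acl:
        target, clauses = parse_rule(rule)
        if re.fullmatch(target, target_dn, re.IGNORECASE) is None:
            continue
        for who, level in clauses:
            if re.fullmatch(who, requester_dn, re.IGNORECASE):
                return level
        return "none"
    return "none"  # no rule matched the entry at all: deny by default


if __name__ == "__main__":
    # Same requester, same entry; only the position of the deny rule differs.
    for name, acl in (("rule at top", ACL_RULE_AT_TOP), ("rule at bottom", ACL_RULE_AT_BOTTOM)):
        print(f"{name:15}: cn=monitor -> {evaluate(acl, 'cn=monitor', 'cn=someuser')}")
```

With the rule at the top, cn=monitor resolves to "none" for every requester while other entries keep their existing access; with the rule at the bottom, the earlier catch-all already matched and the deny rule is never reached.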
Legacy Article ID: a27588
