|Applies To||Keon Certificate Authority 6.5.1; Microsoft Windows 2000 Server; Sun Solaris 2.8|
Vulnerability: LDAP monitor information gathering; details at http://xforce.iss.net/xforce/xfdb/1419 from Internet Security Systems.
|Issue||How to disable the cn=monitor branch in the Keon Certificate Authority internal LDAP server|
|Cause||An attacker could access the Lightweight Directory Access Protocol (LDAP) monitor to gain information about the LDAP server. The LDAP server dumps monitoring information about connections, the number of back-ends, and which users are logged on. An attacker could use this information to access directory listings and plan further attacks.|
|Resolution||In the 'System Configuration' workbench, click the 'LDAP rules' link on the left; the 'LDAP Access Control Rules' will be shown. At the beginning of the rules, add the following line:|
access to dn="cn=monitor" by dn=".*" none
Then click Save to save the rules. This rule denies all access to the cn=monitor object. You can change the rule to allow access by particular users by specifying the MD5 value of their certificate, as in the other entries in the ACL list; however, KCA itself has no functional requirement to access this location.
NOTE: Make sure you have a backup copy of the ACL text before you make the change, since if you make a mistake, you can lock yourself out of the entire system, and you would need to restore from a full backup.
NOTE: Make sure you add the rule at the top; if you add it at the bottom, it will have no effect.
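To show why the rule must go at the top, here is an added, simplified first-match evaluator for rules of this shape (illustrative code written for this article, not part of KCA or its ACL engine; the rule lines, DNs and the `lockout_check` helper are constructed). It returns 'none' for cn=monitor when the deny rule comes first and 'read' when it trails a broader rule.

```python
import re
from typing import List, Tuple

# Constructed model of slapd-style rules of the form
#   access to dn="<regex>" by dn="<regex>" <level>
# Evaluation is first-match: the first rule whose target matches decides,
# which is why the cn=monitor deny rule must precede any broader rule.
RULE_RE = re.compile(
    r'^access to dn="(?P<target>[^"]*)"\s+by dn="(?P<who>[^"]*)"\s+(?P<level>\w+)$'
)

def parse_rules(text: str) -> List[Tuple[str, str, str]]:
    """Parse ACL text into (target_regex, who_regex, level) tuples, in order."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable ACL line: {line!r}")
        rules.append((m["target"], m["who"], m["level"]))
    return rules

def effective_access(rules, target_dn: str, requester_dn: str) -> str:
    """Level granted by the first rule whose target matches; 'none' otherwise."""
    for target, who, level in rules:
        if re.fullmatch(target, target_dn, re.IGNORECASE):
            if re.fullmatch(who, requester_dn, re.IGNORECASE):
                return level
            return "none"  # target matched but no 'by' clause did: stop here
    return "none"

# Constructed ACL texts: recommended placement (deny first) versus the
# mistake the note warns about (deny appended after a broad read rule).
BROAD_RULE = 'access to dn=".*" by dn=".*" read'
MONITOR_DENY = 'access to dn="cn=monitor" by dn=".*" none'
ACL_TOP = "\n".join([MONITOR_DENY, BROAD_RULE])
ACL_BOTTOM = "\n".join([BROAD_RULE, MONITOR_DENY])

def monitor_exposed(acl_text: str, requester_dn: str = "cn=anyone") -> bool:
    """True if the requester would get any access to cn=monitor under this ACL."""
    return effective_access(parse_rules(acl_text), "cn=monitor", requester_dn) != "none"

def lockout_check(acl_text: str, admin_dn: str, sample_dn: str) -> bool:
    """Pre-change sanity check: the admin still reads an ordinary entry."""
    return effective_access(parse_rules(acl_text), sample_dn, admin_dn) in ("read", "write")
```

Run `monitor_exposed` and `lockout_check` against a copy of the edited ACL text before saving it, to confirm the rule is placed where it actually takes effect and that ordinary entries remain readable.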
|Legacy Article ID||a27588|