Anonymous Queries
If you want users outside the Windows 2000 forest to be able to query Active Directory for white pages–type lookups, you can enable anonymous access to specific directory objects. In Active Directory, anonymous access can be enabled by making objects in a specific container or containers available to the Everyone group.
There are three key requirements for enabling anonymous access to Active Directory:
Server configuration . Read access must be granted to the Everyone group for the containers in Active Directory that are going to allow anonymous access.
Client configuration . An LDAP-compatible client, such as Windows Address Book, must be available to search in Active Directory.
Distinguished name format . Active Directory requires that clients use a search base that contains an LDAP distinguished name (called the "base DN"), which includes both the DNS domain name and the specific container to which anonymous access has been granted.
.gif "note-icon")
Note
For anonymous access to be available for Internet users, anonymous access must be enabled on the Internet Information Services (IIS) Web server.
Using Access Control to Enable Anonymous Access
You can use access control to allow access to certain objects that you want to make available to anonymous users. You can do so by granting read access to the Everyone group for a container object that stores the public objects.
Members of the Everyone Group
In Active Directory, users who log on with authentication are automatically included in the Authenticated Users group. Users who log on without authentication are represented as Anonymous Logon. Users who log on as Guest are included in the Domain Guests group. In all cases, the users are members of the Everyone group. Therefore, providing access to the Everyone group covers all potential anonymous users in addition to all authenticated users.
Note
On all computers that run Windows 2000 or Windows NT, there is a built-in Guest account, which does not require a password (the password can be blank) and is meant to be shared by users who do not have personal accounts. These users are, in a sense, anonymous users. The Guest account is disabled by default.
By default, the Everyone group has read access to the domain object and its properties, but the access is not inherited by child containers. This access is enabled so that a user can log on anonymously in the event the user's password expires. When a password expires, the password must be changed before the user can log on. To change the password, the user must connect to the domain and change the password by providing the old password and the new password. Because the password has expired, this operation can proceed only if the user is able to connect anonymously.
.gif "caution-icon")
Caution
Avoid granting anonymous access to the domain-level container at any level other than "this object only," which is the default setting. By using this default setting, you enable all users to read the properties of the domain object itself but not see any of the objects below it in the hierarchy.
Assigning Read Access for Everyone
By granting the Everyone group read access to a specific container of objects, you can enable anonymous access to only that portion of Active Directory. You can use Active Directory Users and Computers to assign access control to a container in which you have placed the user objects that you want to make available for public access. To see the security options, enable Advanced Features .
To enable anonymous access to an Active Directory container
In the Active Directory Users and Computers console, if Advanced Features is not enabled, on the View menu, click Advanced Features .
Right-click the container to which you want to provide anonymous access.
Click Properties , click the Security tab, and then click Advanced .
In the Permission Entries box, if the Everyone group is not listed, click Add . In the Name column, click Everyone , and then click OK .In the Permission Entry for ContainerName dialog box, click the Properties tab.
In the Apply onto list, click User objects .
In the Permissions list, in the Allow column, click the permission or permissions that you want to allow (for example, Read General Information ). Then click OK .
On every security warning message that appears, if any, click Yes .
In the Access Control Settings dialog box, click OK .
Caution
Enabling anonymous queries weakens the inherent security in an Active Directory environment. Special care should be taken when you are deciding what containers and attributes are to be exposed to anonymous users.
Granting Read All Properties for Anonymous Queries
The built-in group Pre-Windows 2000 Compatible Access has Read All Properties access on user and group objects. By default, the Everyone group is not a member of this group. If you want to grant this level of access to anonymous users, you can add Everyone to this group. By doing so, you allow anonymous read access to all properties of all user and group objects. For more information about access control, see "Access Control" in this book.
Security Precautions for Anonymous Access
Any time that anonymous access is enabled where Internet access is available, it is critical to domain security that firewalls be configured to protect the ports that are used to gain entry to Active Directory.
A firewall is a combination of hardware and software that provides a security system, usually to prevent unauthorized access from the Internet to an internal network. A firewall prevents direct communication between network and external computers by routing communication through a proxy server outside the network. The proxy server determines whether it is safe to let a file pass through to the network.
Firewalls should be configured to protect the following ports:
Port 389 for LDAP
Port 636 for LDAP over Secure Sockets Layer (SSL)
Port 3268 for the Global Catalog
Port 3269 for the Global Catalog over SSL
For more information about configuring firewalls, see "Internet Protocol Security" in the TCP/IP Core Networking Guide .