1. Use either the ntdsutil.exe or the dsquery.exe utility to display the value for MaxConnIdleTime in the lDAPAdminLimits attribute. (See instructions in Supplementary Notes.)
2. If the value for MaxConnIdleTime is greater than 300 (the value is in seconds; 300 is five minutes) or it is not specified, then this is a finding.
To use the “ntdsutil.exe” utility to display MaxConnIdleTime:
1. At a command line prompt enter ntdsutil
2. At the “ntdsutil:” prompt, enter LDAP policies
3. At the “ldap policy:” prompt, enter connections
4. At the “server connections:” prompt, enter connect to server [host-name]
(Where [host-name] is the computer name of the domain controller.)
5. At the “server connections:” prompt, enter q
6. At the “ldap policy:” prompt, enter show values
7. Enter q at the “ldap policy:” and “ntdsutil:” prompts to exit.
To use the “dsquery.exe” utility to display MaxConnIdleTime:
1. At a command line prompt enter (on a single line):
dsquery * "cn=Default Query Policy,cn=Query-Policies,cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration,dc=[forest-name]" -attr lDAPAdminLimits
(Where the quotes are required and dc=[forest-name] is the fully qualified LDAP name of the forest root domain; the Configuration partition is forest-wide, so the same distinguished name is used whichever domain is being reviewed.)
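The same check can be scripted with the ActiveDirectory PowerShell module, which avoids hand-typing the dc=[forest-name] portion of the distinguished name. The script below is an added example, not part of the STIG text. It assumes the ActiveDirectory module (RSAT) is installed, that the caller can read the Configuration partition, and that the domain controller is reachable by the name passed as -Server; the function names and the sample lDAPAdminLimits values are constructed for illustration. One caveat: dsquery and this script read the Default Query Policy object, whereas ntdsutil "show values" reports the policy in effect on the connected DC; if a DC or its site has been assigned its own query policy, the two can differ, so review the object that actually applies.

```powershell
# Added example, not part of the STIG check text. Reads the lDAPAdminLimits of the
# Default Query Policy with the ActiveDirectory module (RSAT) and applies the same
# pass/fail rule as the check: missing or greater than 300 seconds is a finding.
# Assumptions (not from the original): the ActiveDirectory module is installed, the
# caller can read the Configuration partition, and the DC is reachable by $Server.

function Test-MaxConnIdleTime {
    param(
        # Raw lDAPAdminLimits values, e.g. 'MaxConnIdleTime=900', 'MaxConnections=5000'
        [AllowEmptyCollection()][string[]]$LdapAdminLimits,
        [int]$MaxAllowedSeconds = 300   # five minutes, as in the check
    )
    $entry = @($LdapAdminLimits) | Where-Object { $_ -like 'MaxConnIdleTime=*' } | Select-Object -First 1
    if (-not $entry) {
        # Unspecified is a finding: the DC then uses the built-in default of 900 seconds.
        return [pscustomobject]@{ Seconds = $null; Finding = $true; Reason = 'MaxConnIdleTime not specified' }
    }
    $seconds   = [int]($entry -split '=', 2)[1]
    $isFinding = $seconds -gt $MaxAllowedSeconds
    [pscustomobject]@{
        Seconds = $seconds
        Finding = $isFinding
        Reason  = $(if ($isFinding) { "MaxConnIdleTime=$seconds exceeds $MaxAllowedSeconds" } else { 'compliant' })
    }
}

function Get-DefaultQueryPolicyLimits {
    param([string]$Server)   # host name of the domain controller being reviewed
    Import-Module ActiveDirectory -ErrorAction Stop
    # The Configuration partition is forest-wide; take its DN from RootDSE
    # instead of hand-typing dc=[forest-name].
    $configNC = (Get-ADRootDSE -Server $Server).configurationNamingContext
    $dn = "CN=Default Query Policy,CN=Query-Policies,CN=Directory Service,CN=Windows NT,CN=Services,$configNC"
    (Get-ADObject -Identity $dn -Server $Server -Properties lDAPAdminLimits).lDAPAdminLimits
}

# Offline run against constructed values (the AD default of 900 seconds is a finding):
Test-MaxConnIdleTime -LdapAdminLimits @('MaxConnIdleTime=900', 'MaxConnections=5000')
Test-MaxConnIdleTime -LdapAdminLimits @('MaxConnIdleTime=300')
Test-MaxConnIdleTime -LdapAdminLimits @('MaxConnections=5000')

# Live run against a DC (DC01 is a placeholder for the domain controller's host name):
# Test-MaxConnIdleTime -LdapAdminLimits (Get-DefaultQueryPolicyLimits -Server 'DC01')
```

The three offline calls return Finding = True (900 exceeds 300), False (300 is at the limit), and True (value not specified), matching the two conditions in step 2 of the check.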