UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

Anonymous Access to AD forest data above the rootDSE level must be disabled.


Overview

Finding ID Version Rule ID IA Controls Severity
V-8555 AD.0230 SV-9052r3_rule ECAN-1 ECCD-1 ECCD-2 Medium
Description
For Windows Server 2003 or above, the dsHeuristics option can be configured to override the default restriction on anonymous access to AD data above the rootDSE level. Anonymous access to AD data could provide valuable account or configuration information to an intruder trying to determine the most effective attack strategies.
STIG Date
Active Directory Forest Security Technical Implementation Guide (STIG) 2011-05-12

Details

Check Text ( C-7713r3_chk )
1. At the command line prompt enter (on a single line):
dsquery * "cn=Directory Service,
cn=Windows NT,cn=Services,cn=Configuration,dc=[forest-name]" -scope base -attr *

(Where dc=[forest-name] is the fully qualified LDAP name of the root of the domain being reviewed.)

Example:
The following is an example of the dsquery command for the vcfn.ost.com forest.

dsquery * "cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration, dc=vcfn,dc=ost,dc=com -scope base -attr *

2. If the dsHeuristics attribute is listed, note the assigned value.

3. If the dsHeuristics attribute is defined and has a “2” as the 7th character, then this is a finding.

Examples of values that would be a finding as follows:
“0000002”, “0010002”, “0000002000001”.
(The 7th character controls anonymous access.)

Supplementary Notes:
Domain controllers have this option disabled by default. However, this check verifies that the option has not been enabled.

The dsHeuristics option can be configured with the Windows Support Tools Active Directory Service Interfaces Editor (ADSI Edit) console (adsiedit.msc).
Fix Text (F-8074r2_fix)
Disable anonymous access to AD forest data above the rootDSE level.