
Anonymous access to the root DSE of a non-public directory must be disabled.


Overview

Finding ID: V-14797
Version: DS00.3131_AD
Rule ID: SV-16172r3_rule
IA Controls: ECAN-1, ECCD-1, ECCD-2
Severity: Low
Description
Allowing anonymous access to the root DSE data on a directory server provides potential attackers with a number of details about the configuration and data contents of a directory. For example, the namingContexts attribute indicates the directory space contained in the directory; the supportedLDAPVersion attribute indicates which versions of the LDAP protocol the server supports; and the supportedSASLMechanisms attribute indicates the names of supported authentication mechanisms. An attacker with this information may be able to select more precisely targeted attack tools or higher value targets.
STIG: Active Directory Service 2003 Security Technical Implementation Guide (STIG)
Date: 2011-05-20

Details

Check Text (C-14089r2_chk)
At this time, mark this check as a finding for all Windows domain controllers for sensitive or classified levels because Microsoft's AD or AD DS does not provide a method to restrict anonymous access to the root DSE on domain controllers.

1. With the assistance of the application SA, execute an LDAP browser utility that allows an account to be specified to access the directory.

2. Some client technologies may use default credentials if none are specified. The correct method must be used to ensure anonymous access is actually invoked.

3. On Windows systems, the “ldp.exe” utility from the Windows Support Tools can be used. See the directions for “ldp.exe” below.

4. Using the LDAP browser and specifying anonymous access (through the technology or tool-specific method), search the directory for the root DSE by specifying a null search base and a search scope of “base”.

5. If the LDAP browser displays information from the root DSE under anonymous access, then this is a finding.

Supplemental Notes:

- To use the “ldp.exe” utility to attempt an anonymous query of the root DSE:
-- From the Connection menu item, select Connect.
-- On the Connect dialog, enter the Server name and the correct port (usually 389 or 636), and select OK.
-- From the Connection menu item, select Bind.
-- Clear the User, Password, and Domain fields; clear the Domain checkbox; and select OK.
-- Ensure that “ldap_simple_bind” and “Authenticated as dn:'Null'” are displayed.
-- From the Browse menu item, select Search.
-- On the Search dialog, select Options.
-- On the Search Options dialog, clear the Attributes field and select OK.
-- On the Search dialog, clear the Base DN field; select the Base checkbox; set Filter to “(objectclass=*)”; and select Run.
-- Ensure that “Getting 1 entries:” is displayed.
-- If root DSE attributes (such as namingContexts) are displayed, anonymous access to the root DSE is enabled.
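The anonymous root DSE query that the check procedure and the ldp.exe steps above perform, as an added Python example (not part of the STIG and not Microsoft's or ldp.exe's code): it hand-encodes the LDAPv3 anonymous simple bind and the null-base, base-scope (objectClass=*) search on the wire, then judges the reply the way step 5 does. It assumes plaintext LDAP on port 389 with no TLS or StartTLS, a server name supplied by the auditor, and the server replies used to exercise the decoder are constructed.

```python
import socket

def tlv(tag, payload):                   # BER tag-length-value; short-form length is enough for these requests
    assert len(payload) < 0x80
    return bytes([tag, len(payload)]) + payload
def ber_int(v, tag=0x02):                # INTEGER (0x02) or ENUMERATED (0x0A), two's-complement encoded
    return tlv(tag, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big", signed=True))
def anonymous_bind_request(msg_id=1):
    # BindRequest [APPLICATION 0]: version 3, empty name, simple [0] empty password,
    # which is what ldp.exe sends once the User, Password and Domain fields are cleared.
    return tlv(0x30, ber_int(msg_id) + tlv(0x60, ber_int(3) + tlv(0x04, b"") + tlv(0x80, b"")))
def root_dse_search_request(msg_id=2, attrs=()):
    # SearchRequest [APPLICATION 3]: null base DN, scope baseObject, filter (objectClass=*)
    search = (tlv(0x04, b"")                                    # baseObject "" selects the root DSE
              + ber_int(0, 0x0A) + ber_int(0, 0x0A)             # scope=baseObject(0), derefAliases=never(0)
              + ber_int(0) + ber_int(0) + tlv(0x01, b"\x00")    # sizeLimit 0, timeLimit 0, typesOnly FALSE
              + tlv(0x87, b"objectClass")                       # present filter, i.e. (objectClass=*)
              + tlv(0x30, b"".join(tlv(0x04, a.encode()) for a in attrs)))  # empty list = all user attrs
    return tlv(0x30, ber_int(msg_id) + tlv(0x63, search))
def ber_read(buf, pos):
    """Decode one TLV at buf[pos]; return (tag, payload, position after it). Handles long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                    # long form: the next (length & 0x7F) bytes hold the real length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length
def anonymous_root_dse_exposed(data):
    """Verdict from the raw server reply: anonymous bind accepted AND at least one SearchResultEntry."""
    pos, bind_ok, entries = 0, False, 0
    while pos < len(data):
        _, msg, pos = ber_read(data, pos)
        _, _, p = ber_read(msg, 0)                      # skip messageID
        op_tag, op, _ = ber_read(msg, p)
        if op_tag == 0x61:                              # BindResponse: resultCode is its first field
            bind_ok = ber_read(op, 0)[1] == b"\x00"     # 0 == success
        elif op_tag == 0x64:                            # SearchResultEntry: root DSE attributes were returned
            entries += 1
    return bind_ok and entries > 0
def probe(host, port=389, timeout=5):
    """Run the check against a live server over plaintext LDAP; True is the finding the check text describes."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(anonymous_bind_request(1) + root_dse_search_request(2))
        data = b""
        try:
            while chunk := s.recv(65536):               # the server keeps the session open; read until it goes quiet
                data += chunk
        except socket.timeout:
            pass
    return anonymous_root_dse_exposed(data)
```

A False verdict together with a non-zero bind resultCode means the server refused the anonymous bind itself (for example because of a signing or TLS policy), so inspect the bind response before concluding that root DSE access is restricted.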

Fix Text (F-15004r2_fix)
Disable anonymous access to the root DSE of a non-public directory.