UCF STIG Viewer Logo

Directory data (outside the root DSE) of a non-public directory must be configured to prevent anonymous access.


Overview

Finding ID Version Rule ID IA Controls Severity
V-14798 DS00.3130_AD SV-16173r3_rule ECAN-1 ECCD-1 ECCD-2 High
Description
To the extent that anonymous access to directory data (outside the root DSE) is permitted, read access control of the data is effectively disabled. If other means of controlling access (such as network restrictions) are compromised, there may be nothing else to protect the confidentiality of sensitive directory data.
STIG Date
Active Directory Service 2003 Security Technical Implementation Guide (STIG) 2011-05-20

Details

Check Text ( C-14090r4_chk )
1. With the assistance of the SA, execute an LDAP browser utility that allows an account to be specified to access the directory.

2. Some technologies may use default (logon) credentials if none are specified. The correct method must be used to ensure anonymous access is actually invoked.

3. On Windows systems, the “ldp.exe” utility from the Windows Support Tools or from the DISA IASE website) can be used. See the directions for “ldp.exe” below.

4. Using the LDAP browser and specifying anonymous access (through the tool-specific method), search the directory for the AD domain naming context.

5. The AD domain naming context is documented in the value of the defaultNamingContext attribute in the root DSE. Generally, this value is something like “dc=disaost,dc=mil”.

6. If the LDAP browser displays the AD domain naming context under anonymous access, then this is a finding.

Supplemental Notes:

- To use the “ldp.exe” utility to attempt an anonymous query of the root DSE:
- From the Connection menu item, select Connect.
- On the Connect dialog, enter the Server name and the correct port (usually 389 or 636), and select OK.
- From the Connection menu item, select Bind.
- Clear the User, Password, and Domain fields, the Domain checkbox, and select OK.
- Ensure that “ldap_simple_bind” and “Authenticated as dn:’Null’” is displayed.
- From the Browse menu item, select Search.
- On the Search dialog, select Options.
- On the Search Options dialog, clear the Attributes field and select OK.
- On the Search dialog, enter the DN of the domain naming context (generally something like “dc=disaost,dc=mil”) in the Base DN field and select Run.
- Ensure that “Getting n entries:” is displayed.
- If attribute data is displayed, anonymous access is enabled to the domain naming context.

For AD, there are multiple configuration items that could enable anonymous access.
1. For all Windows server OSs, changing the access permissions on the domain naming context object (from the secure defaults) could enable anonymous access. If the Check procedures indicate this is the cause, the process that was used to change the permissions should be reversed. This could have been through the Windows Support Tools ADSI Edit console (adsiedit.msc).

2. The dsHeuristics option is used. This is addressed in check V-8555 (DS.0230_AD) in the AD Forest STIG.
Fix Text (F-15005r2_fix)
Configure directory data (outside the root DSE) of a non-public directory to prevent anonymous access.