Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-14831 | DS00.3370_AD | SV-16171r2_rule | ECTM-1 ECTM-2 | Low |
Description |
---|
- The failure to terminate inactive network connections increases the risk of a successful attack on the directory server. The longer an established session is in progress, the more time an attacker has to hijack the session, implement a means to passively intercept data, or compromise any protections on client access. For example, if an attacker gains control of a client computer, an existing (already authenticated) session with the directory server could allow access to the directory. The lack of confidentiality protection in LDAP-based sessions increases exposure to this vulnerability. |
STIG | Date |
---|---|
Active Directory Service 2008 Security Technical Implementation Guide (STIG) | 2011-05-23 |
Check Text ( C-14088r2_chk ) |
---|
1. Use either the ntdsutil.exe or the dsquery.exe utility to display the value for MaxConnIdleTime in the lDAPAdminLimits attribute. (See instructions in Supplementary Notes.) 2. If the value for MaxConnIdleTime is greater than 300 (the value for five minutes) or it is not specified, then this is a finding. Supplemental Notes: To use the “ntdsutil.exe” utility to display MaxConnIdleTime: 1. At a command line prompt enter ntdsutil 2. At the “ntdsutil:” prompt, enter LDAP policies 3. At the “ldap policy:” prompt, enter connections 4. At the “server connections:” prompt, enter connect to server [host-name] (Where [host-name] is the computer name of the domain controller.) 5. At the “server connections:” prompt, enter q 6. At the “ldap policy:” prompt, enter show values 7. Enter q at the “ldap policy:” and “ntdsutil:” prompts to exit. To use the “dsquery.exe” utility to display MaxConnIdleTime: 1. At a command line prompt enter (on a single line): dsquery * “cn=Default Query Policy,cn=Query-Policies,cn=Directory Service, cn=Windows NT,cn=Services,cn=Configuration,dc=[forest-name]" attr lDAPAdminLimits (Where the quotes are required and dc=[forest-name] is the fully qualified LDAP name of the domain being reviewed.) |
Fix Text (F-15003r2_fix) |
---|
Configure the directory service to terminate LDAP-based network connections to the directory server after five (5) minutes of inactivity. |