Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-14797 | DS00.3131_2003 | SV-16172r2_rule | ECAN-1 ECCD-1 ECCD-2 | Low |
Description |
---|
Allowing anonymous access to the root DSE data on a directory server provides potential attackers with a number of details about the configuration and data contents of a directory. For example, the namingContexts attribute indicates the directory space contained in the directory; the supportedLDAPVersion attribute indicates which versions of the LDAP protocol the server supports; and the supportedSASLMechanisms attribute indicates the names of supported authentication mechanisms. An attacker with this information may be able to select more precisely targeted attack tools or higher value targets. |
STIG | Date |
---|---|
Windows 2003 Domain Controller Security Technical Implementation Guide | 2014-04-02 |
Check Text ( C-14089r2_chk ) |
---|
At this time, mark this check as a finding for all Windows domain controllers at sensitive or classified levels, because Microsoft's AD or AD DS does not provide a method to restrict anonymous access to the root DSE on domain controllers.

1. With the assistance of the application SA, execute an LDAP browser utility that allows an account to be specified to access the directory.
2. Some client technologies may use default credentials if none are specified. The correct method must be used to ensure anonymous access is actually invoked.
3. On Windows systems, the “ldp.exe” utility from the Windows Support Tools can be used. See the directions for “ldp.exe” below.
4. Using the LDAP browser and specifying anonymous access (through the technology or tool-specific method), search the directory for the root DSE by specifying a null search base and a search scope of “base”.
5. If the LDAP browser displays information from the root DSE under anonymous access, then this is a finding.

Supplemental Notes:
- To use the “ldp.exe” utility to attempt an anonymous query of the root DSE:
  - From the Connection menu item, select Connect.
  - On the Connect dialog, enter the Server name and the correct port (usually 389 or 636), and select OK.
  - From the Connection menu item, select Bind.
  - Clear the User, Password, and Domain fields and the Domain checkbox, then select OK.
  - Ensure that “ldap_simple_bind” and “Authenticated as dn:’Null’” are displayed.
  - From the Browse menu item, select Search.
  - On the Search dialog, select Options.
  - On the Search Options dialog, clear the Attributes field and select OK.
  - On the Search dialog, clear the Base DN field; select the Base checkbox; set Filter to “(objectclass=*)”; and select Run.
  - Ensure that “Getting 1 entries:” is displayed.
  - If root DSE attributes (such as namingContexts) are displayed, anonymous access to the root DSE is enabled.
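The same anonymous root DSE query that steps 4 and 5 perform with ldp.exe, as an added scripted example that is not part of the STIG: it hand-encodes the LDAP v3 anonymous simple bind and the null-base, base-scope (objectclass=*) search, sends them over plain TCP (port 389, no TLS, assumed) to a domain controller whose host name the caller supplies, and returns the attribute names the server discloses, so a non-empty result means this check is a finding.

```python
import socket
def ber(tag: int, payload: bytes) -> bytes:  # BER TLV; short-form length suffices for these requests
    return bytes([tag, len(payload)]) + payload

def anonymous_bind_request(msg_id: int = 1) -> bytes:  # BindRequest: version 3, name "", simple ""
    bind = ber(0x60, ber(0x02, b"\x03") + ber(0x04, b"") + ber(0x80, b""))
    return ber(0x30, ber(0x02, bytes([msg_id])) + bind)  # LDAPMessage { messageID, protocolOp }

def root_dse_search_request(msg_id: int = 2) -> bytes:  # SearchRequest [APPLICATION 3]
    body = (ber(0x04, b"")                               # baseObject: null DN = root DSE
            + ber(0x0A, b"\x00") + ber(0x0A, b"\x00")    # scope baseObject; neverDerefAliases
            + ber(0x02, b"\x00") + ber(0x02, b"\x00")    # sizeLimit 0; timeLimit 0
            + ber(0x01, b"\x00")                         # typesOnly FALSE
            + ber(0x87, b"objectClass")                  # present filter [7]: (objectclass=*)
            + ber(0x30, b""))                            # attributes: empty = all user attrs
    return ber(0x30, ber(0x02, bytes([msg_id])) + ber(0x63, body))

def ber_items(data: bytes) -> list[tuple[int, bytes]]:  # top-level (tag, value) pairs
    items, i = [], 0
    while i + 1 < len(data):
        tag, n, i = data[i], data[i + 1], i + 2
        if n & 0x80:                                     # long-form length in next k bytes
            k = n & 0x7F
            n, i = int.from_bytes(data[i:i + k], "big"), i + k
        if i + n > len(data):                            # truncated element: wait for more data
            break
        items.append((tag, data[i:i + n]))
        i += n
    return items

def root_dse_attributes(response: bytes) -> list[str]:
    names = []                                           # attribute types disclosed by the server
    for _, msg in ber_items(response):                   # each LDAPMessage SEQUENCE
        for tag, op in ber_items(msg):                   # messageID, then protocolOp
            if tag == 0x64:                              # SearchResultEntry [APPLICATION 4]
                attrs = ber_items(op)[1][1]              # objectName, then attributes SEQUENCE
                for _, attr in ber_items(attrs):         # PartialAttribute { type, vals }
                    names.append(ber_items(attr)[0][1].decode("utf-8", "replace"))
    return names

def check_anonymous_root_dse(host: str, port: int = 389) -> list[str]:
    with socket.create_connection((host, port), timeout=5) as s:
        s.sendall(anonymous_bind_request())
        data = s.recv(4096)                              # BindResponse (AD accepts anonymous)
        s.sendall(root_dse_search_request())
        while not any(t == 0x65 for _, m in ber_items(data) for t, _ in ber_items(m)):
            chunk = s.recv(65536)                        # read until SearchResultDone (0x65)
            if not chunk:
                break
            data += chunk
    return root_dse_attributes(data)                     # non-empty list == this check is a finding
```

Calling `check_anonymous_root_dse("<dc-hostname>")` against a domain controller and seeing namingContexts or supportedLDAPVersion in the returned list corresponds to the ldp.exe result the last supplemental note describes.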
Fix Text (F-45044r1_fix) |
---|
Implement network protections to reduce the risk of anonymous access. Network hardware ports at the site are subject to 802.1x authentication or MAC address restrictions. Premises firewall or host restrictions prevent access to ports 389, 636, 3268, and 3269 from client hosts not explicitly identified by domain (.mil) or IP address. |