Anonymous access to the root DSE of a non-public directory must be disabled.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-14797	WN12-AD-000012-DC	SV-51186r1_rule	ECAN-1 ECCD-1 ECCD-2	Low

Description
Allowing anonymous access to the root DSE data on a directory server provides potential attackers with a number of details about the configuration and data contents of a directory. For example, the namingContexts attribute indicates the directory space contained in the directory; the supportedLDAPVersion attribute indicates which versions of the LDAP protocol the server supports; and the supportedSASLMechanisms attribute indicates the names of supported authentication mechanisms. An attacker with this information may be able to select more precisely targeted attack tools or higher value targets.

Description

Allowing anonymous access to the root DSE data on a directory server provides potential attackers with a number of details about the configuration and data contents of a directory. For example, the namingContexts attribute indicates the directory space contained in the directory; the supportedLDAPVersion attribute indicates which versions of the LDAP protocol the server supports; and the supportedSASLMechanisms attribute indicates the names of supported authentication mechanisms. An attacker with this information may be able to select more precisely targeted attack tools or higher value targets.

STIG	Date
Windows Server 2012 Domain Controller Security Technical Implementation Guide	2014-01-07

Details

Check Text ( C-46612r2_chk )
At this time, this is a finding for all Windows domain controllers for sensitive or classified levels as Windows Active Directory Domain Services (AD DS) does not provide a method to restrict anonymous access to the root DSE on domain controllers. The following can be used to verify anonymous access is allowed. Open a command prompt (not elevated). Run "ldp.exe". From the Connection menu, select Bind. Clear the User, Password, and Domain fields. Select Simple bind for the Bind type, Click OK. RootDSE attributes should display, such as various namingContexts. Confirmation of anonymous access will be displayed at the end: res = ldap_simple_bind_s Authenticated as: 'NT AUTHORITY\ANONYMOUS LOGON'

Check Text ( C-46612r2_chk )

At this time, this is a finding for all Windows domain controllers for sensitive or classified levels as Windows Active Directory Domain Services (AD DS) does not provide a method to restrict anonymous access to the root DSE on domain controllers.

The following can be used to verify anonymous access is allowed.

Open a command prompt (not elevated).
Run "ldp.exe".
From the Connection menu, select Bind.
Clear the User, Password, and Domain fields.
Select Simple bind for the Bind type, Click OK.

RootDSE attributes should display, such as various namingContexts.

Confirmation of anonymous access will be displayed at the end:
res = ldap_simple_bind_s
Authenticated as: 'NT AUTHORITY\ANONYMOUS LOGON'

Fix Text (F-44343r1_fix)
Implement network protections to reduce the risk of anonymous access. Network hardware ports at the site are subject to 802.1x authentication or MAC address restrictions. Premise firewall or host restrictions prevent access to ports 389, 636, 3268, and 3269 from client hosts not explicitly identified by domain (.mil) or IP address.