Mailing List Archive: Nessus: users

LDAP allows anonymous binds



PBender at bannerbank

Nov 13, 2007, 9:30 AM

Post #1 of 3 (456 views)
LDAP allows anonymous binds

Hi,
When Nessus was run against our two Domain Controllers, we received the following report:
Synopsis: It is possible to disclose LDAP information.

Description: Improperly configured LDAP servers will allow any user to connect to
the server and query it for information.

Solution: Disable NULL BIND on your LDAP server

Risk Factor : Medium / CVSS Base Score : 5.0
(CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
CVE : CVE-1999-0385
BID : 503
Now when we look for a method to disable the null bind on our LDAP server, we are directed to a Microsoft update for MS Exchange 5.5. Since we do use Exchange 5.5, I don't think it is this problem.
Can someone let me know where I can go to find a method(s) to disable the null bind on my Windows 2003 LDAP server(s)?
Thank you


P. J.


theall at tenablesecurity

Nov 13, 2007, 6:52 PM

Post #2 of 3 (436 views)
Re: LDAP allows anonymous binds [In reply to]

On 11/13/07 12:30, PJ Bender wrote:

> When Nessus was run against our two Domain Controllers, we received
> the following report:
>
> *Synopsis*: It is possible to disclose LDAP information.
...
> *Solution*: Disable NULL BIND on your LDAP server
...
> I don’t think it is this problem.

FWIW, the plugin actually tries to query a server without authenticating
(ie, a "NULL BIND") and checks for a response. So it might be useful to
capture packets to/from the affected LDAP services and see what is being
returned.

> Can someone let me know where I can go to find a method(s) to disable
> the null bind on my Windows 2003 LDAP server(s)?

Have you searched Microsoft's site? For example: check out the
discussion of "dsHeuristics" in:

http://support.microsoft.com/kb/326690/

George
--
theall [at] tenablesecurity
_______________________________________________
Nessus mailing list
Nessus [at] list
http://mail.nessus.org/mailman/listinfo/nessus


Mike.Vasquez at cityofmesa

Nov 14, 2007, 7:35 AM

Post #3 of 3 (433 views)
Re: LDAP allows anonymous binds [In reply to]

I did some research on the issue and the information for me was
inconclusive --

I found this post:
http://www.derkeiler.com/Newsgroups/microsoft.public.win2000.security/2005-10/0239.html

Date: Wed, 19 Oct 2005 12:07:35 -0400

You can't disable anonymous/NULL bind. LDAP V3 requires it for the rootdse.
However, a null bind doesn't necessarily give you access to domain or config
data. In fact, if you are running Windows Server 2003 AD you have to
specifically enable anonymous access on the ACLs to retrieve data.

Here's a kb article about anonymous ldap operations:
http://support.microsoft.com/kb/326690
Anonymous LDAP operations to Active Directory are disabled on Windows
Server 2003 domain controllers

SUMMARY
By default, anonymous Lightweight Directory Access Protocol (LDAP)
operations to Active Directory, other than rootDSE searches and binds, are
not permitted in Microsoft Windows Server 2003.

There's another nice article here:
http://www.petri.co.il/anonymous_ldap_operations_in_windows_2003_ad.htm

Based on that information, I'm not convinced it's a great concern on
Win2k3. I would be interested in the impact of disabling it, per the
information provided. I'm a bit concerned about the possible fallout from
a change.

Thanks,

Mike