Anonymous Enumeration: a serious threat to Active Directory

From: Eric Anderson (ikillspammers_at_radioufs.cheetah.com)
Date: 11/08/03

    Date: Sat, 8 Nov 2003 22:58:27 +0100


    Hello

    I'm trying to test Windows 2003 security. I've set up an Active Directory
    and subjected it to non-firewalled access from the internet to see how it
    would survive.
    Some policies I set up:

          Network access: Allow anonymous SID/Name translation = Disabled
          Network access: Do not allow anonymous enumeration of SAM accounts = Enabled
          Network access: Do not allow anonymous enumeration of SAM accounts and shares = Enabled
          Network access: Let Everyone permissions apply to anonymous users = Disabled
          Network access: Restrict anonymous access to Named Pipes and Shares = Enabled

    BUT: to my shocking revelation I found out it could enumerate data from my
    Active Directory despite this.

    MY QUESTION: How can I protect my Active Directory from Anonymous
    Enumeration?

    The log entry is included:

    Event Type: Success Audit
    Event Source: Security
    Event Category: Directory Service Access
    Event ID: 565
    Date: 2003-11-08
    Time: 21:00:08
    User: NT AUTHORITY\ANONYMOUS LOGON
    Computer: <My Computer>
    Description:
    Object Open:
      Object Server: Security Account Manager
      Object Type: SAM_SERVER
      Object Name: CN=Server,CN=System,DC=<Mydomain>,DC=<MyD>,DC=<TLD>
      Handle ID: 51442368
      Operation ID: {0,1796199}
      Process ID: 572
      Process Name: C:\WINDOWS\system32\lsass.exe
      Primary User Name: SALLY$
      Primary Domain: <My Domain>
      Primary Logon ID: (0x0,0x3E7)
      Client User Name: ANONYMOUS LOGON
      Client Domain: NT AUTHORITY
      Client Logon ID: (0x0,0x1B6671)
      Accesses: READ_CONTROL
       InitializeServer
       EnumerateDomains
       Undefined Access (no effect) Bit 7

      Privileges: -

      Properties:

    ---
     samServer
      Access Mask: 0
    Regards
    Eric
    (Remove the fast cat to mail me!)
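The audit record above is the kind of evidence a defender wants to alert on: an Event ID 565 "Object Open" on the SAM server by NT AUTHORITY\ANONYMOUS LOGON carrying the EnumerateDomains right. The following is an added example, not code from Eric's post or from Microsoft: it parses the text layout of such a Directory Service Access audit record and flags anonymous SAM enumeration, so a batch of exported records can be scanned. The sample record is constructed to mirror the quoted one; the computer name DC01 and the DC=example,DC=test naming context are placeholders, and the benign second record (an authenticated administrator opening the same object) is constructed to show that it is not flagged.

```python
"""Flag Event ID 565 SAM_SERVER opens performed by ANONYMOUS LOGON.

Added example for the post above; not the poster's or Microsoft's code.
"""
import re
from dataclasses import dataclass, field

# Constructed record mirroring the post's audit entry (host/domain are placeholders).
SAMPLE_EVENT = """\
Event Type: Success Audit
Event Source: Security
Event Category: Directory Service Access
Event ID: 565
Date: 2003-11-08
Time: 21:00:08
User: NT AUTHORITY\\ANONYMOUS LOGON
Computer: DC01
Description:
Object Open:
  Object Server: Security Account Manager
  Object Type: SAM_SERVER
  Object Name: CN=Server,CN=System,DC=example,DC=test
  Handle ID: 51442368
  Process Name: C:\\WINDOWS\\system32\\lsass.exe
  Client User Name: ANONYMOUS LOGON
  Client Domain: NT AUTHORITY
  Accesses: READ_CONTROL
   InitializeServer
   EnumerateDomains
   Undefined Access (no effect) Bit 7

  Privileges: -
"""

# Constructed benign record: same object, but opened by an authenticated admin.
BENIGN_EVENT = (
    SAMPLE_EVENT
    .replace("User: NT AUTHORITY\\ANONYMOUS LOGON", "User: EXAMPLE\\Administrator")
    .replace("Client User Name: ANONYMOUS LOGON", "Client User Name: Administrator")
    .replace("Client Domain: NT AUTHORITY", "Client Domain: EXAMPLE")
)

# SAM server access rights that let a client enumerate the directory.
ENUMERATION_ACCESSES = {"EnumerateDomains", "LookupDomain"}
ANONYMOUS_CLIENTS = {"ANONYMOUS LOGON"}

# Matches "Key Name: value" lines; the lazy key stops at the first colon.
_KEY_VALUE = re.compile(r"^([A-Za-z][A-Za-z ]*?):\s*(.*)$")


@dataclass
class SamAuditEvent:
    fields: dict = field(default_factory=dict)
    accesses: list = field(default_factory=list)

    def get(self, key, default=""):
        return self.fields.get(key, default)


def parse_event(text):
    """Parse one audit record; 'Accesses:' continuation lines are collected."""
    ev = SamAuditEvent()
    in_accesses = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_accesses = False          # a blank line ends the access list
            continue
        m = _KEY_VALUE.match(line)
        if in_accesses and not m:
            ev.accesses.append(line)     # bare right name, e.g. EnumerateDomains
            continue
        if not m:
            continue                     # stray text, e.g. the '---' separator
        key, value = m.group(1), m.group(2)
        if key == "Accesses":
            in_accesses = True
            if value:
                ev.accesses.append(value)
        else:
            in_accesses = False
            ev.fields[key] = value
    return ev


def is_anonymous_sam_enumeration(ev):
    """True when an anonymous client opened SAM_SERVER with an enumeration right."""
    client = ev.get("Client User Name").upper()
    return (
        ev.get("Event ID") == "565"
        and ev.get("Object Type") == "SAM_SERVER"
        and client in ANONYMOUS_CLIENTS
        and bool(ENUMERATION_ACCESSES.intersection(ev.accesses))
    )


def scan(events_text):
    """Split an exported log on record boundaries and return the flagged events."""
    records = re.split(r"(?m)^(?=Event Type:)", events_text)
    return [
        ev for ev in (parse_event(r) for r in records if r.strip())
        if is_anonymous_sam_enumeration(ev)
    ]


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENT + "\n" + BENIGN_EVENT):
        print("anonymous SAM enumeration on", hit.get("Computer"),
              "rights:", ", ".join(hit.accesses))
```

The check keys on the client identity, not on the primary user: in the quoted record the primary user is the machine account (SALLY$) because lsass.exe performs the open on the caller's behalf, so a rule matching only "Primary User Name" would miss it.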
    
