Re: AD Security ?

From: "Joe Richards [MVP]" <humorexpress@hotmail.com>
Date: Sun, 27 Oct 2002 11:15:39 -0500


LDAP NULL base is called RootDSE. It is purposely open to anonymous access
so machines can get a starting point to figure things out so they can
function properly. I am not aware of any method to lock this down in Active
Directory nor would I really recommend it even if I did know of a way. A LOT
of programs use ROOTDSE in an anonymous manner.

If your other naming contexts were wide open to anonymous access I would be
a little concerned but very little info can be ascertained from the rest of
the directory this way.

Possibly I would ask the scanners what specific exploits they are aware of
that this could be a problem for. A lot of those scanner folks think that
any info gained is automatically bad regardless of anything else. This may
be the case for top secret government systems or systems sitting on the
internet but for most folks it really isn't an issue. If it is an issue the
companies that are worried will generally sacrifice massive amounts of
usability for security.

If you would like to see what they can gain through looking at the null base
or actually any part of your AD, go to www.joeware.net and on the free win32
tools there is a tool called adfind, grab it and run the following command
against your server:

adfind -h <servername or ip address> -simple -b "" -s base

For example:

[Sun 10/27/2002 10:39:19.42]
G:\Dev\cpp\SidToName>adfind -h w2kasdc1 -simple -b "" -s base

AdFind V01.08.00cpp Joe Richards (joe@joeware.net) September 2002

Using server: w2kasdc1.joehome.com

dn:
>currentTime: 20021027161225.0Z
>subschemaSubentry:
CN=Aggregate,CN=Schema,CN=Configuration,DC=joehome,DC=com
>dsServiceName: CN=NTDS
Settings,CN=W2KASDC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Confi
guration,DC=joehome,DC=com
>namingContexts: CN=Schema,CN=Configuration,DC=joehome,DC=com
>namingContexts: CN=Configuration,DC=joehome,DC=com
>namingContexts: DC=joehome,DC=com
>defaultNamingContext: DC=joehome,DC=com
>schemaNamingContext: CN=Schema,CN=Configuration,DC=joehome,DC=com
>configurationNamingContext: CN=Configuration,DC=joehome,DC=com
>rootDomainNamingContext: DC=joehome,DC=com
>supportedControl: 1.2.840.113556.1.4.319
>supportedControl: 1.2.840.113556.1.4.801
<SNIP>

If you see anything in there that you are worried about people getting to
that can reach that host with an LDAP query (i.e. a machine on the intranet
should not be visible to a machine on the internet with LDAP so that would
be a moot issue) then you need to worry about locking down and you would do
so with firewalls, VPNs, or other network protection schemes.

  joe

--
Joe Richards
www.joeware.net
---
"klounsbury" <klounsbury22@nospam.hotmail.com> wrote in message
news:MPG.181e4c0e33fb7b44989686@msnews.microsoft.com...
> [This followup was posted to microsoft.public.win2000.security and
> a copy was sent to the cited author.]
>
> I'm looking for information on tightening security on the active
> directory.  I've found all kinds of server/workstation/iis security
> checklists on the MS security site, but only advertising hoopla when it
> comes to active directory.
>
> For example, a recent vulnerability scan reported the following hole in
> my test domain:
>
> LDAP NULL Base Returns Information:  If LDAP allows a NULL base in
> an LDAP search, a user can submit a search that returns information on
> naming contexts and supported controls.
>   -  Remedy: Set up an ACL to prevent users from dumping the base
> of the tree or issuing a request without knowing the base object.
>
>
> How can I go about implementing this "remedy"?
>
> TIA for any thoughts.
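The adfind output above is what the RootDSE read with an empty base and base scope returns. The Python below is an added example, not part of this thread and not adfind's own code: it parses a copy of that dump (constructed from the post, with the news client's line folding kept as it appears there) back into attribute lists and then pulls out what an anonymous RootDSE read actually discloses, which is the DC's name and site from dsServiceName, the forest root, the domain naming contexts and the supported control OIDs. The 76-column wrap width and the rule for rejoining folded values are assumptions about how the post was wrapped, not a property of adfind; the DN splitting is also simplified and assumes no escaped commas, which holds for these values.

```python
"""Parse an adfind-style RootDSE dump and summarize what it discloses."""

WRAP = 76  # assumed: width at which the news client folded the post's lines

# Constructed sample: the adfind output from the post, folded exactly as
# it appears there, with the attribute list trimmed at the post's <SNIP>.
SAMPLE = """\
Using server: w2kasdc1.joehome.com

dn:
>currentTime: 20021027161225.0Z
>subschemaSubentry:
CN=Aggregate,CN=Schema,CN=Configuration,DC=joehome,DC=com
>dsServiceName: CN=NTDS
Settings,CN=W2KASDC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Confi
guration,DC=joehome,DC=com
>namingContexts: CN=Schema,CN=Configuration,DC=joehome,DC=com
>namingContexts: CN=Configuration,DC=joehome,DC=com
>namingContexts: DC=joehome,DC=com
>defaultNamingContext: DC=joehome,DC=com
>schemaNamingContext: CN=Schema,CN=Configuration,DC=joehome,DC=com
>configurationNamingContext: CN=Configuration,DC=joehome,DC=com
>rootDomainNamingContext: DC=joehome,DC=com
>supportedControl: 1.2.840.113556.1.4.319
>supportedControl: 1.2.840.113556.1.4.801
"""


def parse_adfind(text, wrap=WRAP):
    """Return {attribute: [values]} for the entry in an adfind dump.

    adfind prints one attribute per line as '>name: value'.  In the post the
    lines were re-folded by the news client, so a value may continue on the
    following physical lines.  Heuristic (an assumption about the folding):
    a continuation is rejoined with a space when the previous line was short
    (the client broke at a space) and without one when the previous line was
    full (the client split a single token such as CN=Confi/guration).
    """
    attrs = {}
    name = None      # attribute currently being continued, if any
    prev_len = 0     # length of the previous physical line
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.startswith(">"):
            name, _, value = line[1:].partition(":")
            attrs.setdefault(name, []).append(value.strip())
        elif name is not None and line and not line.startswith("dn:"):
            sep = "" if prev_len >= wrap - 1 else " "
            attrs[name][-1] = (attrs[name][-1] + sep + line).strip()
        else:
            name = None  # blank line, 'dn:' or header ends any continuation
        prev_len = len(line)
    return attrs


def summarize(attrs):
    """Pick out the facts an anonymous RootDSE read hands to the caller."""
    ds = attrs.get("dsServiceName", [""])[0]
    # dsServiceName is CN=NTDS Settings,CN=<DC>,CN=Servers,CN=<site>,CN=Sites,...
    rdns = [part.partition("=") for part in ds.split(",")]
    dc = rdns[1][2] if len(rdns) > 3 else None
    site = rdns[3][2] if len(rdns) > 3 else None
    return {
        "dc": dc,
        "site": site,
        "forest_root": attrs.get("rootDomainNamingContext", [None])[0],
        # domain naming contexts are the ones that are plain DC= paths
        "domains": [nc for nc in attrs.get("namingContexts", [])
                    if not nc.startswith("CN=")],
        "controls": attrs.get("supportedControl", []),
    }


if __name__ == "__main__":
    parsed = parse_adfind(SAMPLE)
    for key, value in summarize(parsed).items():
        print(f"{key}: {value}")
```

Run against a real dump captured from your own DC, the summary is the list of things anyone who can reach port 389 on that host learns before authenticating; as the reply says, that is topology (DC and site names, domain and forest names) and the feature set of the server, not directory contents, and the place to control who can reach it is the network boundary.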
