Solved

Setup ACL for LDAP Null Base on Windows 2000

Posted on 2002-07-25
Last Modified: 2013-12-19
I ran ISS on one of my servers and got the following:

LDAP NullBase: LDAP null base returns information
If LDAP allows NULL base in an LDAP search, a user can submit a search that returns information on namingContexts and supported controls.  An attacker could use this information to access directory listings and plan further attacks.

Remedy:  Set up an access list control to prevent users from dumping the base of the tree or issuing a request without knowing the base object.

My question is where and how do I do this and will it adversely affect my clients (they are 98 & 2000).

Thanks.

Please also see my question regarding inverse queries on 2k dns.
Question by:robinsonbpc
2 Comments
 

Accepted Solution

by:
geoffryn earned 200 total points
ID: 7177420
This vulnerability exists if your AD is in Mixed mode. Downlevel clients (Win 9x, NT 4.0) need to be able to make AD/LDAP queries as null/anonymous.
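
On the wire, the search the ISS finding describes is a SearchRequest with an empty baseObject and base scope, which reads the rootDSE (where namingContexts and the supported controls are published). The Python sketch below is an added example, not part of the original thread: it decodes captured LDAP request bytes and flags such searches. Its function names and sample messages are constructed for illustration.

```python
# Added example: flag null-base LDAP searches in captured request bytes (BER).
SCOPES = {0: "baseObject", 1: "singleLevel", 2: "wholeSubtree"}

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for one BER element (definite lengths only)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = count of length octets
        n = length & 0x7F
        if n == 0:
            raise ValueError("indefinite length not supported")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length

def classify_search(message):
    """Parse one LDAPMessage; return None unless it carries a SearchRequest."""
    tag, body, _ = read_tlv(message, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    _, msg_id, pos = read_tlv(body, 0)      # messageID (INTEGER)
    op_tag, op, _ = read_tlv(body, pos)
    if op_tag != 0x63:                      # [APPLICATION 3] = SearchRequest
        return None
    _, base, pos = read_tlv(op, 0)          # baseObject (LDAPDN)
    _, scope, _ = read_tlv(op, pos)         # scope (ENUMERATED)
    scope_name = SCOPES.get(int.from_bytes(scope, "big"), "unknown")
    return {"message_id": int.from_bytes(msg_id, "big"),
            "base": base.decode("utf-8", "replace"), "scope": scope_name,
            "null_base": base == b"",
            "rootdse_read": base == b"" and scope_name == "baseObject"}

def tlv(tag, value=b""):
    """Encode one BER element (short-form length; enough for the constructed samples)."""
    return bytes([tag, len(value)]) + value

def sample_search(base, scope, msg_id=1):
    """Constructed SearchRequest: filter (objectClass=*), empty attribute list."""
    op = (tlv(0x04, base) + tlv(0x0A, bytes([scope])) + tlv(0x0A, b"\x00")
          + tlv(0x02, b"\x00") + tlv(0x02, b"\x00") + tlv(0x01, b"\x00")
          + tlv(0x87, b"objectClass") + tlv(0x30))
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + tlv(0x63, op))

if __name__ == "__main__":
    for msg in (sample_search(b"", 0), sample_search(b"dc=example,dc=com", 2, 2)):
        print(classify_search(msg))
```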

Author Comment

by:robinsonbpc
ID: 7193612
Thank you for your help.