Solved

Disable NULL BASE queries on LDAP server

Posted on 2009-04-02
5,852 Views
Last Modified: 2013-12-04
Hello

A recent network scan has identified this potential vulnerability. I realise that it may not be an actual vulnerability (which would depend on access lists), but the fact is that this is an e-commerce server and we are required to get a "clean" network scan so this "problem" must be fixed.

The machine is standalone SBS 2003 SP2 running IIS 6 without SQL server or exchange. Basically it is just a webserver.

This problem did not exist on our last scan 3 months ago and there have been no configuration changes that I am aware of. Also, I have checked this:
http://support.microsoft.com/kb/837964
In particular, the RestrictAnonymous registry setting is already set to 2 here:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA

I have also verified that the dsHeuristics attribute is not defined on the DN path as follows:
CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,Root domain in forest

Any help or advice would be much appreciated.

Thanks
LR
Question by: longrob604

7 Comments
Expert Comment by: matt_beatt (LVL 6)
ID: 24055868
I don't think you want to be doing that, I'm afraid! I take it this server is running as a DC and web server - correct?

My understanding of LDAP in an AD environment is that the RootDSE query is anonymous and is a requirement for clients to be able to obtain certain vital information about the LDAP directory. The RootDSE query is where Base="", i.e. a Null Base Search. If you don't have this, AD won't work and therefore neither will anything you have reliant on AD!

Author Comment by: longrob604
ID: 24056046
Hi Matt

Thanks for your message. There are no clients, since this is a standalone webserver. We never had this problem with null base queries before, and as mentioned, according to the KB we have it disabled already! Yet the network scan shows otherwise. We had a separate network scan from another company just to make sure, and that also gave the same result. Also, this is a *requirement* for any server that needs to be PCI compliant, and that would basically be any e-commerce server, so this must be a very common problem, but the only solutions I can find to it do not apply to our situation.

Thanks again
LR

Expert Comment by: matt_beatt (LVL 6)
ID: 24057318
I think the key thing to note is that it doesn't completely disable null base queries, it only minimizes the information that it provides. Run LDP from a laptop or other non-domain machine and connect to your server and you'll see that you still get domain information. Perhaps look through that and find out specifically what the network scan is complaining about, whether it's a specific piece of information or just the fact that a null connect is giving out information at all.

Author Comment by: longrob604
ID: 24057406
Hi Matt

Thanks again. This is specifically what the network scan is complaining about; they don't give any more information:

Remedial action: Disable NULL BASE queries on your LDAP server. This issue is only
applicable on internet-facing hosts.
******************************
LDAP Null Base
Improperly configured LDAP servers will allow the directory BASE to
be set to NULL. This allows information to be culled without any prior
knowledge of the directory structure. Coupled with a NULL BIND, an
anonymous user can query your LDAP server using a tool such as
'LdapMiner'. If this is an internal scan, and the system is a Windows
Active Directory server, this is normal behavior and there is nothing to
do.
************************
and
***********************
LDAP Bind Overflow
Improperly configured LDAP servers will allow any user to connect to
the server and query for information.
Remedial action: Disable NULL BIND on your LDAP server
***********************

BTW, It is not an internal scan - they have done this scan from the internet.

Thanks in advance
LR

Accepted Solution by: matt_beatt (LVL 6, earned 500 total points)
ID: 24057428
Why do you need to have access to this server from the internet on port 389/tcp? If you locked your firewall down so that access via the internet was not available, then you wouldn't get this error.
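As an added illustration (not part of the thread), the following Python script performs the same anonymous null-base RootDSE search that the scanner and the LDP test above rely on, over a raw socket, and reports which attributes the server discloses; run from outside the firewall once port 389/tcp is blocked, an empty result or a refused connection confirms the fix. The host name, port default and the constructed sample reply are assumptions; the protocol tags are those of LDAPv3 (RFC 4511).

```python
import socket, contextlib

def tlv(tag, body):                  # BER TLV with definite length, the only form LDAP uses
    n = len(body)
    lb = b"" if n < 128 else n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, n if n < 128 else 0x80 | len(lb)]) + lb + body

def rootdse_search_request(msg_id=1, attrs=()):
    """SearchRequest with baseObject "" (the null base), scope baseObject, filter (objectClass=*)."""
    body = (tlv(0x04, b"") + tlv(0x0A, b"\x00") + tlv(0x0A, b"\x00")      # base "", scope, derefAliases
            + tlv(0x02, b"\x00") * 2 + tlv(0x01, b"\x00")                   # sizeLimit, timeLimit, typesOnly
            + tlv(0x87, b"objectClass")                                     # present filter (objectClass=*)
            + tlv(0x30, b"".join(tlv(0x04, a.encode()) for a in attrs)))   # attributes; () = all user attrs
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + tlv(0x63, body))         # msg_id 1..127; 0x63 = [APPLICATION 3]

def ber_children(buf):               # split a BER SEQUENCE/SET body into [(tag, body), ...]
    out, pos = [], 0
    while pos < len(buf):
        tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
        if ln & 0x80:                # long form: low 7 bits give the number of length bytes
            ln, pos = int.from_bytes(buf[pos:pos + (ln & 0x7F)], "big"), pos + (ln & 0x7F)
        out.append((tag, buf[pos:pos + ln]))
        pos += ln
    return out

def parse_search_entries(data):      # {attribute: [values]} from every SearchResultEntry in data
    found = {}
    for _, msg in ber_children(data):                              # one LDAPMessage at a time
        op_tag, op = ber_children(msg)[1]                          # [0] is the messageID
        if op_tag == 0x64:                                         # 0x64 = [APPLICATION 4] SearchResultEntry
            for _, attr in ber_children(ber_children(op)[1][1]):   # [0] is objectName, "" for RootDSE
                (_, name), (_, vals) = ber_children(attr)
                found[name.decode()] = [v.decode("utf-8", "replace") for _, v in ber_children(vals)]
    return found

def constructed_rootdse_reply():     # constructed sample (not a capture) of an AD-style answer
    attr = lambda n, *v: tlv(0x30, tlv(0x04, n) + tlv(0x31, b"".join(tlv(0x04, x) for x in v)))
    attrs = attr(b"defaultNamingContext", b"DC=example,DC=local") + attr(b"supportedLDAPVersion", b"3", b"2")
    entry = tlv(0x64, tlv(0x04, b"") + tlv(0x30, attrs))
    done = tlv(0x65, tlv(0x0A, b"\x00") + tlv(0x04, b"") + tlv(0x04, b""))   # resultCode 0 = success
    return tlv(0x30, tlv(0x02, b"\x01") + entry) + tlv(0x30, tlv(0x02, b"\x01") + done)

def check_null_base(host, port=389, timeout=5):
    """Anonymous (no bind) RootDSE search; {} or a refused connection from outside the firewall = finding closed."""
    data = b""
    with socket.create_connection((host, port), timeout) as s, contextlib.suppress(socket.timeout):
        s.sendall(rootdse_search_request())
        while chunk := s.recv(65536):           # the server keeps the session open after SearchResultDone,
            data += chunk                       # so the read ends by timeout rather than by EOF
    return parse_search_entries(data)
```

Against a real directory the returned dictionary will be much larger (supportedControl, namingContexts, dnsHostName and so on), which is exactly the disclosure the scanner flags.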

Author Comment by: longrob604
ID: 24057636
Hi again Matt. That may be a great solution. I will investigate!