The remote LDAP server allows anonymous access

Posted on 2009-12-16
Last Modified: 2013-12-24
We got the security vulnerability "The remote LDAP server allows anonymous access" in our last PCI scan on all of our domain controllers, please help us to close this. We have all domain controllers running on Windows Server 2003 Standard Edition with SP2.
Question by:pdixit1977

    Expert Comment

    Check if NULL BIND on your LDAP server is disabled:
    1. Launch ADSI Edit (part of the Support Tools) and navigate to CN=Directory Service,CN=Windows NT,CN=Services
    2. Right-click the "CN=Directory Service" container, choose "Properties" from the context menu and scroll down to the dsHeuristics attribute
    3. If the attribute is not set (has no value), fill in "0000002" in the value field. The last (seventh) character is the one that controls the way you can bind to the LDAP service. "0" or no seventh character means that anonymous LDAP operations are disabled. Setting the seventh character to "2" permits anonymous operations (you are still subject to the Access Control Lists of the objects in AD)
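    Added example, not code from the original thread or from either expert: a PowerShell script that reads the same dsHeuristics attribute the steps above locate in ADSI Edit and reports what its seventh character means, without changing anything. It assumes a domain-joined host whose current user can read the Configuration partition; $Server is a placeholder DC name.

```powershell
# Added example, not code from the original thread: read dsHeuristics from the
# Configuration partition and report what its seventh character means.
# Assumes a domain-joined host whose current user can read the Configuration
# partition. $Server is a placeholder; replace it with one of your DCs.
param(
    [string]$Server = "DC01.example.local"   # placeholder DC name
)

# RootDSE gives the DN of the Configuration naming context for this forest
$rootDse  = [ADSI]"LDAP://$Server/RootDSE"
$configNc = $rootDse.Properties["configurationNamingContext"].Value

# Same container the answer above navigates to in ADSI Edit
$dsService  = [ADSI]"LDAP://$Server/CN=Directory Service,CN=Windows NT,CN=Services,$configNc"
$heuristics = [string]$dsService.Properties["dsHeuristics"].Value   # "" when the attribute is unset

function Get-AnonymousLdapState {
    param([string]$Value)
    # No value, or fewer than seven characters: the seventh character is absent,
    # so anonymous operations other than RootDSE reads are disabled (the default)
    if ($Value.Length -lt 7) { return "disabled (seventh character absent)" }
    switch ($Value[6]) {
        '0'     { return "disabled (seventh character '0')" }
        '2'     { return "PERMITTED (seventh character '2'; object ACLs still apply)" }
        default { return "unrecognised seventh character '$($Value[6])'; check the dsHeuristics documentation" }
    }
}

Write-Output ("dsHeuristics on {0}: '{1}'" -f $Server, $heuristics)
Write-Output ("Anonymous LDAP operations: " + (Get-AnonymousLdapState -Value $heuristics))
```

    dsHeuristics is forest-wide (it lives in the Configuration partition), so one read against any DC describes every DC; run it against several only if you want to confirm replication has converged.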


    Author Comment

    Thanks dude, does this change have any drawbacks or prerequisites?

    Accepted Solution

    You should take into consideration that if this is an AD domain controller then you could break your Active Directory in a very real way. AD requires anonymous binds (also referred to as RootDSE queries) to allow authenticating clients to negotiate things like LDAP protocol version to use, authentication type, default partition etc.
    Your DCs need to be secured in other ways, obviously, using firewalls and IPSec and physical security, but turning off null base queries isn't something you want to do.
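    Added example, not code from the original thread or from either expert: a PowerShell script showing the distinction the answer above draws. It opens a null (anonymous) bind to a DC with System.DirectoryServices.Protocols, reads RootDSE the way a client does before authenticating (which also lists the supportedLDAPVersion values the DC advertises), and then tries the same null bind against the domain partition, which is the operation the dsHeuristics seventh character governs. $Server is a placeholder DC name.

```powershell
# Added example, not code from the original thread: open an anonymous (null)
# bind to a DC, read RootDSE as an AD client does before authenticating, then
# try the same null bind against the domain partition to see whether the DC
# answers. $Server is a placeholder; replace it with one of your DCs.
param(
    [string]$Server = "DC01.example.local"   # placeholder DC name
)

Add-Type -AssemblyName System.DirectoryServices.Protocols

$ldapId = New-Object -TypeName System.DirectoryServices.Protocols.LdapDirectoryIdentifier -ArgumentList $Server, 389
$conn   = New-Object -TypeName System.DirectoryServices.Protocols.LdapConnection -ArgumentList $ldapId
$conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Anonymous
$conn.SessionOptions.ProtocolVersion = 3
$conn.Bind()    # null bind: no credentials are sent

$baseScope = [System.DirectoryServices.Protocols.SearchScope]::Base

try {
    # 1. RootDSE: empty base DN. AD answers this for a null bind regardless of
    #    dsHeuristics, because clients use it to discover the protocol version,
    #    SASL mechanisms and partitions before they authenticate.
    $rootReq = New-Object -TypeName System.DirectoryServices.Protocols.SearchRequest -ArgumentList `
        "", "(objectClass=*)", $baseScope, ([string[]]@("supportedLDAPVersion", "supportedSASLMechanisms", "defaultNamingContext"))
    $rootDse = $conn.SendRequest($rootReq).Entries[0]

    $versions = $rootDse.Attributes["supportedLDAPVersion"].GetValues([string])
    $sasl     = $rootDse.Attributes["supportedSASLMechanisms"].GetValues([string])
    $domainNc = $rootDse.Attributes["defaultNamingContext"].GetValues([string])[0]
    Write-Output ("supportedLDAPVersion   : {0}" -f ($versions -join ", "))
    Write-Output ("supportedSASLMechanisms: {0}" -f ($sasl -join ", "))
    Write-Output ("defaultNamingContext   : {0}" -f $domainNc)

    # 2. Domain partition: with the dsHeuristics seventh character absent or '0'
    #    the DC refuses this for a null bind; with '2' it returns entries
    #    subject to the objects' ACLs.
    $domReq = New-Object -TypeName System.DirectoryServices.Protocols.SearchRequest -ArgumentList `
        $domainNc, "(objectClass=domain)", $baseScope, ([string[]]@("name"))
    try {
        $domResp = $conn.SendRequest($domReq)
        Write-Output ("Null bind against the domain partition returned {0} entries: anonymous operations are enabled" -f $domResp.Entries.Count)
    }
    catch [System.DirectoryServices.Protocols.DirectoryOperationException] {
        Write-Output ("Null bind against the domain partition refused: {0}" -f $_.Exception.Message)
    }
}
finally {
    $conn.Dispose()
}
```

    The first request succeeding is expected and is what the scanner is reporting; the second request being refused is the state the answer above describes as the one you want to keep. If the second request returns entries, the dsHeuristics seventh character is the setting to review.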

    Author Comment

    OK, curious to know what an attacker/user can do at most if NULL BIND/anonymous binds are open/enabled.

    Author Comment

    Also need to know which LDAP version is being used in 2003.
    Thanks in advance for your support dude.

    Author Comment

    Hey expert,
    waiting for your reply.

    Expert Comment

    There is nothing in ANY of the PCI specifications that says anonymous access is not allowed.

    LDAP is often used anonymously, as are most other discovery protocols. Asking to disable anonymous access is no different than asking to disable anonymous access to DNS, SLP, NTP, ARP, DHCP, etc. In fact we have done LDAP servers that provided DNS and DHCP information.

    Way too often the auditors half read, usually from some subscription service, and have no clue what the vulnerability implies, and so to cover their butt they add it to their "scan".

    I would ask for further information as to the vulnerability and the risk that is implied.

    The effort should be in voiding the vulnerability not closing it.

    Author Closing Comment

    Very nice solution and technology information.
