The remote LDAP server allows anonymous access

Hi,
We got the security vulnerability "The remote LDAP server allows anonymous access" in the last PCI scan on all of our domain controllers; please help us to close this. We have all domain controllers running on Windows Server 2003 Standard Edition with SP2.
Asked by pdixit1977
1 Solution

Meir Rivkin (Full stack Software Engineer) commented:
Check if NULL BIND on your LDAP server is disabled:
1. Launch ADSI Edit (part of the Support Tools) and navigate to CN=Directory Service,CN=Windows NT,CN=Services.
2. Right-click the "CN=Directory Service" container, choose "Properties" from the context menu and scroll down to the dsHeuristics attribute.
3. If the attribute is not set (has no value), fill in "0000002" in the value field. The last (seventh) character is the one that controls the way you can bind to the LDAP service. "0" or no seventh character means that anonymous LDAP operations are disabled. Setting the seventh character to "2" permits anonymous operations (you are still subject to the Access Control Lists of the objects in AD).


pdixit1977 (Author) commented:
Thanks dude, does this change have any drawbacks or prerequisites?

Meir Rivkin (Full stack Software Engineer) commented:
You should take into consideration that if this is an AD domain controller then you could break your Active Directory in a very real way. AD requires anonymous binds (also referred to as RootDSE queries) to allow authenticating clients to negotiate things like the LDAP protocol version to use, authentication type, default partition, etc.
Your DCs need to be secured in other ways, obviously, using firewalls, IPsec and physical security, but turning off null base queries isn't something you want to do.
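Added example (not posted by anyone in this thread): a small Python helper that interprets the seventh dsHeuristics character described in the accepted answer and edits only that character, so a defender can check or change the anonymous-operations switch without clobbering the attribute's other flags. It works on the string value read with ADSI Edit and never contacts a domain controller; the function names are hypothetical, and the input values are constructed.

```python
"""Read and edit the fLDAPBlockAnonOps switch (7th character) of dsHeuristics.

Hypothetical helper written for this thread; it does not contact a DC.  Feed it
the value read from CN=Directory Service,CN=Windows NT,CN=Services and it
reports what that value means and edits that one character only.
"""
from typing import Optional

ANON_OPS_POS = 7  # 1-based index of the character governing anonymous LDAP operations


def validate_ds_heuristics(value: str) -> None:
    """MS-ADTS fixes every 10th character of dsHeuristics as a marker: the 10th
    must be '1', the 20th '2', up to the 90th.  Refuse to emit a value that
    breaks the rule rather than write it to the directory."""
    for pos in range(10, min(len(value), 90) + 1, 10):
        if value[pos - 1] != str(pos // 10):
            raise ValueError(f"position {pos} must be '{pos // 10}', got '{value[pos - 1]}'")


def anonymous_ops_enabled(value: Optional[str]) -> bool:
    """True only when the 7th character is '2'.  Unset, short, or any other
    digit means anonymous clients get only the RootDSE reads and binds that
    Active Directory always permits (the 'null base queries' of the second reply)."""
    if not value or len(value) < ANON_OPS_POS:
        return False
    return value[ANON_OPS_POS - 1] == "2"


def with_anonymous_ops(value: Optional[str], enabled: bool) -> str:
    """Copy of dsHeuristics with only the 7th character changed: '2' permits
    anonymous operations, '0' blocks them.  Other switches (e.g. '1' in position
    3 for DoListObject) stay put; short values are zero-padded to seven."""
    chars = list(value or "")
    while len(chars) < ANON_OPS_POS:
        chars.append("0")
    chars[ANON_OPS_POS - 1] = "2" if enabled else "0"
    result = "".join(chars)
    validate_ds_heuristics(result)
    return result


if __name__ == "__main__":
    current = None  # constructed input: attribute not set, as in step 3 of the answer
    print(anonymous_ops_enabled(current))        # False: anonymous ops already blocked
    print(with_anonymous_ops(current, True))     # 0000002, the value the answer quotes
    print(with_anonymous_ops("0010002", False))  # 0010000, DoListObject switch preserved
```

Note that an unset attribute already reports anonymous operations as blocked, which is why a scanner flagging the RootDSE bind alone says nothing about this switch.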
pdixit1977 (Author) commented:
OK, curious to know the maximum an attacker/user can do if NULL BIND/anonymous binds are open/enabled.

pdixit1977 (Author) commented:
Also need to know which LDAP version is being used in 2003.
Thanks in advance for your support dude.

pdixit1977 (Author) commented:
Hey expert,
waiting for your reply.

jwilleke commented:
There is nothing in any of the PCI specifications that says anonymous access is not allowed.

LDAP often uses anonymous access, as do most other discovery protocols. Asking to disable anonymous access is no different than asking to disable anonymous access to DNS, SLP, NTP, ARP, DHCP, etc. In fact, we have done LDAP servers that provided DNS and DHCP information.

Way too often the auditors half-read, usually from some subscription service, and have no clue what the vulnerability implies, and so to cover their butt they add it to their "scan".

I would ask for further information as to the vulnerability and the risk that is implied.

The effort should be in voiding the vulnerability, not closing it.
-jim

pdixit1977 (Author) commented:
Very nice solution and technology information.