Security issues with LDAP NULL base connections
Article ID: 837964
Some third-party security assessment products may return a warning message after they scan a Microsoft Windows 2000-based domain controller. For example, the Internet Security Systems, Inc. RealSecure software may flag a Windows 2000 domain controller with a low-risk warning message and link to the following article for more information:
On Windows 2000 Active Directory servers, unauthenticated (NULL) connections are permitted to connect to the root DSA-specific Entry (DSE). This is by design, to comply with Request for Comment (RFC) 2251. Users can use these NULL connections to enumerate potentially sensitive information from the domain naming context (NC) for that server. This includes password policy information for the domain.
Administrators can query their Active Directory servers by using any LDAP browser to determine what information can be obtained anonymously. For example, administrators can use the LDP.EXE tool that is located on the Windows 2000 Support Tools CD.
For example, users might obtain the following information anonymously by using Windows 2000 default settings:
This information is returned from the root DSE to comply with Request for Comment (RFC) 2251. For more information about RFC 2251, visit the following Web site:
http://www.cse.ohio-state.edu/cgi-bin/rfc/rfc2251.html
This information must be made available to all unauthenticated connections to comply with the RFC.
However, by default, unauthenticated users can also obtain additional information from the domain naming context that could reveal sensitive information, such as password policies. For example, unauthenticated users might obtain the following information:
To minimize the information that is disclosed through unauthenticated connections on Windows 2000 domain controllers, you can enable the RestrictAnonymous registry setting with a value of 2. To do this, see the articles that are listed in the "References" section. This registry setting removes the Everyone SID from the unauthenticated network access token, which prevents NULL session access tokens from enumerating the domain naming context. You must restart the computer for this setting to take effect.
Note: Microsoft does not support using RestrictAnonymous with a value of 2. This setting may cause serious problems, especially in mixed environments with earlier-version clients such as Windows NT 4.0 and earlier. See the "References" section for links to more articles about the RestrictAnonymous registry setting.
By default, Microsoft Windows Server 2003 includes security settings that prevent LDAP null base connections from enumerating information from the domain naming context anonymously.
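The check the article suggests doing with an LDAP browser, written here as an added example that is not part of the Knowledge Base article: a NULL (anonymous) bind followed by a base-scope read of password-policy attributes from the domain naming context, with the LDAP messages hand-encoded in BER so the script needs only the Python standard library. The host name, the domain DN and port 389 are assumptions for your own domain controller; compare the result before and after applying RestrictAnonymous (or against a Windows Server 2003 domain controller).

```python
import socket

def tlv(tag, payload):  # BER element: tag, definite length (short or long form), contents
    n = len(payload)
    b = n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
    return bytes([tag]) + (b if n < 0x80 else bytes([0x80 | len(b)]) + b) + payload

def anonymous_bind(msg_id=1):
    # BindRequest [APPLICATION 0]: version 3, empty name, simple credentials "" (the NULL bind)
    op = tlv(0x02, bytes([3])) + tlv(0x04, b"") + tlv(0x80, b"")
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + tlv(0x60, op))

def base_search(base, attrs, msg_id=2):
    # SearchRequest [APPLICATION 3]: scope baseObject, derefAliases never, no size/time limit,
    # typesOnly FALSE, present filter (objectClass=*), then the list of attributes wanted
    op = (tlv(0x04, base.encode()) + tlv(0x0A, b"\x00") * 2 + tlv(0x02, b"\x00") * 2 + tlv(0x01, b"\x00")
          + tlv(0x87, b"objectClass") + tlv(0x30, b"".join(tlv(0x04, a.encode()) for a in attrs)))
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + tlv(0x63, op))

def ber_read(buf, pos=0):  # -> (tag, contents, position just after the element)
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:  # long form: the next (n & 0x7F) bytes hold the length
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def classify(msg):  # decode one LDAPMessage just far enough to see what the server answered
    _, seq, _ = ber_read(msg)
    tag, op, _ = ber_read(seq, ber_read(seq)[2])  # skip messageID, take the protocolOp
    if tag == 0x64:  # SearchResultEntry: the object was readable over the NULL connection
        return "entry", ber_read(op)[1].decode()
    # BindResponse (0x61) / SearchResultDone (0x65) carry a resultCode, 0 = success
    return ("done", ber_read(op)[1][0]) if tag in (0x61, 0x65) else ("other", tag)

def recv_message(f):  # read exactly one BER-framed LDAPMessage from a buffered socket file
    head = f.read(2)
    ext = f.read(head[1] & 0x7F) if head[1] & 0x80 else b""
    return head + ext + f.read(int.from_bytes(ext, "big") if ext else head[1])

def audit(host, base_dn, attrs=("minPwdLength", "maxPwdAge", "lockoutThreshold")):
    # NULL bind, then read password-policy attributes from the domain NC (host/DN assumed).
    # A hardened DC (RestrictAnonymous=2, or Windows Server 2003 defaults) returns no "entry".
    with socket.create_connection((host, 389), timeout=10) as s:
        f = s.makefile("rb")
        s.sendall(anonymous_bind())
        results = [classify(recv_message(f))]
        s.sendall(base_search(base_dn, list(attrs)))
        while len(results) == 1 or results[-1][0] != "done":
            results.append(classify(recv_message(f)))
    return results
```

`audit("dc1.example.test", "DC=example,DC=test")` returns the bind result followed by the search results; an `("entry", dn)` item means the domain NC was readable anonymously, while only a `("done", code)` with a non-zero code means the server refused the unauthenticated read.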
References
For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
326690 (http://support.microsoft.com/kb/326690/): Anonymous LDAP operations to Active Directory are disabled on Windows Server 2003 domain controllers
For additional information about the RestrictAnonymous registry value, click the following article numbers to view the articles in the Microsoft Knowledge Base:
296405 (http://support.microsoft.com/kb/296405/): The "RestrictAnonymous" registry value may break the trust to a Windows 2000 domain
246261 (http://support.microsoft.com/kb/246261/): How to use the RestrictAnonymous registry value in Windows 2000
823659 (http://support.microsoft.com/kb/823659/): Client, service, and program incompatibilities that may occur when you modify security settings and user rights assignments
The third-party products that this article discusses are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, regarding the performance or reliability of these products.