Security issues with LDAP NULL base connections


Some third-party security assessment products may return a warning message after they scan a Microsoft Windows 2000-based domain controller. For example, the Internet Security Systems, Inc. RealSecure software may flag a Windows 2000 domain controller with a low-risk warning message and link to the following article for more information:


On Windows 2000 Active Directory servers, unauthenticated (NULL) connections are permitted to connect to root DSA-specific Entry (DSE). This is by design in order to comply with Request for Comment (RFC) 2251. Users can use these NULL connections users to enumerate potentially sensitive information from the domain naming context (NC) for that server. This includes password policy information for the domain.

Administrators can query their Active Directory servers by using any LDAP browser to determine what information can be obtained anonymously. For example, Administrators can use the LDP.EXE tool that is located on the Windows 2000 support tools CD.

For example, users might obtain the following information anonymously by using Windows 2000 default settings:
ld = ldap_open("localhost", 389);
Established connection to localhost.
Retrieving base DSA information...
Result <0>: (null)
Matched DNs:
Getting 1 entries:
>> Dn:
1> currentTime: 2/13/2004 11:28:36 Eastern Standard Time Eastern Daylight Time;
1> subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=Intranet,DC=com;
1> dsServiceName: CN=NTDS Settings,CN=INTRANET-AD,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=Intranet,DC=com;
3> namingContexts: CN=Schema,CN=Configuration,DC=Intranet,DC=com; CN=Configuration,DC=Intranet,DC=com; DC=Intranet,DC=com;
1> defaultNamingContext: DC=Intranet,DC=com;
1> schemaNamingContext: CN=Schema,CN=Configuration,DC=Intranet,DC=com;
1> configurationNamingContext: CN=Configuration,DC=Intranet,DC=com;
1> rootDomainNamingContext: DC=Intranet,DC=com;
16> supportedControl: 1.2.840.113556.1.4.319; 1.2.840.113556.1.4.801; 1.2.840.113556.1.4.473; 1.2.840.113556.1.4.528; 1.2.840.113556.1.4.417; 1.2.840.113556.1.4.619; 1.2.840.113556.1.4.841; 1.2.840.113556.1.4.529; 1.2.840.113556.1.4.805; 1.2.840.113556.1.4.521; 1.2.840.113556.1.4.970; 1.2.840.113556.1.4.1338; 1.2.840.113556.1.4.474; 1.2.840.113556.1.4.1339; 1.2.840.113556.1.4.1340; 1.2.840.113556.1.4.1413;
2> supportedLDAPVersion: 3; 2;
12> supportedLDAPPolicies: MaxPoolThreads; MaxDatagramRecv; MaxReceiveBuffer; InitRecvTimeout; MaxConnections; MaxConnIdleTime; MaxActiveQueries; MaxPageSize; MaxQueryDuration; MaxTempTableSize; MaxResultSetSize; MaxNotificationPerConn;
1> highestCommittedUSN: 14787;
2> supportedSASLMechanisms: GSSAPI; GSS-SPNEGO;
1> dnsHostName:;
1> ldapServiceName:$@INTRANET.COM;
1> serverName: CN=INTRANET-AD,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=Intranet,DC=com;
2> supportedCapabilities: 1.2.840.113556.1.4.800; 1.2.840.113556.1.4.1791;
1> isSynchronized: TRUE;
1> isGlobalCatalogReady: TRUE;
This information is returned from the root DSE to comply with Request for Comment (RFC) 2251. For more information about RFC 2251, visit the following Web site:This information must be made available to all unauthenticated connections to comply with the RFC.

However, by default, unauthenticated users can obtain additional information from the domain naming container that could reveal sensitive information, such as password policies. For example, unauthenticated users might obtain the following information:
Expanding base 'DC=Intranet,DC=com'...
Result <0>: (null)
Matched DNs:
Getting 1 entries:
>> Dn: DC=Intranet,DC=com
1> masteredBy: CN=NTDS Settings,CN=INTRANET-AD,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=Intranet,DC=com;
1> auditingPolicy: <ldp: Binary blob>;
1> creationTime: 126751257238782576;
1> dc: Intranet;
1> forceLogoff: -9223372036854775808;
1> fSMORoleOwner: CN=NTDS Settings,CN=INTRANET-AD,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=Intranet,DC=com;
1> gPLink: [LDAP://CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=Intranet,DC=com;0];
1> instanceType: 5;
1> isCriticalSystemObject: TRUE;
1> lockOutObservationWindow: -18000000000;
1> lockoutDuration: -18000000000;
1> lockoutThreshold: 0;
1> maxPwdAge: -36288000000000;
1> minPwdAge: 0;
1> minPwdLength: 0;
1> modifiedCount: 103;
1> modifiedCountAtLastProm: 0;
1> ms-DS-MachineAccountQuota: 10;
1> nextRid: 1006;
1> nTMixedDomain: 1;
1> distinguishedName: DC=Intranet,DC=com;
1> objectCategory: CN=Domain-DNS,CN=Schema,CN=Configuration,DC=Intranet,DC=com;
3> objectClass: top; domain; domainDNS;
1> objectGUID: c2fab5da-00f8-4a3c-a188-32f11a1ed13e;
1> objectSid: S-15-7D0B1073-14D87EB2-6743F5A;
1> pwdHistoryLength: 1;
1> pwdProperties: 0;
1> name: Intranet;
1> rIDManagerReference: CN=RID Manager$,CN=System,DC=Intranet,DC=com;
1> serverState: 1;
1> subRefs: CN=Configuration,DC=Intranet,DC=com;
1> systemFlags: -1946157056;
1> uASCompat: 1;
1> uSNChanged: 11170;
1> uSNCreated: 1154;
7> wellKnownObjects: B:32:18E2EA80684F11D2B9AA00C04F79F805:CN=Deleted Objects,DC=Intranet,DC=com; B:32:2FBAC1870ADE11D297C400C04FD8D5CD:CN=Infrastructure,DC=Intranet,DC=com; B:32:AB8153B7768811D1ADED00C04FD8D5CD:CN=LostAndFound,DC=Intranet,DC=com; B:32:AB1D30F3768811D1ADED00C04FD8D5CD:CN=System,DC=Intranet,DC=com; B:32:A361B2FFFFD211D1AA4B00C04FD7D83A:OU=Domain Controllers,DC=Intranet,DC=com; B:32:AA312825768811D1ADED00C04FD8D5CD:CN=Computers,DC=Intranet,DC=com; B:32:A9D1CA15768811D1ADED00C04FD8D5CD:CN=Users,DC=Intranet,DC=com;
1> whenChanged: 8/29/2002 17:57:24 Eastern Standard Time Eastern Daylight Time;
1> whenCreated: 8/29/2002 16:7:34 Eastern Standard Time Eastern Daylight Time;
To minimize the information that will be disclosed through unauthenticated connections on Windows 2000 domain controllers, you can enable the RestrictAnonymous registry setting with a value of 2. To do this, see the articles that are listed in the "References" section. This registry setting removes the Everyone SID from the unauthenticated network access token. This setting prevents NULL session access tokens from enumerating the domain naming context. You must restart your computer for this setting to take effect.

Note Microsoft does not support using RestrictAnonymous with a value of 2. This setting may cause serious problems, especially in mixed environments with earlier-version clients such as Windows NT 4.0 and earlier. See the "References" section for links to more articles about the RestrictAnonymous registry setting.
By default, Microsoft Windows Server 2003 includes security settings that prevent LDAP null base connections from enumerating information from the domain naming context anonymously.

For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

326690 Anonymous LDAP operations to Active Directory are disabled on Windows Server 2003 domain controllers

For additional information about the RestrictAnonymous registry value, click the following article numbers to view the articles in the Microsoft Knowledge Base:

296405 The "RestrictAnonymous" registry value may break the trust to a Windows 2000 domain

246261 How to use the RestrictAnonymous registry value in Windows 2000

823659 Client, service, and program incompatibilities that may occur when you modify security settings and user rights assignments

The third-party products that this article discusses are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, regarding the performance or reliability of these products.


文書番号:837964 - 最終更新日: 2007/09/05 - リビジョン: 1