I did some research on the issue and the information for me was inconclusive --
I found this post: http://www.derkeiler.com/Newsgroups/microsoft.public.win2000.security/2005-10/0239.html Date: Wed, 19 Oct 2005 12:07:35 -0400 You can't disable anonymous/NULL bind. LDAP V3 requires it for the rootdse. However, a null bind doesn't necessarily give you access to domain or config data. In fact, if you are running Windows Server 2003 AD you have to specifically enable anonymous access on the ACLs to retrieve data Here's a kb article about anonymous ldap operations: http://support.microsoft.com/kb/326690 Anonymous LDAP operations to Active Directory are disabled on Windows Server 2003 domain controllers SUMMARY By default, anonymous Lightweight Directory Access Protocol (LDAP) operations to Active Directory, other than rootDSE searches and binds, are not permitted in Microsoft Windows Server 2003. There's another nice article here: http://www.petri.co.il/anonymous_ldap_operations_in_windows_2003_ad.htm Based on that information, I'm not convinced it's a great concern on Win2k3. I would be interested in the impact of disabling it, per the information provided. I'm a bit concerned about the possible fallout from a change. Thanks, Mike "George A. Theall" <[EMAIL PROTECTED]> Sent by: [EMAIL PROTECTED] 11/13/2007 07:52 PM To [email protected] cc Subject Re: LDAP allows anonymous binds On 11/13/07 12:30, PJ Bender wrote: > When Nessus was run against our two Domain Controllers, we received > the following report: > > *Synopsis*: It is possible to disclose LDAP information. ... > *Solution*: Disable NULL BIND on your LDAP server ... > I don?t think it is this problem. FWIW, the plugin actually tries to query a server without authenticating (ie, a "NULL BIND") and checks for a response. So it might be useful to capture packets to/from the affected LDAP services and see what is being returned. > Can someone let me know where I can go to find a method(s) to disable > the null bind on my Windows 2003 LDAP server(s)? Have you searched Microsoft's site? For example: check out the discussion of "dsHeuristics" in: http://support.microsoft.com/kb/326690/ George -- [EMAIL PROTECTED] _______________________________________________ Nessus mailing list [email protected] http://mail.nessus.org/mailman/listinfo/nessus
_______________________________________________ Nessus mailing list [email protected] http://mail.nessus.org/mailman/listinfo/nessus
