Can you please suggest how to resolve the LDAP null base security
vulnerability reported by a port scan?

http://xforce.iss.net/xforce/xfdb/1425

Re: LDAP Null Base by michael

michael
Tue Jun 17 00:35:58 PDT 2008

stadala wrote:
> Can you please suggest how to resolve the LDAP null base security
> vulnerability reported by a port scan?
>
> http://xforce.iss.net/xforce/xfdb/1425

They are talking about reading the root DSE as anonymous. IMHO that's a
bit overstated since if you already know the AD domain's DNS name you
also know the LDAP search base since it's simply the same name mapped
1:1 to dc-style distinguished name.

With other LDAP servers you can simply set ACLs to prevent this from
happening. But that's local security configuration. Don't know how to do
this with AD though.

Ciao, Michael.
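
Michael's point above, that the AD search base follows 1:1 from the DNS name, can be checked directly. The following is an added example (not code from the thread or from any poster): it derives the DC-style base DN from an assumed domain `corp.example.com` and triages a constructed RootDSE dump into values already implied by that DNS name versus values that are genuinely extra disclosure from an anonymous read.

```python
from __future__ import annotations

# Constructed RootDSE attribute dump for an assumed domain corp.example.com;
# attribute names are standard AD RootDSE attributes, values are made up.
SAMPLE_ROOTDSE = {
    "defaultNamingContext": ["DC=corp,DC=example,DC=com"],
    "namingContexts": [
        "DC=corp,DC=example,DC=com",
        "CN=Configuration,DC=corp,DC=example,DC=com",
        "CN=Schema,CN=Configuration,DC=corp,DC=example,DC=com",
        "DC=ForestDnsZones,DC=corp,DC=example,DC=com",
    ],
    "supportedSASLMechanisms": ["GSSAPI", "GSS-SPNEGO", "EXTERNAL", "DIGEST-MD5"],
    "supportedLDAPVersion": ["3", "2"],
    "dnsHostName": ["dc01.corp.example.com"],
}


def dns_to_base_dn(dns_name: str) -> str:
    """Map a DNS domain name 1:1 to its DC-style distinguished name."""
    labels = [lbl for lbl in dns_name.strip(".").lower().split(".") if lbl]
    if not labels:
        raise ValueError("empty DNS name")
    return ",".join(f"DC={lbl}" for lbl in labels)


def triage_rootdse(dns_name: str, rootdse: dict[str, list[str]]) -> dict:
    """Split RootDSE values into those derivable from the DNS name (the base
    DN and partitions beneath it) and those that are additional disclosure."""
    base = dns_to_base_dn(dns_name)
    base_l = base.lower()
    implied: list[tuple[str, str]] = []
    extra: dict[str, list[str]] = {}
    for attr, values in rootdse.items():
        for value in values:
            v = value.lower()
            # The base itself, or any partition rooted under it, follows
            # from the DNS name alone; everything else is new information.
            if v == base_l or v.endswith("," + base_l):
                implied.append((attr, value))
            else:
                extra.setdefault(attr, []).append(value)
    return {"base_dn": base, "implied": implied, "extra": extra}


if __name__ == "__main__":
    report = triage_rootdse("corp.example.com", SAMPLE_ROOTDSE)
    print("base DN:", report["base_dn"])
    print("implied by DNS name:", len(report["implied"]), "values")
    for attr, values in report["extra"].items():
        print(f"extra disclosure via {attr}: {values}")
```

The attributes left in `extra` (SASL mechanisms, protocol versions, the DC's host name) are what an anonymous RootDSE read actually adds for a reviewer to weigh, which is the part Jorge's and Joe's replies below explain clients depend on.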

Re: LDAP Null Base by Jorge

Jorge
Tue Jun 17 02:41:42 PDT 2008

Hi
RootDSE has to allow anonymous access so the client can negotiate authentication,
LDAP protocol, partitions...

--
I hope that the information above helps you.
Have a Nice day.

Jorge Silva
MCSE, MVP Directory Services


Re: LDAP Null Base by Joe

Joe
Tue Jun 17 07:48:14 PDT 2008

I thought the LDAP spec said that RootDSE should be able to be queried
anonymously? I agree that calling this a vulnerability is probably unfair.

MS doesn't allow you to change this behavior in AD. It would also likely
break many programs if you could do this.

Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Michael Ströder" <michael@stroeder.com> wrote in message
news:v36ki5-2cu.ln1@nb2.stroeder.com...
> stadala wrote:
>> Can you please suggest how to resolve the LDAP null base security
>> vulnerability reported by a port scan?
>>
>> http://xforce.iss.net/xforce/xfdb/1425
>
> They are talking about reading the root DSE as anonymous. IMHO that's a
> bit overstated since if you already know the AD domain's DNS name you also
> know the LDAP search base since it's simply the same name mapped 1:1 to
> dc-style distinguished name.
>
> With other LDAP servers you can simply set ACLs to prevent this from
> happening. But that's local security configuration. Don't know how to do this
> with AD though.
>
> Ciao, Michael.



Re: LDAP Null Base by stadala

stadala
Tue Jun 17 16:06:01 PDT 2008

Do you think we have a fix for this vulnerability from MS? I understand we
cannot, but we are kind of stuck at security review.

"Jorge Silva" wrote:

> Hi
> RootDSE has to allow anonymous access so the client can negotiate authentication,
> LDAP protocol, partitions...
>
> --
> I hope that the information above helps you.
> Have a Nice day.
>
> Jorge Silva
> MCSE, MVP Directory Services
>
>

Re: LDAP Null Base by Joe

Joe
Tue Jun 17 18:35:13 PDT 2008

As I said, this is not a security vulnerability, but is part of the LDAP
specification. You cannot fix this because it is not broken. It is a
misdiagnosis by the tool.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"stadala" <stadala@discussions.microsoft.com> wrote in message
news:7AE75C24-0B5E-4EE0-A2D7-EA8DCB58CB41@microsoft.com...
> Do you think we have a fix for this vulnerability from MS? I understand we
> cannot, but we are kind of stuck at security review.
>
> "Jorge Silva" wrote:
>
>> Hi
>> RootDSE has to allow anonymous access so the client can negotiate
>> authentication,
>> LDAP protocol, partitions...
>>
>> --
>> I hope that the information above helps you.
>> Have a Nice day.
>>
>> Jorge Silva
>> MCSE, MVP Directory Services
>>
>>