Disable LDAP NULL BASE

  • Disable LDAP NULL BASE

    A security scanner found that my Domain Controller on Win 2003 has a vuln. - NULL BASE through LDAP. With that, everyone can get sensitive information.
    I googled and didn't find how to disable it.

  • #2
    which scanner are you using?
    Marcel
    Technical Consultant
    Netherlands
    http://www.phetios.com
    http://blog.nessus.nl

    MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
    "No matter how secure, there is always the human factor."

    "Enjoy life today, tomorrow may never come."
    "If you're going through hell, keep going. ~Winston Churchill"


    • #3
      A google on the groups brought this up...:

      http://groups.google.co.uk/groups?hl...6btnG%3DSearch

      Any good?
      Server 2000 MCP
      Development: ASP, ASP.Net, PHP, VB, VB.Net, MySQL, MSSQL - Check out my blog http://tonyyeb.blogspot.com

      ** Remember to give credit where credit is due and leave reputation points sigpic where appropriate **


      • #4
        >>which scanner are you using?
        Xspider 7.0

        To tonyyeb:
        Thanks for the link, but I do not understand how to disable LDAP anonymous bind.
        You see, I have Windows 2003 ENT & Microsoft says that in Windows 2003, anonymous LDAP bind is disabled by default.
        But the scanner again & again creates an anonymous LDAP query & gets information from my domain.


        • #5
          What you are probably seeing is the RootDSE. This is public info, almost by definition. RootDSE is allowed even with anonymous binds.


          • #6
            Read the first part of my mumbling here:
            http://www.netguru.co.il/guy/docs/An...ws_2003_AD.doc

            You are talking about RootDSE and it HAS to have anonymous access to allow the client to negotiate things such as:
            - LDAP protocol version to use
            - Authentication type
            - Default partition
            - etc
            Guy Teverovsky
            "Smith & Wesson - the original point and click interface"

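The distinction drawn in replies #5 and #6, as an added example that is not part of any post in this thread: the script parses the LDIF output of an anonymous search and separates the rootDSE (the entry with an empty DN) from any real directory objects. The attribute-to-item mapping, the function names and the sample data are assumptions made for illustration.

```python
import re

NEGOTIATION_ATTRS = {  # assumed mapping: rootDSE attributes behind the items in #6
    "supportedldapversion": "LDAP protocol version",
    "supportedsaslmechanisms": "authentication type",
    "defaultnamingcontext": "default partition",
}

def parse_ldif(text):
    """Parse LDIF text into a list of (dn, {attr: [values]}) entries."""
    unfolded = re.sub(r"\n ", "", text)      # a leading space continues the previous line
    entries = []
    for block in re.split(r"\n\s*\n", unfolded):   # entries are separated by blank lines
        dn, attrs = None, {}
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue                     # skip comments and malformed lines
            name, _, value = line.partition(":")
            value = value.lstrip(":").strip()    # base64 ("::") values stay encoded
            if name.lower() == "dn":
                dn = value
            else:
                attrs.setdefault(name.lower(), []).append(value)
        if dn is not None:
            entries.append((dn, attrs))
    return entries

def triage(entries):
    """Split an anonymous result into rootDSE data and directory objects."""
    report = {"rootdse": {}, "exposed_dns": []}
    for dn, attrs in entries:
        if dn == "":                         # the rootDSE is the entry with an empty DN
            for attr, meaning in NEGOTIATION_ATTRS.items():
                if attr in attrs:
                    report["rootdse"][meaning] = attrs[attr]
        else:                                # anything else is real directory content
            report["exposed_dns"].append(dn)
    return report

# Constructed sample of what a scanner might record from anonymous queries.
SAMPLE = """\
dn:
defaultNamingContext: DC=example,DC=local
supportedLDAPVersion: 3
supportedSASLMechanisms: GSSAPI

dn: CN=Jane Doe,CN=Users,
 DC=example,DC=local
sAMAccountName: jdoe
"""
```

An empty `exposed_dns` list means the scanner only read the rootDSE; any DN listed there is an object that answered an unauthenticated query.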


            • #7
              Thank you "Guy (Antid0t)"
              It's a really good paper
