LDAP allows anonymous binds

  • LDAP allows anonymous binds

    We ran a security scan on our servers and got the following security violation on Windows 2000 Servers. The servers are domain controllers and DNS servers and are not Exchange servers; the solution which I found in one location talks about MS99-09, which is not my case.

    The error is as follows:

    "LDAP allows anonymous binds"

    What can be done to get this error fixed? I saw another article where it talks about the following, "Anonymous LDAP Operations in Windows 2003 AD", but this is Windows 2000 Server. So, any thoughts or ideas are kindly appreciated, and thanks for your response in advance.
    Last edited by jkfranci; 9th September 2005, 17:13. Reason: addition of text

  • #2
    Re: LDAP allows anonymous binds

    Someone actually reads this stuff?
    In any case, I am quite sure that this cannot be done in W2K AD. Yet, you should notice that though you can bind anonymously to AD, you are still subject to ACLs on the objects, and when binding as Anonymous, the only way to get access to data is either via the Everyone group, which has the Guest account, or via an explicit ACL with the "Anonymous Logon" security principal.

    The first is subject to the AD being in mixed mode, where the "Pre Windows 2000" group includes the Everyone group.
    The second will be there only if you explicitly granted "Anonymous Logon" access to some objects in AD.

    The only implication of anon binds being enabled that I can think of is the ability of an attacker to try to enumerate the AD structure by trying to bind to various DNs and, on the basis of the error code, to determine whether the DN exists (access denied) or not, or just to try to DoS the AD with a lot of anon LDAP binds. Each session will chew up some of the DC's memory, which will be allocated for the session.

    btw, RootDSE (you might compare it to LDAP's tree root) will always need to be able to be queried anonymously, as it contains information about the LDAP server itself, the options it supports and the ways you can authenticate against it.
    Guy Teverovsky
    "Smith & Wesson - the original point and click interface"
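    An added audit script (not from the thread or either poster) that checks the point made above: an anonymous bind to a DC is accepted, RootDSE answers anonymously, and anything returned below the domain naming context means an ACL (Everyone/Guest in mixed mode, or an explicit "Anonymous Logon" grant) is exposing it. It assumes a modern Windows admin host with .NET's System.DirectoryServices.Protocols; `$DcHost` is a placeholder for your own DC's DNS name.

```powershell
# Added audit example, not code from the original thread. Run from an admin
# workstation against your own DC; $DcHost / $Port are placeholders you supply.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Test-AnonymousLdapExposure {
    param(
        [Parameter(Mandatory)][string]$DcHost,
        [int]$Port = 389
    )
    $ns   = 'System.DirectoryServices.Protocols'
    $id   = New-Object "$ns.LdapDirectoryIdentifier" -ArgumentList $DcHost, $Port
    $conn = New-Object "$ns.LdapConnection" -ArgumentList $id
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Anonymous
    $conn.SessionOptions.ProtocolVersion = 3

    $result = [ordered]@{
        AnonymousBind        = $false   # did the DC accept an anonymous bind at all?
        RootDseReadable      = $false   # RootDSE is expected to be readable anonymously
        DefaultNamingContext = $null
        NamingContextEntries = 0        # >0 means an ACL grants Anonymous read access
    }

    try { $conn.Bind(); $result.AnonymousBind = $true }
    catch { $conn.Dispose(); return [pscustomobject]$result }

    # RootDSE: base-scope search against the empty DN.
    $base = [System.DirectoryServices.Protocols.SearchScope]::Base
    $req  = New-Object "$ns.SearchRequest" -ArgumentList $null, '(objectClass=*)', $base,
                ([string[]]@('defaultNamingContext', 'supportedSASLMechanisms'))
    try {
        $resp = $conn.SendRequest($req)
        if ($resp.Entries.Count -gt 0) {
            $result.RootDseReadable = $true
            $attr = $resp.Entries[0].Attributes['defaultNamingContext']
            if ($attr) { $result.DefaultNamingContext = $attr.GetValues([string])[0] }
        }
    } catch { }

    # One level below the domain NC: a DC with only default ACLs returns nothing to Anonymous.
    if ($result.DefaultNamingContext) {
        $one  = [System.DirectoryServices.Protocols.SearchScope]::OneLevel
        $req2 = New-Object "$ns.SearchRequest" -ArgumentList $result.DefaultNamingContext,
                    '(objectClass=*)', $one, ([string[]]@('name'))
        try { $result.NamingContextEntries = $conn.SendRequest($req2).Entries.Count }
        catch [System.DirectoryServices.Protocols.DirectoryOperationException] { }
    }
    $conn.Dispose()
    [pscustomobject]$result
}

Test-AnonymousLdapExposure -DcHost 'dc1.example.invalid'   # placeholder host name
```

A non-zero NamingContextEntries on a DC you did not deliberately open up is the finding worth chasing: look for "Anonymous Logon" ACEs or an Everyone/Guest path via the Pre-Windows 2000 Compatible Access group.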