From: Kyle Quest (Kyle.Quest@networkengines.com)
Date: Sat Feb 04 2006 - 17:16:54 EST
A small addition...
This behaviour is initially deturmined during
Domain Controller installation. When you run dcpromo
you get to configure this option on the Permissions page
where you can select either
"Permissions compatible with pre-Windows 2000 servers"
or "Permissions compatible only with WIndows 2000 servers."/
"Permissions compatible only with Windows 2000 or
Windows Server 2003 operating systems" (on 2003).
By default, the second option is selected on 2003, which doesn't
allow anonymous LDAP operations other than reading the RootDSE
container, which is required for LDAP v3 compatibility.
So the buttom line is that unless your DC is a windows 2000 machine
that wasn't explicitly set to disallow anonymous read access to AD
or your DC is a windows 2003 that was explicitly set to allow
anonymous read access to AD you are out of luck and you have to
resort to various tricks (already mentioned in at least one of the
replies).
If you are paranoid the easiest way to check is to use the LDP.EXE
utility, which is one of the support tools (downloadable from microsoft.com).
Run it, Bind with the user name and password fields set to nothing
(and uncheck the domain checkbox) and in advanced setting choose
Simple Function Type. This will show you the RootDSE container.
After that choose Tree View and select any of the available containers.
If anonymous access is not allowed you'll see "No children" if you
try to expand your selected container tree and in the main windows
you'll see a message like this:
"res = ldap_simple_bind_s(ld, 'NULL', <unavailable>); // v.3
Authenticated as dn:'NULL'.
Expanding base 'CN=Configuration,DC=yyyyyy,DC=xxxxx,DC=com'...
Error: Search: Operations Error. <1>
Result <1>: 00000000: LdapErr: DSID-0C0905FF, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece
Matched DNs:
Getting 0 entries:"
Kyle
-----Original Message-----
From: Free, Bob [mailto:RWF4@pge.com]
Sent: Friday, January 27, 2006 4:44 PM
To: Sam Evans; ilaiy
Cc: Frederic Charpentier; pen-test@securityfocus.com; Uno Mille
Subject: RE: Active Directory user enumeration
The default behavior was changed in 2003. 2000 generally allowed
anonymous connections and then the results were based on the individual
objects' permissions. By default, anonymous LDAP operations, except
rootDSE searches and binds, are not permitted on Windows 2003 domain
controllers, any other query will result in domain controller requesting
authenticated bind to LDAP.
Anonymous LDAP operations to Active Directory are disabled on Windows
Server 2003 domain controllers:
http://support.microsoft.com/?kbid=326690
hth
------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner:
Hackers are concentrating their efforts on attacking applications on your
website. Up to 75% of cyber attacks are launched on shopping carts, forms,
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are
futile against web application hacking. Check your website for vulnerabilities
to SQL injection, Cross site scripting and other web attacks before hackers do!
Download Trial at:
http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:55:26 EDT