<br><font size=2 face="sans-serif">I did some research on the issue and
the information for me was inconclusive --</font>
<br>
<br><font size=2 face="sans-serif">I found this post: http://www.derkeiler.com/Newsgroups/microsoft.public.win2000.security/2005-10/0239.html</font>
<br>
<br><font size=2 face="sans-serif">Date: Wed, 19 Oct 2005 12:07:35 -0400</font>
<br>
<br><font size=2 face="sans-serif">You can't disable anonymous/NULL bind.
LDAP V3 requires it for the rootdse. </font>
<br><font size=2 face="sans-serif">However, a null bind doesn't necessarily
give you access to domain or config </font>
<br><font size=2 face="sans-serif">data. In fact, if you are running Windows
Server 2003 AD you have to </font>
<br><font size=2 face="sans-serif">specifically enable anonymous access
on the ACLs to retrieve data</font>
<br>
<br><font size=2 face="sans-serif">Here's a kb article about anonymous
ldap operations:</font>
<br><font size=2 face="sans-serif">http://support.microsoft.com/kb/326690</font>
<br><font size=2 face="sans-serif">Anonymous LDAP operations to Active
Directory are disabled on Windows Server 2003 domain controllers</font>
<br>
<br><font size=2 face="sans-serif">SUMMARY</font>
<br><font size=2 face="sans-serif">By default, anonymous Lightweight Directory
Access Protocol (LDAP) operations to Active Directory, other than rootDSE
searches and binds, are not permitted in Microsoft Windows Server 2003.
</font>
<br>
<br><font size=2 face="sans-serif">There's another nice article here:</font>
<br><font size=2 face="sans-serif">http://www.petri.co.il/anonymous_ldap_operations_in_windows_2003_ad.htm</font>
<br>
<br><font size=2 face="sans-serif">Based on that information, I'm not convinced
it's a great concern on Win2k3. I would be interested in the impact
of disabling it, per the information provided. I'm a bit concerned
about the possible fallout from a change.</font>
<br>
<br><font size=2 face="sans-serif">Thanks,</font>
<br>
<br><font size=2 face="sans-serif">Mike</font>
<br>
<br>
<br>
<br>
<table width=100%>
<tr valign=top>
<td width=40%><font size=1 face="sans-serif"><b>"George A. Theall"
<theall@tenablesecurity.com></b> </font>
<br><font size=1 face="sans-serif">Sent by: nessus-bounces@list.nessus.org</font>
<p><font size=1 face="sans-serif">11/13/2007 07:52 PM</font>
<td width=59%>
<table width=100%>
<tr valign=top>
<td>
<div align=right><font size=1 face="sans-serif">To</font></div>
<td><font size=1 face="sans-serif">nessus@list.nessus.org</font>
<tr valign=top>
<td>
<div align=right><font size=1 face="sans-serif">cc</font></div>
<td>
<tr valign=top>
<td>
<div align=right><font size=1 face="sans-serif">Subject</font></div>
<td><font size=1 face="sans-serif">Re: LDAP allows anonymous binds</font></table>
<br>
<br></table>
<br>
<br>
<br><font size=2><tt>On 11/13/07 12:30, PJ Bender wrote:<br>
<br>
> When Nessus was run against our two Domain Controllers, we
received <br>
> the following report:<br>
> <br>
> *Synopsis*: It is possible to disclose LDAP information.<br>
...<br>
> *Solution*: Disable NULL BIND on your LDAP server<br>
...<br>
> I don’t think it is this problem.<br>
<br>
FWIW, the plugin actually tries to query a server without authenticating
<br>
(i.e., a "NULL BIND") and checks for a response. So it might be
useful to <br>
capture packets to/from the affected LDAP services and see what is being
<br>
returned.<br>
<br>
> Can someone let me know where I can go to find a method(s) to disable
<br>
> the null bind on my Windows 2003 LDAP server(s)?<br>
<br>
Have you searched Microsoft's site? For example: check out the <br>
discussion of "dsHeuristics" in:<br>
<br>
http://support.microsoft.com/kb/326690/<br>
<br>
George<br>
-- <br>
theall@tenablesecurity.com<br>
_______________________________________________<br>
Nessus mailing list<br>
Nessus@list.nessus.org<br>
http://mail.nessus.org/mailman/listinfo/nessus<br>
</tt></font>
<br>
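<br><font size=2 face="sans-serif">George describes the check as a query sent without authenticating and a look at what comes back, and the KB quoted above says rootDSE binds and searches are the one thing a NULL bind can always do on a Windows Server 2003 DC. The Python script below is an added example, not code from this thread, from Tenable's plugin or from Microsoft: it reproduces that exchange with hand-built LDAPv3 messages (a NULL bind, a rootDSE base search, then a one-level search of the domain naming context) and classifies the replies the way Mike's question needs, separating "NULL bind accepted but data reads blocked" (the 2003 default) from "data actually readable". It also evaluates a dsHeuristics string per the KB's 7th-character rule. The host name dc1.example.com, the base DN DC=example,DC=com and the sample replies are constructed assumptions, not captured from a real DC.</font>

```python
# Added example, not code from the thread or from the Nessus plugin. Everything except probe()
# runs offline; the DC host name and base DN in the usage note are assumptions.
import socket

# ---- minimal BER / LDAPv3 encoder (tags per RFC 4511) ----
def tlv(tag, payload):
    n = len(payload)
    if n >= 0x80:  # long-form length
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        return bytes([tag, 0x80 | len(lb)]) + lb + payload
    return bytes([tag, n]) + payload

def ber_int(v):  # INTEGER, two's complement, shortest form
    return tlv(0x02, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big", signed=True))
def ber_str(s):  # OCTET STRING
    return tlv(0x04, s.encode())
def ldap_msg(msg_id, op):  # LDAPMessage ::= SEQUENCE { messageID INTEGER, protocolOp }
    return tlv(0x30, ber_int(msg_id) + op)

def anonymous_bind(msg_id=1):
    """BindRequest [APPLICATION 0]: version 3, empty name, empty simple password, i.e. a NULL bind."""
    return ldap_msg(msg_id, tlv(0x60, ber_int(3) + ber_str("") + tlv(0x80, b"")))

def search(msg_id, base, scope, attrs):
    """SearchRequest [APPLICATION 3] with filter (objectClass=*); scope 0 = baseObject, 1 = oneLevel."""
    body = (ber_str(base) + tlv(0x0A, bytes([scope])) + tlv(0x0A, b"\x00")  # scope, derefAliases=never
            + ber_int(0) + ber_int(0) + tlv(0x01, b"\x00")                   # sizeLimit, timeLimit, typesOnly
            + tlv(0x87, b"objectClass")                                       # present filter, tag [7]
            + tlv(0x30, b"".join(ber_str(a) for a in attrs)))                 # attributes to return
    return ldap_msg(msg_id, tlv(0x63, body))

def ldap_result(msg_id, app_tag, code, diag=""):
    """BindResponse (0x61) / SearchResultDone (0x65): resultCode, matchedDN, diagnosticMessage."""
    return ldap_msg(msg_id, tlv(app_tag, tlv(0x0A, bytes([code])) + ber_str("") + ber_str(diag)))

# ---- decoder ----
def _read_tlv(buf, pos=0):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_result(msg):
    """Return (messageID, op_tag, resultCode, diagnostic); the last two are None for non-result ops."""
    _, body, _ = _read_tlv(msg)
    _, mid, pos = _read_tlv(body)
    op_tag, op, _ = _read_tlv(body, pos)
    if op_tag not in (0x61, 0x65):
        return int.from_bytes(mid, "big"), op_tag, None, None
    _, code, pos = _read_tlv(op)
    _, _matched_dn, pos = _read_tlv(op, pos)
    _, diag, _ = _read_tlv(op, pos)
    return int.from_bytes(mid, "big"), op_tag, int.from_bytes(code, "big"), diag.decode(errors="replace")

# ---- interpretation of what the DC answered ----
def verdict(bind_code, nc_result_code, nc_entries):
    if bind_code != 0:
        return "anonymous bind refused: not what AD does, LDAPv3 rootDSE access relies on it"
    if nc_entries > 0:
        return "NULL bind accepted and directory data readable: anonymous ops enabled in dsHeuristics and on the ACLs"
    if nc_result_code == 1:  # operationsError: AD's answer when the operation needs a real bind
        return "NULL bind accepted but data reads blocked: the Windows Server 2003 default"
    return f"NULL bind accepted; naming-context search ended with resultCode {nc_result_code}"

def anonymous_ops_enabled(ds_heuristics):
    """KB 326690: anonymous operations are allowed only when the 7th character of dsHeuristics is '2'."""
    return len(ds_heuristics) >= 7 and ds_heuristics[6] == "2"

# ---- live probe: the only part that touches the network ----
def _recv_msg(f):  # read one complete LDAPMessage from a buffered socket file
    head = f.read(2)
    if len(head) < 2:
        raise ConnectionError("server closed the LDAP connection")
    length = head[1]
    if length & 0x80:
        ext = f.read(length & 0x7F)
        head, length = head + ext, int.from_bytes(ext, "big")
    return head + f.read(length)

def _drain(f):  # count SearchResultEntry (0x64) messages until SearchResultDone (0x65)
    entries = 0
    while True:
        _, tag, code, _ = parse_result(_recv_msg(f))
        if tag == 0x65:
            return entries, code
        entries += tag == 0x64

def probe(host, base_dn, port=389):
    """NULL bind, rootDSE read (always allowed), then a one-level read of base_dn (what the finding is about)."""
    with socket.create_connection((host, port), timeout=5) as s, s.makefile("rb") as f:
        s.sendall(anonymous_bind(1))
        _, _, bind_code, _ = parse_result(_recv_msg(f))
        s.sendall(search(2, "", 0, ("namingContexts",)))
        rootdse_entries, _ = _drain(f)
        s.sendall(search(3, base_dn, 1, ("cn",)))
        nc_entries, nc_code = _drain(f)
    return rootdse_entries, verdict(bind_code, nc_code, nc_entries)

# Constructed sample replies (not captured from a real DC) so the decoder can be exercised offline.
SAMPLE_BIND_OK = ldap_result(1, 0x61, 0)
SAMPLE_SEARCH_BLOCKED = ldap_result(3, 0x65, 1,
    "In order to perform this operation a successful bind must be completed on the connection.")
```

<br><font size=2 face="sans-serif">Run it as probe("dc1.example.com", "DC=example,DC=com") with your own DC and base DN: a 2003 DC at defaults should give bind code 0, one rootDSE entry and a blocked naming-context search, which is the "NULL bind accepted but data reads blocked" case and nothing more than the KB's documented behaviour. Before touching the setting George points at, read dsHeuristics from CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,&lt;forest root DN&gt; and feed it to anonymous_ops_enabled(); an empty or absent value means anonymous operations are already blocked.</font>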