STIGQter: STIG Summary: Microsoft Windows Server 2012/2012 R2 Domain Controller Security Technical Implementation Guide Version: 3 Release: 2 Benchmark Date: 04 May 2021:

Anonymous access to the root DSE of a non-public directory must be disabled.

DISA Rule

SV-226081r569184_rule

Vulnerability Number

V-226081

Group Title

SRG-OS-000480-GPOS-00227

Rule Version

WN12-AD-000012-DC

Severity

CAT III

CCI(s)

• CCI-000366 - The organization implements the security configuration settings.

Weight

10

Fix Recommendation

Implement network protections to reduce the risk of anonymous access.

Network hardware ports at the site are subject to 802.1x authentication or MAC address restrictions.

Premise firewall or host restrictions prevent access to ports 389, 636, 3268, and 3269 from client hosts not explicitly identified by domain (.mil) or IP address.

Severity Override Guidance: The following network controls allow the finding severity to be downgraded to not a finding since these measures lower the risk associated with anonymous access.

Check Contents

At this time, this is a finding for all Windows domain controllers for sensitive or classified levels as Windows Active Directory Domain Services (AD DS) does not provide a method to restrict anonymous access to the root DSE on domain controllers.

The following can be used to verify anonymous access is allowed.

Open a command prompt (not elevated).
Run "ldp.exe".
From the Connection menu, select Bind.
Clear the User, Password, and Domain fields.
Select Simple bind for the Bind type, Click OK.

RootDSE attributes should display, such as various namingContexts.

Confirmation of anonymous access will be displayed at the end:
res = ldap_simple_bind_s
Authenticated as: 'NT AUTHORITY\ANONYMOUS LOGON'

Vulnerability Number

V-226081

Documentable

False

Rule Version

WN12-AD-000012-DC

Severity Override Guidance

At this time, this is a finding for all Windows domain controllers for sensitive or classified levels as Windows Active Directory Domain Services (AD DS) does not provide a method to restrict anonymous access to the root DSE on domain controllers.

The following can be used to verify anonymous access is allowed.

Open a command prompt (not elevated).
Run "ldp.exe".
From the Connection menu, select Bind.
Clear the User, Password, and Domain fields.
Select Simple bind for the Bind type, Click OK.

RootDSE attributes should display, such as various namingContexts.

Confirmation of anonymous access will be displayed at the end:
res = ldap_simple_bind_s
Authenticated as: 'NT AUTHORITY\ANONYMOUS LOGON'

Check Content Reference

M

Target Key

4217

Comments