LDAP-NullBase

Marty Henderson

I need to plug the LDAP-NullBase vulnerability. NOTE: This is an LDAP
specification problem and not a Microsoft-specific hole.

For info about LDAP-NullBase see:
http://xforce.iss.net/xforce/xfdb/1425

I'm in search of two things...

How to set ACL to plug this on a Win2000 AD domain - and/or -
Other ways to plug the hole. (Patches or any other method)

Thanks in advance,

Marty Henderson
 
Joe Richards [MVP]

There is no current way to ACL the rootdse with AD.

Honestly, why do you feel you have a risk? What below do you not want people on your network to know?

F:\Downloads\FordVPN>adfind -b -s base

AdFind V01.12.00cpp Joe Richards ([email protected]) May 2003

Using server: w2kasdc1.joehome.com

dn:
currentTime: 20030927165812.0Z
subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=joehome,DC=com
dsServiceName: CN=NTDS Settings,CN=W2KASDC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=joehome,DC=com
namingContexts: CN=Schema,CN=Configuration,DC=joehome,DC=com
namingContexts: CN=Configuration,DC=joehome,DC=com
namingContexts: DC=joehome,DC=com
defaultNamingContext: DC=joehome,DC=com
schemaNamingContext: CN=Schema,CN=Configuration,DC=joehome,DC=com
configurationNamingContext: CN=Configuration,DC=joehome,DC=com
rootDomainNamingContext: DC=joehome,DC=com
supportedControl: 1.2.840.113556.1.4.319
supportedControl: 1.2.840.113556.1.4.801
supportedControl: 1.2.840.113556.1.4.473
supportedControl: 1.2.840.113556.1.4.528
supportedControl: 1.2.840.113556.1.4.417
supportedControl: 1.2.840.113556.1.4.619
supportedControl: 1.2.840.113556.1.4.841
supportedControl: 1.2.840.113556.1.4.529
supportedControl: 1.2.840.113556.1.4.805
supportedControl: 1.2.840.113556.1.4.521
supportedControl: 1.2.840.113556.1.4.970
supportedControl: 1.2.840.113556.1.4.1338
supportedControl: 1.2.840.113556.1.4.474
supportedControl: 1.2.840.113556.1.4.1339
supportedControl: 1.2.840.113556.1.4.1340
supportedControl: 1.2.840.113556.1.4.1413
supportedLDAPVersion: 3
supportedLDAPVersion: 2
supportedLDAPPolicies: MaxPoolThreads
supportedLDAPPolicies: MaxDatagramRecv
supportedLDAPPolicies: MaxReceiveBuffer
supportedLDAPPolicies: InitRecvTimeout
supportedLDAPPolicies: MaxConnections
supportedLDAPPolicies: MaxConnIdleTime
supportedLDAPPolicies: MaxActiveQueries
supportedLDAPPolicies: MaxPageSize
supportedLDAPPolicies: MaxQueryDuration
supportedLDAPPolicies: MaxTempTableSize
supportedLDAPPolicies: MaxResultSetSize
supportedLDAPPolicies: MaxNotificationPerConn
highestCommittedUSN: 1241438
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: GSS-SPNEGO
dnsHostName: w2kasdc1.joehome.com
ldapServiceName: joehome.com:[email protected]
serverName: CN=W2KASDC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=joehome,DC=com
supportedCapabilities: 1.2.840.113556.1.4.800
supportedCapabilities: 1.2.840.113556.1.4.1791
isSynchronized: TRUE
isGlobalCatalogReady: TRUE


1 Objects returned

F:\Downloads\FordVPN>
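
An added example (not part of either post, and not AdFind's own code): a Python script that parses a rootDSE dump in the `attr: value` layout shown above and lists the facts it gives any reader, which is the question the reply raises. The sample input is constructed with placeholder names (example.test), the function names are hypothetical, and the DN split assumes no escaped commas.

```python
import re

# Constructed sample in the same "attr: value" layout as the dump above,
# using placeholder names (example.test), not values from the thread.
SAMPLE = """\
Using server: dc1.example.test
dn:
namingContexts: CN=Configuration,DC=example,DC=test
namingContexts: DC=example,DC=test
defaultNamingContext: DC=example,DC=test
supportedLDAPVersion: 3
supportedLDAPVersion: 2
supportedSASLMechanisms: GSSAPI
dnsHostName: dc1.example.test
serverName: CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=test
1 Objects returned
"""

# Attribute lines are "name: value"; tool banners and prompts do not match.
ATTR_LINE = re.compile(r"^([A-Za-z][A-Za-z0-9;-]*):(?: (.*))?$")

def parse_rootdse(text):
    """Collect attribute lines into {attr: [values]}."""
    entry = {}
    for line in text.splitlines():
        m = ATTR_LINE.match(line.strip())
        if m and m.group(1).lower() != "dn":
            entry.setdefault(m.group(1), []).append(m.group(2) or "")
    return entry

def dn_parts(dn):
    # Assumption: no escaped commas in the DN (true for the sample).
    return [(k.strip(), v) for k, _, v in (r.partition("=") for r in dn.split(","))]

def disclosed_facts(entry):
    """Summarise what a reader of this rootDSE learns about the directory."""
    ctx = dn_parts(entry.get("defaultNamingContext", [""])[0])
    srv = dn_parts(entry.get("serverName", [""])[0])
    # In serverName, the site name is the RDN right after CN=Servers.
    i = next((n for n, p in enumerate(srv) if p == ("CN", "Servers")), None)
    return {
        "domain": ".".join(v for k, v in ctx if k.upper() == "DC") or None,
        "dc_host": entry.get("dnsHostName", [None])[0],
        "site": srv[i + 1][1] if i is not None and i + 1 < len(srv) else None,
        "sasl": sorted(entry.get("supportedSASLMechanisms", [])),
        "ldap_versions": sorted(entry.get("supportedLDAPVersion", [])),
    }

if __name__ == "__main__":
    print(disclosed_facts(parse_rootdse(SAMPLE)))
```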
 
