LDAP-NullBase

Marty Henderson

I need to plug the LDAP-NullBase vulnerability. NOTE: This is an LDAP
specification problem and not a Microsoft specific hole.

For info about LDAP-NullBase see:
http://xforce.iss.net/xforce/xfdb/1425

I'm in search of two things...

How to set ACL to plug this on a Win2000 AD domain - and/or -
Other ways to plug the hole. (Patches or any other method)

Thanks in advance,

Marty Henderson
 
There is no current way to ACL the rootdse with AD.

Honestly, why do you feel you have a risk? What below do you not want people on your network to know?

F:\Downloads\FordVPN>adfind -b -s base

AdFind V01.12.00cpp Joe Richards ([email protected]) May 2003

Using server: w2kasdc1.joehome.com

dn:
currentTime: 20030927165812.0Z
subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=joehome,DC=com
dsServiceName: CN=NTDS Settings,CN=W2KASDC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=joehome,DC=com
namingContexts: CN=Schema,CN=Configuration,DC=joehome,DC=com
namingContexts: CN=Configuration,DC=joehome,DC=com
namingContexts: DC=joehome,DC=com
defaultNamingContext: DC=joehome,DC=com
schemaNamingContext: CN=Schema,CN=Configuration,DC=joehome,DC=com
configurationNamingContext: CN=Configuration,DC=joehome,DC=com
rootDomainNamingContext: DC=joehome,DC=com
supportedControl: 1.2.840.113556.1.4.319
supportedControl: 1.2.840.113556.1.4.801
supportedControl: 1.2.840.113556.1.4.473
supportedControl: 1.2.840.113556.1.4.528
supportedControl: 1.2.840.113556.1.4.417
supportedControl: 1.2.840.113556.1.4.619
supportedControl: 1.2.840.113556.1.4.841
supportedControl: 1.2.840.113556.1.4.529
supportedControl: 1.2.840.113556.1.4.805
supportedControl: 1.2.840.113556.1.4.521
supportedControl: 1.2.840.113556.1.4.970
supportedControl: 1.2.840.113556.1.4.1338
supportedControl: 1.2.840.113556.1.4.474
supportedControl: 1.2.840.113556.1.4.1339
supportedControl: 1.2.840.113556.1.4.1340
supportedControl: 1.2.840.113556.1.4.1413
supportedLDAPVersion: 3
supportedLDAPVersion: 2
supportedLDAPPolicies: MaxPoolThreads
supportedLDAPPolicies: MaxDatagramRecv
supportedLDAPPolicies: MaxReceiveBuffer
supportedLDAPPolicies: InitRecvTimeout
supportedLDAPPolicies: MaxConnections
supportedLDAPPolicies: MaxConnIdleTime
supportedLDAPPolicies: MaxActiveQueries
supportedLDAPPolicies: MaxPageSize
supportedLDAPPolicies: MaxQueryDuration
supportedLDAPPolicies: MaxTempTableSize
supportedLDAPPolicies: MaxResultSetSize
supportedLDAPPolicies: MaxNotificationPerConn
highestCommittedUSN: 1241438
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: GSS-SPNEGO
dnsHostName: w2kasdc1.joehome.com
ldapServiceName: joehome.com:[email protected]
serverName: CN=W2KASDC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=joehome,DC=com
supportedCapabilities: 1.2.840.113556.1.4.800
supportedCapabilities: 1.2.840.113556.1.4.1791
isSynchronized: TRUE
isGlobalCatalogReady: TRUE


1 Objects returned

F:\Downloads\FordVPN>
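
An added example, not part of the thread and not either poster's code: a small Python parser for a rootDSE dump in the layout shown in the reply above, grouping what the unauthenticated base search discloses so an administrator can review it. The sample input is constructed, and the function names and the example.com host and domain names are assumptions.

```python
import re

# Constructed sample in the layout shown above; names are placeholders.
SAMPLE = r"""C:\work>adfind -b -s base
Using server: dc1.example.com
dn:
namingContexts: CN=Configuration,DC=example,DC=com
namingContexts: DC=example,DC=com
defaultNamingContext: DC=example,DC=com
supportedLDAPVersion: 3
supportedLDAPVersion: 2
supportedSASLMechanisms: GSSAPI
dnsHostName: dc1.example.com
serverName: CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
isGlobalCatalogReady: TRUE
1 Objects returned
"""

# Attribute lines are "name: value"; banners, prompts and counters do not match.
LINE = re.compile(r"^([A-Za-z][A-Za-z0-9;-]*):(?: (.*))?$")

def parse_rootdse(text):
    """Collect multi-valued attributes, skipping non-attribute lines and the empty dn."""
    attrs = {}
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m and m.group(1) != "dn":
            attrs.setdefault(m.group(1), []).append(m.group(2) or "")
    return attrs

def dn_to_domain(dn):
    """DC=example,DC=com -> example.com (naive split; escaped commas not handled)."""
    return ".".join(p[3:] for p in dn.split(",") if p.upper().startswith("DC="))

def exposure_summary(attrs):
    """Group what the anonymous rootDSE read reveals, for an administrator's review."""
    first = lambda key: (attrs.get(key) or [""])[0]
    site = re.search(r"CN=Servers,CN=([^,]+),CN=Sites", first("serverName"))
    return {
        "dns_domain": dn_to_domain(first("defaultNamingContext")),
        "dc_hostname": first("dnsHostName"),
        "site": site.group(1) if site else "",
        "naming_contexts": attrs.get("namingContexts", []),
        "sasl_mechanisms": attrs.get("supportedSASLMechanisms", []),
        "ldap_versions": sorted(attrs.get("supportedLDAPVersion", [])),
        "is_global_catalog": first("isGlobalCatalogReady") == "TRUE",
    }
```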
 