disallowing "null base" in W2K LDAP search?

Post by brew » Thu, 22 Jan 2004 05:25:40

Our network scans are indicating that an LDAP search on our domain controller
gives information when a "null base" is used. Can anyone tell me if it's
possible to disallow this in the LDAP service of a w2k domain controller? I
haven't been able to find any specific info about this possibility.
dale brewe

2. Get rid of LDAP Null Base vulnerability

Our Security Department ran a vulnerability tool and it found something about
null base searches, here's the full description:

"A user can obtain directory listings if LDAP allows a NULL base in an LDAP
If LDAP allows a NULL base in an LDAP search, a user can run a search that
information on "namingContexts" and "supported controls".
An attacker can use this information for malicious activity such as
accessing directory listings."

The solution points to using an ACL in order to prevent this kind of request.

Does anybody know how to prevent Null base searches?
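
For triaging the scanner finding quoted above, an added example that is not part of the original posts: a base-scope search with an empty base DN reads the server's root entry (the root DSE in LDAPv3), so the useful check is whether anonymous results stop at attributes such as namingContexts or also include entries below them. The LDIF sample, the names in it and the function names are constructed for illustration.

```python
import base64

# Constructed sample: LDIF from an anonymous base-scope search with an empty
# base DN, plus one entry from a subtree search (all names are made up).
SAMPLE_LDIF = """\
dn:
namingContexts: DC=example,DC=test
namingContexts: CN=Configuration,DC=example,
 DC=test
supportedControl: 1.2.840.113556.1.4.319

dn: CN=Users,DC=example,DC=test
cn:: VXNlcnM=
"""

def parse_ldif(text):
    """Return [(dn, {attr: [values]})], unfolding lines and decoding base64."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:   # folded continuation line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    lines = [l for l in lines if not l.startswith("#")]   # drop comments
    entries, dn, attrs = [], None, {}
    for line in lines + [""]:               # trailing "" flushes the last entry
        if not line:
            if dn is not None:
                entries.append((dn, attrs))
            dn, attrs = None, {}
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):           # "attr:: <base64>" form
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        if name.lower() == "dn":
            dn = value
        else:
            attrs.setdefault(name, []).append(value)
    return entries

def triage(entries):
    """Separate root-entry attributes (empty DN) from real directory entries."""
    root = {k: v for dn, a in entries if dn == "" for k, v in a.items()}
    listed = [dn for dn, _ in entries if dn]
    return {"root_attributes": sorted(root),
            "naming_contexts": root.get("namingContexts", []),
            "directory_entries": listed}
```

A result with an empty `directory_entries` list means the anonymous client saw only the root entry; any DN listed there is directory data that the ACL review should cover.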
