| Vuln ID | Severity | Asset | STIG | Title | Status | Doc Status | Assigned To | Actions |
|---|---|---|---|---|---|---|---|---|
| V-243503 | CAT II | MONT-DC-003 | Active Directory Forest Security Technic... | Anonymous Access to AD forest data above the rootD... | - | |||
Check Text1. At the command line prompt enter (on a single line): dsquery * "cn=Directory Service, cn=Windows NT,cn=Services,cn=Configuration,dc=[forest-name]" -scope base -attr * (Where dc=[forest-name] is the fully qualified LDAP name of the root of the domain being reviewed.) Example: The following is an example of the dsquery command for the vcfn.ost.com forest. dsquery * "cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration, dc=vcfn,dc=ost,dc=com -scope base -attr * 2. If the dsHeuristics attribute is listed, note the assigned value. 3. If the dsHeuristics attribute is defined and has a "2" as the 7th character, then this is a finding. Examples of values that would be a finding as follows: "0000002", "0010002", "0000002000001". (The 7th character controls anonymous access.) Supplementary Notes: Domain controllers have this option disabled by default. However, this check verifies that the option has not been enabled. The dsHeuristics option can be configured with the Windows Support Tools Active Directory Service Interfaces Editor (ADSI Edit) console (adsiedit.msc). Fix TextDisable anonymous access to AD forest data above the rootDSE level. Finding DetailsEvaluate-STIG 1.2507.5 (Scan-ActiveDirectoryForest_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 26BEA1DC84262B8BF520677BDD9DEEBFD409D6A3 ~~~~~ 'dsHeuristics' is not configured.
Source: _Reviewed/MONT-DC-003/Checklist/MONT-DC-003_ADForest_V3R2_20251023-171845.ckl
Scan Date: 2026-01-14T12:57:36.607366
Technology Area: Domain Name System
|
||||||||