CUI

Vulnerability V-243503


V-243503

CAT II

Anonymous Access to AD forest data above the rootDSE level must be disabled.

Ships Affected: 1
Total Findings: 1
Open: 0
Closed: 1

Check Text

1. At the command line prompt enter (on a single line):

dsquery * "cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration,dc=[forest-name]" -scope base -attr *

(Where dc=[forest-name] is the fully qualified LDAP name of the forest root domain. The Configuration partition is forest-wide, so the value returned is the same on every domain controller in the forest.)

Example: the following is the dsquery command for the vcfn.ost.com forest:

dsquery * "cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration,dc=vcfn,dc=ost,dc=com" -scope base -attr *

2. If the dsHeuristics attribute is listed, note the assigned value.

3. If the dsHeuristics attribute is defined and has a "2" as the 7th character, this is a finding. Examples of values that would be a finding: "0000002", "0010002", "0000002000001". (The 7th character controls anonymous LDAP access above rootDSE. An attribute that is not present, or whose value is shorter than 7 characters, leaves the default in place and is not a finding.)

Supplementary Notes: Domain controllers have this option disabled by default. However, this check verifies that the option has not been enabled. The dsHeuristics option can be configured with the Windows Support Tools Active Directory Service Interfaces Editor (ADSI Edit) console (adsiedit.msc).

Fix Text

Disable anonymous access to AD forest data above the rootDSE level. Using ADSI Edit (adsiedit.msc) or an equivalent LDAP editor, open the object cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration,dc=[forest-name] and set the 7th character of the dsHeuristics attribute to "0", leaving the other characters as they are (or remove the attribute entirely if it holds no other non-default settings). The attribute is forest-wide, so the change made on one writable domain controller replicates to all of them; re-run the check once replication has completed.
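The check and fix above can be done from PowerShell instead of dsquery and ADSI Edit. The following script is an added example, not part of the STIG or of the checklist on this page. It assumes the ActiveDirectory module (RSAT) is available on a domain-joined host, that the account has read rights on the Configuration partition (and write rights when -Remediate is used), and it reads the Configuration naming context from rootDSE so the forest root DN never has to be typed by hand. The script name, the -Remediate and -Server parameters, and the helper Test-AnonLdapAllowed are assumptions made for this example.

```powershell
<#
Added example, not part of the STIG or the checklist above: checks V-243503 with
the ActiveDirectory module and, with -Remediate, applies the fix.
Assumptions: ActiveDirectory PowerShell module (RSAT) installed; run from a domain
member with rights to read (and, for -Remediate, write) the Configuration partition.
#>
[CmdletBinding()]
param(
    [switch]$Remediate,   # without this switch the script only reports
    [string]$Server       # optional DC to query; otherwise the module picks one
)

Import-Module ActiveDirectory -ErrorAction Stop

function Test-AnonLdapAllowed {
    param([string]$DsHeuristics)
    # The STIG counts characters from 1, so the 7th character is index 6.
    # An unset attribute, or one shorter than 7 characters, is the default
    # (anonymous operations above rootDSE blocked) and is not a finding.
    return ($DsHeuristics.Length -ge 7 -and $DsHeuristics[6] -eq '2')
}

$adParams = @{}
if ($Server) { $adParams['Server'] = $Server }

# Configuration NC from rootDSE: same object on every DC in the forest.
$configNC = (Get-ADRootDSE @adParams).configurationNamingContext
$dsDN     = "CN=Directory Service,CN=Windows NT,CN=Services,$configNC"

$dsObject = Get-ADObject -Identity $dsDN -Properties dsHeuristics @adParams
$current  = [string]$dsObject.dsHeuristics   # "" when the attribute is not set

if (-not (Test-AnonLdapAllowed $current)) {
    Write-Output "dsHeuristics='$current' on $dsDN -> not a finding."
    return
}

Write-Warning "dsHeuristics='$current' on $dsDN -> FINDING: 7th character is '2' (anonymous LDAP operations allowed)."

if ($Remediate) {
    # Change only the 7th character; every other flag in the string is kept as found.
    $chars    = $current.ToCharArray()
    $chars[6] = '0'
    $newValue = -join $chars
    Set-ADObject -Identity $dsDN -Replace @{ dsHeuristics = $newValue } @adParams
    Write-Output "dsHeuristics set to '$newValue'. Re-run the check after the change has replicated."
}
```

Run it without parameters to report only; add -Remediate to apply the fix, then confirm with the dsquery command from the check text. The script deliberately rewrites a single character rather than clearing the attribute, because dsHeuristics carries other forest-wide settings (and, beyond the 7th position, every 10th character must keep its fixed value), so blanking it could change behaviour unrelated to this finding.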

STIG Reference

STIG
Active Directory Forest Security Technical Implementation Guide
Version
3
Release
2
Rule ID
SV-243503r1026201_rule

All Occurrences

This vulnerability appears on 1 ship(s)

Ship | Hull # | Source File | Status | Assigned To | Scan Date
USNS MONTFORD POINT | T-ESD-1 | _Reviewed/MONT-DC-003/Checklist/MONT-DC-003_ADForest_V3R2_20251023-171845.ckl | | Unassigned | 2026-01-14T12:57:36.607366