Anonymous Enumeration: a serious threat to Active Directory

Discussion in 'Computer Security' started by Eric Anderson, Nov 8, 2003.

    Hello

    I'm trying to test Windows 2003 security. I've set up an Active Directory
    and subjected it to non-firewalled access from the internet to see how it
    would survive.
    Some policies I set up:

    Network access: Allow anonymous SID/Name translation - Disabled
    Network access: Do not allow anonymous enumeration of SAM accounts - Enabled
    Network access: Do not allow anonymous enumeration of SAM accounts and shares - Enabled
    Network access: Let Everyone permissions apply to anonymous users - Disabled
    Network access: Restrict anonymous access to Named Pipes and Shares - Enabled

    BUT: to my shocking revelation I found out it could enumerate data from my
    Active Directory despite this.

    MY QUESTION: How can I protect my Active Directory from anonymous
    enumeration?

    The log entry is included:

    Event Type: Success Audit
    Event Source: Security
    Event Category: Directory Service Access
    Event ID: 565
    Date: 2003-11-08
    Time: 21:00:08
    User: NT AUTHORITY\ANONYMOUS LOGON
    Computer: <My Computer>
    Description:
    Object Open:
    Object Server: Security Account Manager
    Object Type: SAM_SERVER
    Object Name: CN=Server,CN=System,DC=<Mydomain>,DC=<MyD>,DC=<TLD>
    Handle ID: 51442368
    Operation ID: {0,1796199}
    Process ID: 572
    Process Name: C:\WINDOWS\system32\lsass.exe
    Primary User Name: SALLY$
    Primary Domain: <My Domain>
    Primary Logon ID: (0x0,0x3E7)
    Client User Name: ANONYMOUS LOGON
    Client Domain: NT AUTHORITY
    Client Logon ID: (0x0,0x1B6671)
    Accesses: READ_CONTROL
    InitializeServer
    EnumerateDomains
    Undefined Access (no effect) Bit 7

    Privileges: -

    Properties:
    ---
    samServer

    Access Mask: 0
    Regards
    Eric
    (Remove the fast cat to mail me!)
     
    Eric Anderson, Nov 8, 2003
    #1
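As an added example (not code from Eric's post), the PowerShell below checks the same configuration his post is about on the domain controller itself: the registry values that store the "Network access" policies he lists, the NullSessionPipes/NullSessionShares exception lists, the membership of the Pre-Windows 2000 Compatible Access group (on a DC, Everyone or ANONYMOUS LOGON in that group lets a null session read the directory regardless of those policies), and it flags Security-log Event ID 565 entries that match his log entry (ANONYMOUS LOGON opening SAM_SERVER with EnumerateDomains). The registry value names are the standard ones behind those policies; the sample event text is constructed from the post; the domain name in it is a placeholder. Get-EventLog assumes Windows PowerShell is installed on the DC.

```powershell
# Added example, not part of the original post: audit the settings behind the
# "Network access" policies and look for anonymous SAM enumeration in the Security log.
# Run in an elevated PowerShell session on the domain controller.

$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$srv = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters'

# Each policy from the post, the registry value that stores it, and the hardened value.
# "Allow anonymous SID/Name translation" is kept in the LSA policy database, not the
# registry; check it with "secedit /export /cfg lsa.inf" (LSAAnonymousNameLookup = 0).
$policies = @(
    @{ Policy = 'Do not allow anonymous enumeration of SAM accounts';            Path = $lsa; Name = 'RestrictAnonymousSAM';      Want = 1 }
    @{ Policy = 'Do not allow anonymous enumeration of SAM accounts and shares'; Path = $lsa; Name = 'RestrictAnonymous';         Want = 1 }
    @{ Policy = 'Let Everyone permissions apply to anonymous users';             Path = $lsa; Name = 'EveryoneIncludesAnonymous'; Want = 0 }
    @{ Policy = 'Restrict anonymous access to Named Pipes and Shares';           Path = $srv; Name = 'RestrictNullSessAccess';    Want = 1 }
)

function Test-AnonymousAccessPolicy {
    # One row per policy: the live registry value and whether it matches the hardened value.
    foreach ($p in $policies) {
        $item   = Get-ItemProperty -Path $p.Path -Name $p.Name -ErrorAction SilentlyContinue
        $actual = if ($null -ne $item) { $item.($p.Name) } else { $null }   # $null = value not set
        New-Object PSObject -Property @{
            Policy   = $p.Policy
            Value    = $p.Name
            Actual   = $actual
            Expected = $p.Want
            Hardened = ($actual -eq $p.Want)
        }
    }
}

function Get-NullSessionExceptions {
    # Pipes and shares that remain reachable by a null session even with RestrictNullSessAccess = 1.
    $params = Get-ItemProperty -Path $srv -ErrorAction SilentlyContinue
    New-Object PSObject -Property @{
        NullSessionPipes  = @($params.NullSessionPipes)  -join ', '
        NullSessionShares = @($params.NullSessionShares) -join ', '
    }
}

function Get-PreWin2000CompatibleMembers {
    # Built-in group on a DC whose members get read access to directory objects.
    # Everyone or ANONYMOUS LOGON here is what usually explains anonymous reads.
    $out = net localgroup 'Pre-Windows 2000 Compatible Access' 2>$null
    $out | Where-Object { $_ -and $_ -notmatch '^(Alias name|Comment|Members|-{5,}|The command completed)' }
}

function Test-AnonymousSamEnumeration {
    # True when a 565 message shows a null session opening the SAM server and enumerating domains.
    param([string]$Message)
    ($Message -match 'Object Type:\s+SAM_SERVER') -and
    ($Message -match 'Client User Name:\s+ANONYMOUS LOGON') -and
    ($Message -match 'EnumerateDomains')
}

function Get-AnonymousSamEnumerationEvents {
    # Scans the newest Event ID 565 entries of the Security log for that pattern.
    param([int]$Newest = 500)
    Get-EventLog -LogName Security -InstanceId 565 -Newest $Newest -ErrorAction SilentlyContinue |
        Where-Object { Test-AnonymousSamEnumeration $_.Message } |
        Select-Object TimeGenerated, Index, @{ Name = 'Client'; Expression = { 'NT AUTHORITY\ANONYMOUS LOGON' } }
}

# Constructed sample modelled on the event text in the post (domain name is a placeholder).
$sample = @"
Object Open:
Object Server: Security Account Manager
Object Type: SAM_SERVER
Object Name: CN=Server,CN=System,DC=example,DC=test
Client User Name: ANONYMOUS LOGON
Client Domain: NT AUTHORITY
Accesses: READ_CONTROL
InitializeServer
EnumerateDomains
"@

Test-AnonymousAccessPolicy | Format-Table Policy, Value, Actual, Expected, Hardened -AutoSize
Get-NullSessionExceptions
"Pre-Windows 2000 Compatible Access members:"
Get-PreWin2000CompatibleMembers
"Sample 565 text flagged as anonymous SAM enumeration: $(Test-AnonymousSamEnumeration $sample)"
Get-AnonymousSamEnumerationEvents | Format-Table -AutoSize
```

Any row with Hardened = False, any entry in the exception lists you did not add yourself, or Everyone / ANONYMOUS LOGON among the group members is a finding to fix before re-testing; the event scan then tells you whether null sessions are still reaching the SAM server afterwards.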