Guide to Microsoft Active Directory rootDSE/C-LDAP security issues

What is C-LDAP in Microsoft Active Directory services?

Active Directory (AD) is a directory service developed by Microsoft. Active Directory services include AD Certificate Services, AD Domain Services, AD Federation Services, AD Lightweight Directory Services, and AD Rights Management Services. A server running Active Directory Domain Services (AD DS) is called a domain controller.
Among other protocols, Active Directory uses LDAP (Lightweight Directory Access Protocol) on TCP port 389.
It also uses C-LDAP (Connection-less Lightweight Directory Access Protocol) on UDP port 389 for searches against the rootDSE entry.

What is AD rootDSE entry?

The rootDSE entry is created by default during Active Directory configuration, and can be queried by unauthenticated clients (also known as AD-Ping). This entry provides the configuration status of the server, and contains attributes that represent the features, capabilities, and extensions provided by the particular server.


Vulnerabilities:

If your Active Directory is exposed to the Internet, querying the rootDSE entry allows hackers to collect information about your server and AD configuration to perform information gathering and prepare an attack.

Also, since C-LDAP is based on UDP, the rootDSE query can be exploited to perform amplification attacks (the attacker can spoof his target IP address to saturate it with rootDSE replies):
https://www.us-cert.gov/ncas/alerts/TA14-017A

How to verify if your server is vulnerable?

Use the following command from a remote machine, as root, to collect the rootDSE information of  your Active Directory service:
# nmap -Pn -p 389 --script ldap-rootdse <Your-server-IP>

Output sample:

PORT    STATE SERVICE
389/tcp open  ldap
| ldap-rootdse:
| LDAP Results
|   <ROOT>
|       currentTime: 20170000115711.0Z
|       subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=ws2012,DC=ms
|       dsServiceName: CN=NTDS Settings,CN=SERVERNAME,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ws2012,DC=ms
|       namingContexts: DC=ws2012,DC=ms
|       namingContexts: CN=Configuration,DC=ws2012,DC=ms
|       namingContexts: CN=Schema,CN=Configuration,DC=ws2012,DC=ms
|       namingContexts: DC=DomainDnsZones,DC=ws2012,DC=ms
|       namingContexts: DC=ForestDnsZones,DC=ws2012,DC=ms
|       defaultNamingContext: DC=ws2012,DC=ms
|       schemaNamingContext: CN=Schema,CN=Configuration,DC=ws2012,DC=ms
|       configurationNamingContext: CN=Configuration,DC=ws2012,DC=ms
|       rootDomainNamingContext: DC=ws2012,DC=ms
|       supportedControl: supported.extension.OID.
|       supportedLDAPVersion: 3
|       supportedLDAPVersion: 2
|       supportedLDAPPolicies: MaxPoolThreads
|       supportedLDAPPolicies: MaxPercentDirSyncRequests
|       supportedLDAPPolicies: MaxDatagramRecv
|       supportedLDAPPolicies: MaxReceiveBuffer
|       supportedLDAPPolicies: InitRecvTimeout
|       supportedLDAPPolicies: MaxConnections
|       supportedLDAPPolicies: MaxConnIdleTime
|       supportedLDAPPolicies: MaxPageSize
|       supportedLDAPPolicies: MaxBatchReturnMessages
|       supportedLDAPPolicies: MaxQueryDuration
|       supportedLDAPPolicies: MaxTempTableSize
|       supportedLDAPPolicies: MaxResultSetSize
|       supportedLDAPPolicies: MinResultSets
|       supportedLDAPPolicies: MaxResultSetsPerConn
|       supportedLDAPPolicies: MaxNotificationPerConn
|       supportedLDAPPolicies: MaxValRange
|       supportedLDAPPolicies: MaxValRangeTransitive
|       supportedLDAPPolicies: ThreadMemoryLimit
|       supportedLDAPPolicies: SystemMemoryLimitPercent
|       highestCommittedUSN: 15800080
|       supportedSASLMechanisms: GSSAPI
|       supportedSASLMechanisms: GSS-SPNEGO
|       supportedSASLMechanisms: EXTERNAL
|       supportedSASLMechanisms: DIGEST-MD5
|       dnsHostName: SERVER.FQDN
|       ldapServiceName: SERVER.SPN
|       serverName: CN=SERVERNAME,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ws2012,DC=ms
|       supportedCapabilities: supported.capabilities.OID.
|       isSynchronized: TRUE
|       isGlobalCatalogReady: TRUE
|       domainFunctionality: 6
|       forestFunctionality: 6
|_      domainControllerFunctionality: 6


If the command returns a time-out, the service might already be filtered.


Resolution:

Active Directory Domain Services (AD DS) are designed to be accessed by trusted clients inside trusted environments. This means that usually it is not a good idea to expose these services directly to the Internet or, in general, to an environment where untrusted clients can directly access these services.

Different options are available to mitigate this issue and protect your server:
 - Use your firewall to filter inbound connections to your server, and only allow the trusted network IPs/hosts that need to contact your AD DS to access it.
 - Design your AD DS infrastructure with a secure architecture. Depending on your needs, you should review if your architecture requires DirectAccess connectivity (VPN-like feature), or requires AD Federation Services (Web single-sign-on feature):
https://technet.microsoft.com/en-us/library/dd728034%28v=ws.10%29.aspx

Additional best practices for securing active directory:
https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/best-practices-for-securing-active-directory

Additional information for designing your AD DS infrastructure:
https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/ad-ds-design-and-planning

External references:

https://technet.microsoft.com/en-us/library/dd578336%28v=ws.10%29.aspx
https://technet.microsoft.com/en-us/library/dn283324%28v=ws.11%29.aspx
https://technet.microsoft.com/en-us/library/dd772723%28v=ws.10%29.aspx
https://msdn.microsoft.com/en-us/library/cc717362.aspx
https://msdn.microsoft.com/en-us/library/cc223126.aspx#gt_29942b69-e0ed-4fe7-bbbf-1a6a3f9eeeb6
https://msdn.microsoft.com/en-us/library/ms684291%28v=vs.85%29.aspx
https://www.akamai.com/us/en/multimedia/documents/state-of-the-internet/cldap-threat-advisory.pdf
https://www.us-cert.gov/ncas/alerts/TA14-017A
https://technet.microsoft.com/en-us/library/dd728034%28v=ws.10%29.aspx
https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/best-practices-for-securing-active-directory
https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/ad-ds-design-and-planning

Have more questions? Submit a request

0 Comments

Article is closed for comments.
Powered by Zendesk