
How to remediate – AD Starter Scan – Null sessions

1. Introduction

The vulnerability “AD Starter Scan – Null sessions” occurs when the Everyone and ANONYMOUS LOGON identities are members of the Pre-Windows 2000 Compatible Access group, which has read permission on Active Directory objects, so a client that has not authenticated at all can read user, group and computer attributes. An attacker can use that information to pick targets (valid account names, machine names, group membership) and then carry out brute-force attacks against the domain. Confidentiality is the main impact; integrity is at risk if the enumerated information leads to further access. The AD Starter Scan is aimed at smaller deployments (up to 5000 users, groups and machines), but the misconfiguration itself does not depend on domain size.

2. Technical Explanation

The Pre-Windows 2000 Compatible Access group (in the Builtin container) dates from the introduction of Active Directory: it exists so that Windows NT 4.0 systems, such as RAS servers that read a user's dial-in settings, could keep reading domain data under the new Windows 2000 permission model. When a domain was created with “permissions compatible with pre-Windows 2000 servers”, the group contains the Everyone and ANONYMOUS LOGON identities, and its read permissions on user, group and computer objects are thereby extended to null sessions. Since Windows XP and Windows Server 2003 the Everyone identity no longer includes anonymous connections (unless the policy ‘Network access: Let Everyone permissions apply to anonymous users’ is enabled), which is why ANONYMOUS LOGON appears as a separate member and both must be removed. An attacker exploits this by querying the directory without credentials and enumerating users, groups and machines. Note that on Windows Server 2003 and later an anonymous LDAP client can only read the rootDSE unless the forest's dsHeuristics attribute has also been changed, so an anonymous LDAP search failing does not on its own prove the group is clean; the group membership is the thing to check.

  • Root cause: The Everyone and ANONYMOUS LOGON identities are members of the Pre-Windows 2000 Compatible Access group, which has read permission on user, group and computer objects.
  • Exploit mechanism: An attacker uses Nmap scripts, ldapsearch, rpcclient or similar tools to enumerate Active Directory data without providing credentials.
  • Scope: Any domain that was created with pre-Windows 2000 compatible permissions, or upgraded from Windows NT 4.0, and has not since been cleaned up. The AD Starter Scan covers deployments of up to 5000 users, groups and machines.

3. Detection and Assessment

You can confirm this vulnerability by checking the group's membership in Active Directory Users and Computers or from the command line, and by attempting an anonymous query against a domain controller. Vulnerability scanners such as Nessus also report it.

  • Quick check: Open Active Directory Users and Computers, expand the Builtin container, open the properties of ‘Pre-Windows 2000 Compatible Access’ and look on the Members tab for “Everyone” or “ANONYMOUS LOGON”. “Authenticated Users” is the normal default member and is not a finding.
  • Scanning: Nessus plugin ID 16389 can detect this vulnerability.
  • Logs and evidence: A null session shows up in the domain controller's Security log as Event ID 4624 (An account was successfully logged on) with logon type 3 (network) and the account name ANONYMOUS LOGON; the source address and workstation name are in the event. Event ID 4768 is a Kerberos TGT request, which anonymous access never generates, so it is not useful here.
  • Command line: list the group's members with dsquery and dsget; well-known identities are shown as foreign security principals, so ANONYMOUS LOGON appears as S-1-5-7 and Everyone as S-1-1-0.
dsquery group -name "Pre-Windows 2000 Compatible Access" | dsget group -members

4. Solution / Remediation Steps

Remove the ANONYMOUS LOGON and Everyone identities from the Pre-Windows 2000 Compatible Access group to prevent unauthenticated access to Active Directory data. Leave Authenticated Users in the group if it is present: that is the default membership of a domain created on Windows Server 2003 or later and it does not grant unauthenticated access.

4.1 Preparation

  • No services need to be stopped for this change; it is an ordinary group membership change and replicates like any other directory update.
  • Before the change, inventory anything that still reads the directory without authenticating (Windows NT 4.0-era servers, legacy applications doing anonymous LDAP binds), since those are what the change will break.
  • Roll back: Add the ANONYMOUS LOGON and Everyone identities back to the group if needed. A change window may be required depending on your organisation’s policies.

4.2 Implementation

  1. Step 1: Open Active Directory Users and Computers and expand the Builtin container.
  2. Step 2: Open the properties of the ‘Pre-Windows 2000 Compatible Access’ group and select the Members tab.
  3. Step 3: Select “ANONYMOUS LOGON” and click Remove.
  4. Step 4: Select “Everyone” and click Remove, then click OK.

4.3 Config or Code Example

Before

Members: ANONYMOUS LOGON, Everyone (Authenticated Users may also be present)

After

Members: (empty, or Authenticated Users only if it was already present)

4.4 Security Practices Relevant to This Vulnerability

Least privilege is the most relevant practice here. By removing unnecessary permissions from default groups, you reduce the attack surface and limit potential damage from exploitation.

  • Practice 1: Least privilege – only grant users and groups the minimum necessary permissions to perform their tasks.

4.5 Automation (Optional)

#Requires -RunAsAdministrator
#Requires -Modules ActiveDirectory
Import-Module ActiveDirectory
$groupName = "Pre-Windows 2000 Compatible Access"
# Well-known SIDs: S-1-5-7 = ANONYMOUS LOGON, S-1-1-0 = Everyone.
# Authenticated Users (S-1-5-11) is the modern default member and is left in place.
$sidsToRemove = @("S-1-5-7", "S-1-1-0")
# The Members attribute holds distinguished names (for these identities, entries under
# CN=ForeignSecurityPrincipals), so each one is resolved to its objectSid before comparing;
# comparing the raw DN list against a SID string never matches.
$group = Get-ADGroup -Identity $groupName -Properties Members
foreach ($dn in $group.Members) {
    $member = Get-ADObject -Identity $dn -Properties objectSid
    if ($sidsToRemove -contains $member.objectSid.Value) {
        Remove-ADGroupMember -Identity $groupName -Members $dn -Confirm:$false
        Write-Output "Removed $($member.Name) ($($member.objectSid.Value)) from $groupName"
    }
}

5. Verification / Validation

Verify the fix by checking the group membership again and by attempting to query Active Directory anonymously, ideally from a host that is not domain-joined.

  • Post-fix check: Open Active Directory Users and Computers, open ‘Pre-Windows 2000 Compatible Access’ in the Builtin container, and confirm that neither “Everyone” nor “ANONYMOUS LOGON” is listed on the Members tab.
  • Re-test: Run the dsquery/dsget command below (the same one as in section 3) and verify that its output contains neither ANONYMOUS LOGON nor Everyone; they would appear as the foreign security principals S-1-5-7 and S-1-1-0.
  • Smoke test: Verify users can still log in and that applications that read the directory still work; anything that breaks was relying on anonymous access.
  • Monitoring: Watch the domain controllers' Security logs for Event ID 4624 with account name ANONYMOUS LOGON and logon type 3. After the change these should be rare, and a burst from a single source address is worth investigating.
dsquery group -name "Pre-Windows 2000 Compatible Access" | dsget group -members
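The following script is an added example, not part of the original article or of the AD Starter Scan tooling. It combines the membership check from section 3 with the anonymous-query re-test from this section: one function resolves each member of the group to its SID and reports only the identities that grant unauthenticated access, the other performs an anonymous LDAP bind and tries to read the krbtgt account, which exists in every domain. It assumes the ActiveDirectory PowerShell module, a domain controller reachable as dc01.corp.example and the search base DC=corp,DC=example; those names are placeholders to replace. The membership check needs a domain account; the LDAP probe deliberately uses no credentials.

```powershell
#Requires -Modules ActiveDirectory
Import-Module ActiveDirectory
Add-Type -AssemblyName System.DirectoryServices.Protocols

# Identities that must not be in the group. Authenticated Users (S-1-5-11) is the
# normal post-Windows 2000 default member and is deliberately not flagged.
$UnwantedSids = @{ 'S-1-5-7' = 'ANONYMOUS LOGON'; 'S-1-1-0' = 'Everyone' }

function Get-PreWin2000Findings {
    # Resolves every member DN of the group to its objectSid and returns the ones
    # that grant unauthenticated read access. No output means the group is clean.
    param([string]$GroupName = 'Pre-Windows 2000 Compatible Access')
    $group = Get-ADGroup -Identity $GroupName -Properties Members
    foreach ($dn in $group.Members) {
        $obj = Get-ADObject -Identity $dn -Properties objectSid
        $sid = $obj.objectSid.Value
        if ($UnwantedSids.ContainsKey($sid)) {
            [pscustomobject]@{ Group = $GroupName; Member = $UnwantedSids[$sid]; Sid = $sid; DN = $dn }
        }
    }
}

function Test-AnonymousLdapRead {
    # Binds to a domain controller with no credentials and tries to read the krbtgt
    # account. A hardened DC refuses the search (only the rootDSE is readable
    # anonymously); a DC that returns the entry is exposing directory data to null sessions.
    param(
        [Parameter(Mandatory)][string]$DomainController,   # placeholder: 'dc01.corp.example'
        [Parameter(Mandatory)][string]$SearchBase          # placeholder: 'DC=corp,DC=example'
    )
    $conn = [System.DirectoryServices.Protocols.LdapConnection]::new($DomainController)
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Anonymous
    $conn.SessionOptions.ProtocolVersion = 3
    try {
        $conn.Bind()   # the anonymous bind itself is accepted; the search is the real test
        $req = [System.DirectoryServices.Protocols.SearchRequest]::new(
            $SearchBase, '(&(objectClass=user)(sAMAccountName=krbtgt))',
            [System.DirectoryServices.Protocols.SearchScope]::Subtree,
            [string[]]@('sAMAccountName'))
        $resp = $conn.SendRequest($req)
        [pscustomobject]@{
            DomainController     = $DomainController
            AnonymousReadAllowed = ($resp.Entries.Count -gt 0)
            Detail               = "$($resp.Entries.Count) entries returned"
        }
    } catch {
        # A hardened DC answers with an operations error ("a successful bind must be
        # completed on the connection"); a DC that is unreachable also lands here, so
        # read Detail before treating the result as a pass.
        [pscustomobject]@{
            DomainController     = $DomainController
            AnonymousReadAllowed = $false
            Detail               = "$($_.Exception.GetType().Name): $($_.Exception.Message)"
        }
    } finally {
        $conn.Dispose()
    }
}

# Usage with the placeholder names from the lead-in.
Get-PreWin2000Findings | Format-Table -AutoSize
Test-AnonymousLdapRead -DomainController 'dc01.corp.example' -SearchBase 'DC=corp,DC=example'
```

Treat the two results together: an empty finding list plus AnonymousReadAllowed = False is the expected post-fix state. A failed anonymous search on its own is not proof, because on Windows Server 2003 and later anonymous LDAP operations are blocked by dsHeuristics regardless of this group, which is why the membership check is the authoritative one.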

6. Preventive Measures and Monitoring

Regular security baselines and policy reviews can prevent this issue by ensuring default configurations are secure.

  • Baselines: Update your Active Directory security baseline to include removing Everyone from the Pre-Windows 2000 Compatible Access group.
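As an added monitoring example (not from the original article), the function below pulls the null-session logons that the sections above describe, Event ID 4624 with logon type 3 and the account ANONYMOUS LOGON, from a domain controller's Security log and summarises them per source address. The filter runs server-side through an XPath query so that only the matching events are transferred, and fields are read by name from the event XML rather than by position. The computer name dc01 and the 24-hour window are placeholder assumptions; the function assumes default logon auditing, which records 4624 on domain controllers.

```powershell
function Get-AnonymousNetworkLogons {
    # Summarises anonymous (null-session) network logons on a domain controller.
    param(
        [string]$ComputerName = $env:COMPUTERNAME,   # a domain controller
        [int]$Hours = 24
    )
    $ms = $Hours * 3600 * 1000
    # Server-side filter: 4624 in the window, account ANONYMOUS LOGON, logon type 3 (network).
    $xpath = "*[System[EventID=4624 and TimeCreated[timediff(@SystemTime) <= $ms]] and " +
             "EventData[Data[@Name='TargetUserName']='ANONYMOUS LOGON' and Data[@Name='LogonType']='3']]"
    Get-WinEvent -ComputerName $ComputerName -LogName Security -FilterXPath $xpath -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Pull named EventData fields from the XML instead of relying on Properties[] positions.
            $data = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            [pscustomobject]@{
                Time        = $_.TimeCreated
                SourceIp    = $data['IpAddress']
                Workstation = $data['WorkstationName']
                AuthPackage = $data['AuthenticationPackageName']
            }
        } |
        Group-Object SourceIp |
        Sort-Object Count -Descending |
        Select-Object @{ n = 'SourceIp'; e = { $_.Name } }, Count,
                      @{ n = 'LastSeen';     e = { ($_.Group | Sort-Object Time | Select-Object -Last 1).Time } },
                      @{ n = 'Workstations'; e = { ($_.Group.Workstation | Sort-Object -Unique) -join ',' } }
}

# Usage with the placeholder DC name from the lead-in.
Get-AnonymousNetworkLogons -ComputerName 'dc01' -Hours 24 | Format-Table -AutoSize
```

Some ANONYMOUS LOGON network logons are normal (SMB session setup before authentication, for example), so record a baseline before the change and alert on new source addresses or a sharp rise in count rather than on any single event.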

7. Risks, Side Effects, and Roll Back

Removing these identities should not affect normal Active Directory operation. Systems that still read the directory without authenticating (the Windows NT 4.0-era case the group was created for, or an application doing anonymous LDAP binds) will lose that access and need a service account or replacement.

  • Risk or side effect 1: Older applications that rely on anonymous LDAP queries or null-session access may stop working.
  • Roll back: Step 1: Open Active Directory Users and Computers and expand the Builtin container. Step 2: Open the properties of the ‘Pre-Windows 2000 Compatible Access’ group. Step 3: Add the “ANONYMOUS LOGON” identity back to the members list. Step 4: Add the “Everyone” identity back to the members list.

8. References and Resources

Updated on December 27, 2025
