Anonymous Access to AD forest data above the rootDSE level must be disabled.
For Windows Server 2003 or above, the dsHeuristics option can be configured to override the default restriction on anonymous access to AD data above the rootDSE level. Anonymous access to AD data could provide valuable account or configuration information to an intruder trying to determine the most effective attack strategies.
Disable anonymous access to AD forest data above the rootDSE level.
1. At the command line prompt enter (on a single line): dsquery * "cn=Directory Service, cn=Windows NT,cn=Services,cn=Configuration,dc=[forest-name]" -scope base -attr * (Where dc=[forest-name] is the fully qualified LDAP name of the root of the domain being reviewed.) Example: The following is an example of the dsquery command for the vcfn.ost.com forest. dsquery * "cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration, dc=vcfn,dc=ost,dc=com -scope base -attr * 2. If the dsHeuristics attribute is listed, note the assigned value. 3. If the dsHeuristics attribute is defined and has a “2” as the 7th character, then this is a finding. Examples of values that would be a finding as follows: “0000002”, “0010002”, “0000002000001”. (The 7th character controls anonymous access.) Supplementary Notes: Domain controllers have this option disabled by default. However, this check verifies that the option has not been enabled. The dsHeuristics option can be configured with the Windows Support Tools Active Directory Service Interfaces Editor (ADSI Edit) console (adsiedit.msc).
ECAN-1, ECCD-1, ECCD-2