AD Starter Scan - Null sessions

medium Nessus Plugin ID 150488
New! Plugin Severity Now Using CVSS v3

The calculated severity for Plugins has been updated to use CVSS v3 by default. Plugins that do not have a CVSS v3 score will fall back to CVSS v2 for calculating severity. Severity display preferences can be toggled in the settings dropdown.

Synopsis

The Anonymous or Everyone foreign security principal is part of the 'Pre-Windows 2000 Compatible Access' group.

Description

When Microsoft released the first version of Active Directory, an option was added to enable compatibility with older systems. This was done by adding a Pre-Windows 2000 Compatible Access group, with read permissions on the majority of the domain objects and configuration data. When compatibility with legacy systems is allowed, this group is populated with the Everyone identity, which contains the Anonymous user. This allows unauthenticated users to read all the configuration data in the domain. An attacker can use this feature to discover targets or carry out brute-force attacks.

Note: This plugin is part of the Active Directory Starter Scan Template and is meant to be used for preliminary analysis of AD hosts. For more information on the issues discovered by the Active Directory Starter Scan plugins, please refer to this blog post - https://www.tenable.com/blog/new-in-nessus-find-and-fix-these-10-active-directory-misconfigurations

Solution

The following members of the Pre-Windows 2000 compatible access group should be removed:
- ANONYMOUS, with SID S-1-5-7
- EVERYONE, with SID S-1-1-0

See Also

http://www.nessus.org/u?ac42f589

https://msdn.microsoft.com/en-us/library/cc223672.aspx

http://www.nessus.org/u?95884119

http://www.nessus.org/u?d5c4c81f

Plugin Details

Severity: Medium

ID: 150488

File Name: adsi_null_session.nbin

Version: 1.9

Type: local

Agent: windows

Family: Windows

Published: 7/29/2021

Updated: 9/16/2021

Dependencies: adsi_enum.nbin

Risk Information

CVSS Score Source: manual

CVSS Score Rationale: Score based on an in-depth analysis by tenable.

CVSS v2

Risk Factor: Medium

Base Score: 6.4

Vector: AV:N/AC:L/Au:N/C:P/I:P/A:N

CVSS v3

Risk Factor: Medium

Base Score: 6.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Vulnerability Information

CPE: cpe:/a:microsoft:active_directory

Required KB Items: Secret/adsi/username/0, Secret/adsi/password/0, adsi/host/0, adsi/domain/0, adsi_enum_group_memberships/available