
Security Issue: Active Directory distinguishes between wrong user name and wrong password


Hi,

It seems that Active Directory gives a different error message if a user attempts to log in using LDAP with an invalid user name versus trying to log in with an invalid password. This is a security issue as it allows a hacker to find valid login user names by simply trying lots of logins with different names and inspecting the error message.

Is there any option or way to turn off these error messages so that information about accounts existing is not leaked?

To be secure it should give the exact same error if you try to log in using a non-existent user account versus a correct user account name but wrong password.

Here is an example of this security issue using the open source ldapsearch.exe tool:

First let's try to log in using a user account name that does not exist:

ldapsearch -v -R -b "DC=serena,DC=com" -D "CN=badusername,OU=Development,OU=Serena Service Accounts,DC=serena,DC=com" -w somepassword -h myadserver -p 389 "(objectClass=person)"

ldap_open( myadserver, 389 )
ldap_bind: Invalid credentials
ldap_bind: additional info: 80090308: LdapErr: DSID-0C0903AA, comment: AcceptSecurityContext error, data 525, v1772

Note that error code 525 was returned.

Now let's try logging in as a valid user account (one that exists) but with a wrong password:

ldapsearch -v -R -b "DC=serena,DC=com" -D "CN=goodusername,OU=Development,OU=Serena Service Accounts,DC=serena,DC=com" -w somepassword -h myadserver -p 389 "(objectClass=person)"

ldap_open( myadserver, 389 )
ldap_bind: Invalid credentials
ldap_bind: additional info: 80090308: LdapErr: DSID-0C0903AA, comment: AcceptSecurityContext error, data 52e, v1772

Note that I got error code 52e when the user name was correct but password was wrong.

So all a hacker has to do is attempt many different logins using different user names and test the error code.

If he gets a 52e then he knows he has found a good account that actually exists and he can now go and try to guess the password.

Anyone know any way to stop AD leaking this information?
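Since the sub-code cannot be hidden from the client, one defensive option is to watch for the pattern the post describes on the server or proxy side. The following is an added example, not code from the post: it parses the `data` sub-code out of the `AcceptSecurityContext` text shown above and flags any client that bound with many distinct DNs and received 525 for them. The `client | bind DN | error text` log format, the IP addresses, and the 533/775 sub-codes are assumptions of the example.

```python
import re
from collections import defaultdict

# "data" sub-codes from the AcceptSecurityContext error text. 525 and 52e are
# the values shown in the post; 533 and 775 are other commonly documented
# sub-codes (assumption of this example, not stated in the post).
SUBCODE_MEANING = {
    "525": "user not found",
    "52e": "invalid credentials (account exists, wrong password)",
    "533": "account disabled",
    "775": "account locked out",
}
BIND_ERR = re.compile(r"AcceptSecurityContext error, data (?P<code>[0-9a-fA-F]{3})")

def parse_line(line):
    """Parse a constructed 'client | bind DN | LDAP error text' log record."""
    parts = [p.strip() for p in line.split(" | ", 2)]
    if len(parts) != 3:
        return None
    m = BIND_ERR.search(parts[2])
    if not m:
        return None
    code = m["code"].lower()
    return {"src": parts[0], "dn": parts[1], "code": code,
            "meaning": SUBCODE_MEANING.get(code, "unknown sub-code")}

def enumeration_suspects(lines, threshold=5):
    """A client that binds with many distinct DNs and gets 525 on them is
    sweeping for names; report it with any DNs it has confirmed via 52e."""
    not_found, confirmed = defaultdict(set), defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["code"] == "525":
            not_found[rec["src"]].add(rec["dn"])
        elif rec["code"] == "52e":
            confirmed[rec["src"]].add(rec["dn"])
    return {src: {"unknown_names_tried": len(dns),
                  "confirmed_accounts": sorted(confirmed[src])}
            for src, dns in not_found.items() if len(dns) >= threshold}

# Constructed sample log: one real user with a typo, one client sweeping names.
BASE = "OU=Development,OU=Serena Service Accounts,DC=serena,DC=com"
def _rec(src, cn, code):
    return (f"{src} | CN={cn},{BASE} | 80090308: LdapErr: DSID-0C0903AA, "
            f"comment: AcceptSecurityContext error, data {code}, v1772")

SAMPLE_LOG = [_rec("10.0.0.5", "goodusernme", "525"), _rec("10.0.0.5", "goodusername", "52e")]
SAMPLE_LOG += [_rec("10.0.0.9", f"guess{i}", "525") for i in range(6)]
SAMPLE_LOG.append(_rec("10.0.0.9", "goodusername", "52e"))
```

The threshold separates a single mistyped DN from a sweep; tune it to how many distinct bind DNs one legitimate client normally uses.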
