AnsweredAssumed Answered

QIDs 70003 and 45003

Question asked by Ron Brown on Jul 10, 2013

We have found some information that might be valuable to all Qualys users in regards to QIDs 70003 and 45003.  Both of these QID's have been picked up on all of our Domain Controller servers for quite some time.  In various blogs that I have read and research I have done, I have seen anything from saying that these vulnerabilities do not effect domain controllers (the Qualys solution for 45003 even states that some of the settings Microsoft recommends may not have any effect on DC's), which they got from Microsoft's solution as well, to making several changes in the registry are needed to fix this problem.  None of these made sense for a DC, and/or caused us concern that it would break applications.  


There is a notation in the Qualys Solution for a Microsoft article link to "Description of Dcpromo Permissions Choices" for more information regarding Pre-Windows 2000 Compatible Access, which goes into some detail about setting anonymous access for Pre Windows 2000 machines on domain controllers.  This article gives some idea of where to look, but it does not give the fix to this that we found to work, which I will note below.


In our domain controllers, we found in looking at the Pre-Windows 2000 Compatible Access group, that there was a user named Anonymous in this group.  This user hearkens back to Pre Windows 2000 machines integration into domain controllers with server 2000 and later.  Essentially, this needed to be allowed for applications and machines prior to Windows 2000 to be able to find the Domain Controller and communicate with it.  The fix for these vulnerabilities on Domain Controllers is to remove the Anonymous user from the Pre-Windows 2000 Compatible Access group.  After rescanning our servers after making this change, both vulnerabilities went away.  It would be a good idea to also remove the Everyone group as described in the Microsoft article as well, but not necessary to remove the vulnerabilities, if anyone is afraid of breaking Pre-Windows 2000 applications.