The following vulnerabilities were reported by a Nessus port scan:
Explanation: Null Bind is enabled on the eDirectory LDAP server by default but can be disabled on the server. To enhance the security of the server, disable Null Bind on the LDAP server port 389. For more information, see Section 16.4, Configuring LDAP Objects.
Solution: Disable Null Bind on the server.
Explanation: Information can be retrieved even without prior knowledge of the directory structure. With the help of Null Bind, an anonymous user can query the LDAP server using tools like "LdapMiner."
Solution: Although there is no way to disable this directly, a security threat like this can be minimized by disabling Null Bind.
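After disabling Null Bind, verify the change from a client. The following script is an added example, not NetIQ's or Nessus's own tooling: it hand-encodes the BER for an anonymous simple BindRequest (empty DN, empty password, as defined in RFC 4511), sends it to port 389 and decodes the resultCode from the BindResponse. The function names and the `host`/`port` arguments are assumptions; a resultCode of 0 means the server still accepts the null bind.

```python
import socket

# LDAP resultCode values most likely in a bind reply (RFC 4511, section 4.1.9).
RESULT_CODES = {0: "success", 48: "inappropriateAuthentication",
                49: "invalidCredentials", 53: "unwillingToPerform"}

def ber_len(n):
    """BER length octets: short form below 128, long form otherwise."""
    if n < 128:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def build_null_bind(message_id=1):
    """BindRequest with version 3, empty DN and empty simple password: the null bind."""
    bind = bytes([0x02, 0x01, 0x03])   # version INTEGER 3
    bind += bytes([0x04, 0x00])        # name LDAPDN ""
    bind += bytes([0x80, 0x00])        # authentication [0] simple ""
    bind_req = bytes([0x60]) + ber_len(len(bind)) + bind   # [APPLICATION 0]
    body = bytes([0x02, 0x01, message_id]) + bind_req
    return bytes([0x30]) + ber_len(len(body)) + body       # outer SEQUENCE

def read_tlv(data, pos=0):
    """Decode one BER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                  # long-form length
        count = length & 0x7F
        length = int.from_bytes(data[pos:pos + count], "big")
        pos += count
    return tag, data[pos:pos + length], pos + length

def parse_bind_response(data):
    """Return (messageID, resultCode) from a BindResponse LDAPMessage."""
    tag, msg, _ = read_tlv(data)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    _, mid, pos = read_tlv(msg)                      # messageID INTEGER
    tag, resp, _ = read_tlv(msg, pos)
    if tag != 0x61:                                  # [APPLICATION 1] BindResponse
        raise ValueError("not a BindResponse")
    tag, code, _ = read_tlv(resp)
    if tag != 0x0A:                                  # resultCode ENUMERATED
        raise ValueError("missing resultCode")
    return int.from_bytes(mid, "big"), int.from_bytes(code, "big")

def null_bind_allowed(host, port=389, timeout=5):
    """Probe one server; True means the null bind was accepted (finding still open)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_null_bind())
        _, code = parse_bind_response(sock.recv(4096))   # assumes one short reply
    return code == 0, RESULT_CODES.get(code, "resultCode %d" % code)
```

Run `null_bind_allowed("ldap.example.internal")` against each server after the configuration change; a `(False, ...)` result with a non-zero resultCode confirms the server now rejects anonymous simple binds.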
Explanation: The remote host supports the use of SSL ciphers that offer either weak encryption or no encryption at all.
Solution: Reconfigure the affected application, if possible, to avoid use of weak ciphers.
Explanation: This host is a NetIQ eDirectory server, and has Browse rights on the PUBLIC object.
Solution: If applications using eDirectory do not depend on having PUBLIC rights, assign the rights given to PUBLIC to authenticated users (ROOT) only. If this is an external system, it is recommended to block access to port 524 from the Internet.
Explanation: The X.509 certificate of the remote host is not signed by a known public certificate authority. If the remote host is a public host in production, this nullifies the use of SSL, as anyone can establish a connection in the middle and attack the remote host.
Solution: This occurs when the client application does not have the certificate of the certificate authority that signed the server's certificate in its trusted certificate store. Purchase a certificate from a known certificate authority for the server and deploy it. Or, if the server's certificate has been issued either by the tree's organizational certificate authority or by an external or third-party certificate authority, import or add the certificate authority's certificate into the application's trusted certificate store.