TCP
Dangerous
Directory
Port 3268 (AD Global Catalog)
Quick Info
Port Number: 3268
Protocol: TCP
Service: AD Global Catalog
IANA Name: msft-gc (Microsoft Global Catalog; the LDAPS variant on 3269 is msft-gc-ssl)
Service Description
TCP port 3268 is the cleartext LDAP listener of the Active Directory Global Catalog (GC). The GC is a partial, read-only replica of every object in every domain of an AD forest, hosted on domain controllers that have been designated GC servers (the first DC in a forest is one by default). Because it holds objects from all domains, an application can find a user, group, computer or printer anywhere in the forest with a single query instead of querying each domain's own LDAP listener (389) in turn. The GC service listens on 3268 for LDAP (cleartext unless the client negotiates StartTLS or SASL signing/sealing) and on 3269 for LDAPS. For each object it stores only the partial attribute set (PAS), the subset of attributes most often searched for (sAMAccountName, userPrincipalName, memberOf and so on); this keeps forest-wide replication traffic far smaller than replicating every attribute to a central server. The protocol is standard LDAPv3, so any LDAP client can talk to it; a search with an empty base DN and subtree scope on 3268 spans all naming contexts the GC holds, i.e. the whole forest. The GC was introduced with Active Directory in Windows 2000 to address the scalability and manageability problems of large, multi-domain environments.
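The following is an added example, not code from the original page or from Microsoft, showing exactly what a client puts on the wire when it talks to the GC listener: a hand-encoded LDAPv3 BindRequest and SearchRequest in BER, a decoder for the result code of the reply, and a helper that sends a message to a GC over a plain socket. The host name and credentials passed to `exchange` are the caller's; nothing here assumes a particular forest. Because the socket is plain TCP, everything this code emits, including a simple-bind password, crosses the network in cleartext.

```python
"""LDAPv3 wire format as sent to a Global Catalog listener (3268).

Added example, not part of the original page. Encodes BindRequest and
SearchRequest by hand with BER, decodes an LDAPResult.resultCode, and can
send a message over a plain socket. No TLS: the bytes are cleartext.
"""
import socket


def ber_len(n: int) -> bytes:
    """BER length: short form below 0x80, long form (0x8N + N bytes) otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(payload)) + payload


def ber_int(v: int) -> bytes:
    # non-negative only; the extra byte keeps the sign bit clear (128 -> 00 80)
    return tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))


def ber_str(s: str) -> bytes:
    return tlv(0x04, s.encode("utf-8"))


def ber_enum(v: int) -> bytes:
    return tlv(0x0A, bytes([v]))


def ber_bool(b: bool) -> bytes:
    return tlv(0x01, b"\xff" if b else b"\x00")


def ber_seq(*items: bytes) -> bytes:
    return tlv(0x30, b"".join(items))


# Filter choices: and [0] -> 0xA0, equalityMatch [3] -> 0xA3, present [7] -> 0x87
def f_and(*filters: bytes) -> bytes:
    return tlv(0xA0, b"".join(filters))


def f_eq(attr: str, value: str) -> bytes:
    return tlv(0xA3, ber_str(attr) + ber_str(value))


def f_present(attr: str) -> bytes:
    return tlv(0x87, attr.encode("utf-8"))


def bind_request(msg_id: int, dn: str = "", password: str = "") -> bytes:
    """[APPLICATION 0] BindRequest, simple auth: the password is sent verbatim."""
    body = ber_int(3) + ber_str(dn) + tlv(0x80, password.encode("utf-8"))
    return ber_seq(ber_int(msg_id), tlv(0x60, body))


def search_request(msg_id: int, base: str, filt: bytes, attrs, scope: int = 2) -> bytes:
    """[APPLICATION 3] SearchRequest. scope: 0 base, 1 one level, 2 subtree.
    Empty base + subtree on 3268 searches every naming context the GC holds."""
    body = (ber_str(base) + ber_enum(scope) + ber_enum(0)   # neverDerefAliases
            + ber_int(0) + ber_int(0) + ber_bool(False)     # no size/time limit, return values
            + filt + ber_seq(*[ber_str(a) for a in attrs]))
    return ber_seq(ber_int(msg_id), tlv(0x63, body))


def ber_read(buf: bytes, off: int = 0):
    """Read one TLV at off; returns (tag, value, next_offset)."""
    tag, ln = buf[off], buf[off + 1]
    off += 2
    if ln & 0x80:                                   # long-form length
        n = ln & 0x7F
        ln = int.from_bytes(buf[off:off + n], "big")
        off += n
    return tag, buf[off:off + ln], off + ln


def result_code(message: bytes) -> int:
    """LDAPResult.resultCode of a BindResponse/SearchResultDone (0 = success, 49 = bad creds)."""
    _, env, _ = ber_read(message)        # LDAPMessage SEQUENCE
    _, _, off = ber_read(env)            # messageID
    _, op, _ = ber_read(env, off)        # protocolOp: 0x61 BindResponse, 0x65 SearchResultDone
    _, code, _ = ber_read(op)            # resultCode ENUMERATED
    return int.from_bytes(code, "big")


def gc_user_enum_messages(user_dn: str = "", password: str = "") -> list:
    """Bind, then ask the GC for every user object in the forest with PAS attributes."""
    filt = f_and(f_eq("objectCategory", "person"), f_eq("objectClass", "user"))
    return [bind_request(1, user_dn, password),
            search_request(2, "", filt, ["sAMAccountName", "userPrincipalName", "memberOf"])]


def exchange(host: str, message: bytes, port: int = 3268, timeout: float = 5.0) -> bytes:
    """Send one LDAP message to a GC over plain TCP; return the raw reply bytes.
    Network call, not exercised offline. Check result_code() before the next message."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(message)
        chunks = []
        try:
            while True:
                c = s.recv(65536)
                if not c:
                    break
                chunks.append(c)
        except socket.timeout:
            pass
    return b"".join(chunks)
```

The anonymous `bind_request(1)` produces the 14-byte sequence `30 0c 02 01 01 60 07 02 01 03 04 00 80 00` that Wireshark decodes as an LDAPv3 simple bind with an empty name, and `search_request(2, "", f_present("objectClass"), ["cn"], scope=0)` is the familiar RootDSE probe. A password passed to `bind_request` appears byte-for-byte inside the message, which is the eavesdropping problem described further down.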
## Firewall Recommendations
Port 3268 should never be reachable from the internet or from untrusted network segments; there is no legitimate reason for a forest-wide directory listener to be exposed externally. Internally, restrict it to the systems that actually need forest-wide lookups (Exchange, SharePoint, identity and audit tooling), using firewall rules that allow only those IP addresses or subnets and drop everything else. Prefer LDAPS on 3269, or StartTLS on 3268, so that queries and credentials are encrypted in transit; on the domain controllers, set "LDAP server signing requirements" to Require signing and enable LDAP channel binding (the hardening Microsoft describes in ADV190023), which rejects unsigned SASL binds and cleartext simple binds rather than merely discouraging them. Keep in mind that the GC serves the same ACLs as the domain partitions, so any authenticated domain user can read most of it; limit membership of broad read groups where your schema allows and treat the port as a reconnaissance surface. Raise Directory Service diagnostic logging for LDAP Interface Events so that events 2887 (daily summary) and 2889 (per-client detail) identify which clients still bind insecurely, and review those logs regularly. Finally, patch the domain controllers that host the GC promptly, since a DC compromise through any other service exposes the entire forest view the GC holds.
Security Information
Port 3268 is essential for forest-wide lookups, but it concentrates risk in two ways. First, it is a reconnaissance goldmine: one listener returns users, groups, computers, organizational units, trust information and group membership for every domain in the forest. Anonymous binds are disabled by default (only the RootDSE is readable unauthenticated), but any low-privileged domain account, including a compromised workstation or service account, can read most of this data and use it to map the AD structure, find privileged accounts and plan the next step. Second, the listener is cleartext LDAP unless the client negotiates StartTLS or SASL signing and sealing. A simple bind on 3268 sends the DN and password in the clear, so an attacker positioned on the path can capture them; even Kerberos or NTLM binds that do not request signing can be relayed or tampered with. LDAPS on 3269 removes the eavesdropping problem, but legacy applications and misconfigured clients often keep using plain 3268, and a DC that does not require signing will accept them. The port is also part of the attack surface of the domain controller itself: weak access controls, weak bind policies or unpatched DC vulnerabilities (see below) turn a query interface into a path to domain compromise.
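As an added example that is not part of the original page, here is detection logic for the cleartext-bind problem just described. When LDAP Interface Events diagnostics are raised to level 2, a domain controller logs Directory Service event 2889 for each client that performs a simple bind over cleartext LDAP (Binding Type 0) or a SASL bind without signing (Binding Type 1). The events below are constructed to match that event's field layout; the IP addresses, account names and the allowlist are placeholders. The code parses the events, aggregates by client and identity, and ranks cleartext simple binds (credentials on the wire) above unsigned SASL binds.

```python
"""Find cleartext or unsigned LDAP binds from Directory Service event 2889.

Added example, not part of the original page. SAMPLE_EVENTS are constructed
to match the field layout of event 2889; addresses and identities are
placeholders. Binding Type 0 = simple bind over cleartext LDAP,
1 = SASL bind without signing.
"""
import re
from collections import Counter

SAMPLE_EVENTS = [
    # constructed: the same service account binding in cleartext twice
    """The following client performed a SASL (Negotiate/Kerberos/NTLM/Digest) LDAP bind without requesting signing (integrity verification), or performed a simple bind over a clear text (non-SSL/TLS-encrypted) LDAP connection.

Client IP address:
10.10.1.20:50107
Identity the client attempted to authenticate as:
CONTOSO\\svc-app
Binding Type:
0""",
    """The following client performed a SASL (Negotiate/Kerberos/NTLM/Digest) LDAP bind without requesting signing (integrity verification), or performed a simple bind over a clear text (non-SSL/TLS-encrypted) LDAP connection.

Client IP address:
10.10.1.20:50211
Identity the client attempted to authenticate as:
CONTOSO\\svc-app
Binding Type:
0""",
    # constructed: a user whose client did a SASL bind without signing
    """The following client performed a SASL (Negotiate/Kerberos/NTLM/Digest) LDAP bind without requesting signing (integrity verification), or performed a simple bind over a clear text (non-SSL/TLS-encrypted) LDAP connection.

Client IP address:
10.10.5.7:61002
Identity the client attempted to authenticate as:
CONTOSO\\jdoe
Binding Type:
1""",
    # constructed: unrelated event text that must be ignored
    "Internal event: Active Directory Domain Services successfully replicated a naming context.",
]

BIND_TYPES = {
    0: "simple bind over cleartext LDAP (credentials exposed)",
    1: "SASL bind without signing (relay/tamper risk)",
}

EVENT_RE = re.compile(
    r"Client IP address:\s*(?P<ip>\S+?):(?P<port>\d+)\s*"
    r"Identity the client attempted to authenticate as:\s*(?P<identity>\S+)\s*"
    r"Binding Type:\s*(?P<btype>\d)",
    re.S,
)


def parse_2889(text: str):
    """Extract client IP/port, identity and binding type; None if not a 2889 body."""
    m = EVENT_RE.search(text)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "port": int(m["port"]),
        "identity": m["identity"],
        "binding_type": int(m["btype"]),
    }


def summarize(events, allowlist=frozenset()):
    """Group 2889 events by (ip, identity, binding type), skipping allowlisted
    client IPs, and return rows with cleartext simple binds first, then by count."""
    counts = Counter()
    for text in events:
        p = parse_2889(text)
        if p and p["ip"] not in allowlist:
            counts[(p["ip"], p["identity"], p["binding_type"])] += 1
    rows = [
        {"ip": ip, "identity": ident, "binding_type": bt,
         "risk": BIND_TYPES.get(bt, "unknown binding type"), "count": n}
        for (ip, ident, bt), n in counts.items()
    ]
    rows.sort(key=lambda r: (r["binding_type"], -r["count"]))
    return rows


if __name__ == "__main__":
    for row in summarize(SAMPLE_EVENTS):
        print(f'{row["ip"]:15} {row["identity"]:20} x{row["count"]}  {row["risk"]}')
```

In production, feed the function the message bodies of event 2889 from the Directory Service log (for example, exported via `Get-WinEvent -LogName "Directory Service" -FilterXPath "*[System[EventID=2889]]"`) from every GC server; the allowlist is for clients you have already accepted as exceptions, and every row with Binding Type 0 is an account whose password has been on the wire.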
Known Vulnerabilities
| CVE | Name | Severity | Description |
|---|---|---|---|
| CVE-2020-1472 | Zerologon | Critical (CVSS 10.0) | Elevation of privilege in the Netlogon Remote Protocol (MS-NRPC). A flaw in the AES-CFB8 usage lets an unauthenticated attacker with network access to a domain controller establish a Netlogon secure channel and reset the DC's machine account password, leading to full domain compromise. It is reached over RPC, not the GC LDAP listener; it is listed here because the domain controllers that host the Global Catalog are the affected systems. |
| CVE-2021-42287 | Kerberos PAC / sAMAccountName spoofing (noPac, chained with CVE-2021-42278) | High (CVSS 7.5) | Privilege escalation in Active Directory Domain Services: the KDC does not properly validate service ticket requests, so an attacker holding a low-privileged domain account can impersonate a domain controller and obtain domain administrator privileges. The attack runs over Kerberos with account changes made via LDAP writes; it is not a flaw in the GC service itself but affects the DCs that provide it. |
Common Software
- Microsoft Active Directory Domain Services
- Microsoft Exchange Server
- SharePoint Server
- Lync Server/Skype for Business Server
- Any LDAP-enabled application requiring forest-wide object searches
- Quest Active Roles Server
- Netwrix Auditor