LDAP signing
Applies To: Windows Server 2008 R2
To enhance the security of directory servers, you can configure both Active Directory Domain Services (AD DS) and Active Directory Lightweight Directory Services (AD LDS) to require signed Lightweight Directory Access Protocol (LDAP) binds.
Unsigned network traffic is susceptible to replay attacks, in which an intruder intercepts an authentication attempt and the issue of a ticket. The intruder can reuse the ticket to impersonate the legitimate user. In addition, unsigned network traffic is susceptible to man-in-the-middle attacks, in which an intruder captures packets between the client computer and the server, modifies the packets, and then forwards them to the server. When this behavior occurs on an LDAP server, an attacker can cause a server to make decisions that are based on forged requests from the LDAP client.
Consider enhancing the security of your domain controllers by configuring them to reject simple LDAP bind requests and other bind requests that do not include LDAP signing.
Events
| Event ID | Source | Message |
|---|---|---|
Microsoft-Windows-ActiveDirectory_DomainService |
The security of this directory server can be significantly enhanced by configuring the server to reject SASL (Negotiate, Kerberos, NTLM, or Digest) LDAP binds that do not request signing (integrity verification) and LDAP simple binds that are performed on a cleartext (non-SSL/TLS-encrypted) connection. Even if no clients are using such binds, configuring the server to reject them will improve the security of this server. Some clients may currently be relying on unsigned SASL binds or LDAP simple binds over a non-SSL/TLS connection, and will stop working if this configuration change is made. To assist in identifying these clients, if such binds occur this directory server will log a summary event once every 24 hours indicating how many such binds occurred. You are encouraged to configure those clients to not use such binds. Once no such events are observed for an extended period, it is recommended that you configure the server to reject such binds. For more details and information on how to make this configuration change to the server, please see https://go.microsoft.com/fwlink/?LinkID=87923. You can enable additional logging to log an event each time a client makes such a bind, including information on which client made the bind. To do so, please raise the setting for the "LDAP Interface Events" event logging category to level 2 or higher. | |
Microsoft-Windows-ActiveDirectory_DomainService |
During the previous 24 hour period, some clients attempted to perform LDAP binds that were either: (1) A SASL (Negotiate, Kerberos, NTLM, or Digest) LDAP bind that did not request signing (integrity validation), or (2) A LDAP simple bind that was performed on a cleartext (non-SSL/TLS-encrypted) connection This directory server is not currently configured to reject such binds. The security of this directory server can be significantly enhanced by configuring the server to reject such binds. For more details and information on how to make this configuration change to the server, please see https://go.microsoft.com/fwlink/?LinkID=87923. Summary information on the number of these binds received within the past 24 hours is below. You can enable additional logging to log an event each time a client makes such a bind, including information on which client made the bind. To do so, please raise the setting for the "LDAP Interface Events" event logging category to level 2 or higher. Number of simple binds performed without SSL/TLS: "Value" Number of Negotiate/Kerberos/NTLM/Digest binds performed without signing: "Value" | |
Microsoft-Windows-ActiveDirectory_DomainService |
During the previous 24 hour period, some clients attempted to perform LDAP binds that were either: (1) A SASL (Negotiate, Kerberos, NTLM, or Digest) LDAP bind that did not request signing (integrity validation), or (2) A LDAP simple bind that was performed on a cleartext (non-SSL/TLS-encrypted) connection This directory server is configured to reject such binds. This is the recommended configuration setting, and significantly enhances the security of this server. For more details, please see https://go.microsoft.com/fwlink/?LinkID=87923. Summary information on the number of such binds received within the past 24 hours is below. You can enable additional logging to log an event each time a client makes such a bind, including information on which client made the bind. To do so, please raise the setting for the "LDAP Interface Events" event logging category to level 2 or higher. Number of simple binds rejected because they were performed without SSL/TLS: "Value" Number of Negotiate/Kerberos/NTLM/Digest binds rejected because they were performed without signing:"Value" | |
Microsoft-Windows-ActiveDirectory_DomainService |
The following client performed a SASL (Negotiate/Kerberos/NTLM/Digest) LDAP bind without requesting signing (integrity verification), or performed a simple bind over a cleartext (non-SSL/TLS-encrypted) LDAP connection. Client IP address: "Value" Identity the client attempted to authenticate as: "Value" |