I noticed that a couple of Domain Controllers started reporting warning messages (Event ID 2887 in the Directory Service log). It turns out that one or more clients have been using Simple Authentication and Security Layer (SASL) LDAP binds that do not request signing (integrity verification), or LDAP simple binds performed over a clear-text (non-SSL/TLS-encrypted) connection.
The SASL mechanisms in question are Negotiate, Kerberos, NTLM, and Digest.
Unsigned network traffic is susceptible to replay attacks, in which an intruder intercepts the authentication attempt and the issuance of a ticket, and then reuses the ticket to impersonate the legitimate user.
Unsigned traffic is also susceptible to man-in-the-middle attacks, in which an intruder captures packets between the client and the server, modifies them, and forwards them to the server. Against an LDAP server this lets the attacker make the server act on forged requests that appear to come from the legitimate LDAP client. A simple bind over a clear-text connection is worse still: the password itself crosses the wire unencrypted.
The warning (Event ID 2887) as it appears in the Directory Service event log:

During the previous 24 hour period, some clients attempted to perform LDAP binds that were either:
(1) A SASL (Negotiate, Kerberos, NTLM, or Digest) LDAP bind that did not request signing (integrity validation), or
(2) A LDAP simple bind that was performed on a cleartext (non-SSL/TLS-encrypted) connection

This directory server is not currently configured to reject such binds. The security of this directory server can be significantly enhanced by configuring the server to reject such binds. For more details and information on how to make this configuration change to the server, please see http://go.microsoft.com/fwlink/?LinkID=87923.

Summary information on the number of these binds received within the past 24 hours is below.

You can enable additional logging to log an event each time a client makes such a bind, including information on which client made the bind. To do so, please raise the setting for the "LDAP Interface Events" event logging category to level 2 or higher.

Number of simple binds performed without SSL/TLS: X
Number of Negotiate/Kerberos/NTLM/Digest binds performed without signing: X
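Before requiring signing it pays to find out which clients are behind the counters in that summary. The following PowerShell is an added example, not part of the original post: it raises the "LDAP Interface Events" diagnostics level to 2 as the event suggests (the registry value is the documented one under the NTDS Diagnostics key) and then summarises the per-bind Event 2889 entries the DC starts writing. The message-field regexes and the meaning of "Binding Type" (0 = simple bind over clear text, 1 = SASL bind without signing) are my reading of the 2889 event body; run it elevated on the DC and verify the parse against a real event before trusting the summary.

```powershell
# Added example (not from the original post): turn on per-bind logging of unsigned
# and clear-text LDAP binds on a domain controller, then report who is doing it.
# Assumes it runs elevated on the DC. Event 2887 is the daily summary quoted above;
# Event 2889 is the per-bind detail that appears once the level is raised to 2.

$diagKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'
$valueName = '16 LDAP Interface Events'

function Enable-LdapInterfaceEventLogging {
    param([ValidateRange(0, 5)][int]$Level = 2)
    # Level 2 makes the DC write Event 2889 for every offending bind (level 0 = off).
    Set-ItemProperty -Path $diagKey -Name $valueName -Value $Level -Type DWord
    (Get-ItemProperty -Path $diagKey -Name $valueName).$valueName
}

function Get-UnsignedLdapBindClients {
    param([int]$Hours = 24)
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Directory Service'
        Id        = 2889
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # Field labels as they appear in the 2889 message text (assumption: check one
        # real event on your DC; adjust the patterns if Microsoft's wording differs).
        $ip   = if ($e.Message -match 'Client IP address:\s*(\S+)') { $matches[1] } else { $null }
        $id   = if ($e.Message -match 'authenticate as:\s*([^\r\n]+)') { $matches[1].Trim() } else { $null }
        $type = if ($e.Message -match 'Binding Type:\s*(\d+)') { [int]$matches[1] } else { -1 }

        [pscustomobject]@{
            Time     = $e.TimeCreated
            ClientIP = ($ip -replace ':\d+$', '')          # drop the client's source port
            Identity = $id
            BindType = switch ($type) {
                0       { 'SimpleCleartext' }               # password on the wire in clear
                1       { 'SaslUnsigned' }                  # SASL bind without integrity
                default { "Unknown($type)" }
            }
        }
    }
}

# Usage on the DC: enable logging, wait for clients to bind, then summarise.
Enable-LdapInterfaceEventLogging -Level 2
Get-UnsignedLdapBindClients -Hours 24 |
    Group-Object ClientIP, Identity, BindType |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

Leave the level at 2 until the daily 2887 counters reach zero (or every remaining client is one you have consciously decided to break), then set it back to 0; level 2 is noisy in a busy domain. The clear-text simple binds are the ones to chase first, since each one leaks a password to anyone on the path.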
You can read the KB linked in the event, or follow the steps below to require LDAP signing on both the domain controllers and the clients. Two caveats: once the DC setting is "Require signing", every bind the event counted will be rejected, so identify and fix those clients first (raising "LDAP Interface Events" to level 2 logs each one); and the two settings must agree, because a client set to "None" cannot bind to a DC that requires signing, while a client set to "Require signing" cannot bind to a DC that offers none.
How to configure the directory to require LDAP server signing:
- Click Start, click Run, type mmc.exe, and then click OK.
- On the File menu, click Add/Remove Snap-in.
- In the Add or Remove Snap-ins dialog box, click Group Policy Management Editor, and then click Add.
- In the Select Group Policy Object dialog box, click Browse.
- In the Browse for a Group Policy Object dialog box, click Default Domain Controllers Policy under the Domains, OUs and linked Group Policy Objects area, and then click OK. (This GPO is linked to the Domain Controllers OU; the server-side setting belongs there, not in the Default Domain Policy.)
- Click Finish.
- Click OK.
- Expand Default Domain Controllers Policy, expand Computer Configuration, expand Policies, expand Windows Settings, expand Security Settings, expand Local Policies, and then click Security Options.
- Right-click Domain controller: LDAP server signing requirements, and then click Properties.
- In the Domain controller: LDAP server signing requirements Properties dialog box, enable Define this policy setting, click to select Require signing in the Define this policy setting drop-down list, and then click OK.
- In the Confirm Setting Change dialog box, click Yes.
How to configure the client LDAP signing requirement:
- Click Start, click Run, type mmc.exe, and then click OK.
- On the File menu, click Add/Remove Snap-in.
- In the Add or Remove Snap-ins dialog box, click Group Policy Object Editor, and then click Add.
- Click Browse, and then select Default Domain Policy (or the Group Policy Object for which you want to enable client LDAP signing).
- Click OK.
- Click Finish.
- Click Close.
- Click OK.
- Expand Default Domain Policy, expand Computer Configuration, expand Policies, expand Windows Settings, expand Security Settings, expand Local Policies, and then click Security Options.
- Right-click Network security: LDAP client signing requirements, and then click Properties.
- In the Network security: LDAP client signing requirements Properties dialog box, enable Define this policy setting, click to select Require signing in the drop-down list, and then click OK.
- In the Confirm Setting Change dialog box, click Yes.
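After Group Policy has applied (gpupdate /force on a DC and on a client, or wait for the refresh interval), the two settings above end up as two registry values, and the only real proof is that a clear-text simple bind is now refused. The script below is an added example, not code from the original post: it reads those values (LDAPServerIntegrity, 1 = None, 2 = Require signing, on the DC; LDAPClientIntegrity, 0 = None, 1 = Negotiate, 2 = Require signing, on the client) and then attempts a simple bind over plain port 389 with System.DirectoryServices.Protocols, expecting LDAP result code 8 (strongerAuthRequired). $Dc, $User and $Password are placeholders you supply; use a throwaway test account, because if the DC still accepts the bind the password crosses the network in clear text.

```powershell
# Added example (not part of the original post): confirm the registry values the two
# GPO settings write, and prove the DC rejects a clear-text simple bind afterwards.
# Assumptions: run on a domain-joined machine; $Dc/$User/$Password are placeholders.
Add-Type -AssemblyName System.DirectoryServices.Protocols

$serverKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'  # present on DCs only
$clientKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LDAP'

function Get-LdapSigningPolicy {
    $server = (Get-ItemProperty -Path $serverKey -Name LDAPServerIntegrity -ErrorAction SilentlyContinue).LDAPServerIntegrity
    $client = (Get-ItemProperty -Path $clientKey -Name LDAPClientIntegrity -ErrorAction SilentlyContinue).LDAPClientIntegrity
    [pscustomobject]@{
        # "Domain controller: LDAP server signing requirements"
        ServerSigning = switch ($server) { 1 { 'None' } 2 { 'RequireSigning' } default { 'NotSet' } }
        # "Network security: LDAP client signing requirements"; absent value behaves as Negotiate
        ClientSigning = switch ($client) { 0 { 'None' } 1 { 'Negotiate' } 2 { 'RequireSigning' } default { 'NotSet' } }
    }
}

function Test-CleartextSimpleBind {
    param([string]$Dc, [string]$User, [string]$Password)
    # Plain TCP 389, no TLS, AuthType Basic = an LDAP simple bind: exactly what 2887 counts.
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection("${Dc}:389")
    $conn.SessionOptions.SecureSocketLayer = $false
    $conn.AuthType   = [System.DirectoryServices.Protocols.AuthType]::Basic
    $conn.Credential = New-Object System.Net.NetworkCredential($User, $Password)
    try {
        $conn.Bind()
        'ACCEPTED: the DC still allows simple binds over clear text (policy not effective yet)'
    } catch {
        $ex = $_.Exception
        if ($ex -is [System.DirectoryServices.Protocols.LdapException]) {
            # Result code 8 = strongerAuthRequired. The DC's diagnostic text states that the
            # bind must turn on integrity checking unless SSL/TLS is already active.
            if ($ex.ErrorCode -eq 8) {
                "REJECTED (strongerAuthRequired): $($ex.ServerErrorMessage)"
            } else {
                "FAILED with LDAP error $($ex.ErrorCode): $($ex.Message)"
            }
        } else {
            throw
        }
    } finally {
        $conn.Dispose()
    }
}

# Usage (placeholders):
Get-LdapSigningPolicy
Test-CleartextSimpleBind -Dc 'dc01.example.local' -User 'EXAMPLE\ldaptest' -Password 'Replace-Me'
```

A result of ACCEPTED after the DC policy has applied usually means the query went to a different DC (check with nltest /dsgetdc or pass the DC name explicitly as above) or that Group Policy has not refreshed; a REJECTED with code 8 is the state you want. Clients that genuinely need a simple bind, typically non-Windows systems, should be pointed at LDAPS (636) or made to use StartTLS, which the DC accepts because the channel is encrypted even though the bind itself is still "simple".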