According to Microsoft Security Advisory ADV190023, a future Windows Update in 2020 will make changes to LDAP Signing (LDAPS) and will require connections to use LDAPS instead of the less-secure clear-text LDAP. As a system administrator of Domain Controllers, you’ll want to take some steps now to identify all insecure LDAP bindings made to your domain controllers and create an action plan so that those apps will use LDAPS.
Finding Insecure LDAP Bindings
You can add a registry key on your Domain Controllers that will add Event IDs 2886 and 2887 to your Event Logs. Event 2886 indicates that LDAP signing is not being enforced by your Domain Controller and it is possible to perform a simple (clear text) LDAP bind over a non-encrypted connection. Event 2887 occurs every 24 hours and will report how many unsigned and clear text binds have occurred to the Domain Controller. If you have any number greater than 0 then you have binds that have occurred in the past 24 hours.
For diagnostic purposes, you can add the following registry keys on each of your domain controllers. Due to the volume of event logs this can create, it is recommended to only leave it enabled for a short period of time while you’re researching.
# Enable Simple LDAP Bind Logging Reg Add HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics /v "16 LDAP Interface Events" /t REG_DWORD /d 2
# Disable Simple LDAP Bind Logging Reg Add HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics /v "16 LDAP Interface Events" /t REG_DWORD /d 0 Note: You may need replace the double quotes after copy+paste.
Once you have 2886 and 2887 events in your event log, you’ll want to examine them.
You can download and import LDAP Signing Events Custom View.xml from GitHub. You can also download and run a PowerShell script Query-InsecureLDAPBinds.ps1 from GitHub.
Fixing Insecure LDAP Bindings
Fixing insecure LDAP bindings can take a little more work because it is application-dependent. Some will require that you use a specific certificate. In others, you can change ldap:// to ldaps:// and use port 636.
Require LDAP Signing in Active Directory Using Group Policy
If you want to require LDAP Signing now, you can make some Group Policy changes. The current default configurations allow Domain Controllers to negotiate with LDAPS, but don’t require it.
- Open Group Policy Editor
- Select the Default Domain Policy
- Navigate to Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
- Find and select Domain Controller: LDAP server signing requirements
- Change the setting to Require signing and then click OK
- In the Confirm Setting Change dialog box, click Yes to confirm that you want to modify LDAP signing configuration
- If you set LDAP signing in the domain to ‘Require signing’, you should also set the Network security: LDAP client signing requirements policy setting to Require signing so that Windows clients are forced to use LDAP signing
