Secure Bits 🛡
How to track LDAP signing in Active Directory before enforcing it?
When applying Strict Security Baselines, enforcing LDAP signing is a common (and critical) step. With "Domain controller: LDAP server signing requirements" set to Require signing, the DC rejects SASL binds that do not negotiate signing and rejects LDAP simple binds on cleartext (non-TLS) connections. A cleartext simple bind sends the password in the clear, and an unsigned session lets a man-in-the-middle tamper with LDAP traffic.
But if your infrastructure is older, enforcing it outright can break things.
🔥 So before enforcement: track what's using unsigned LDAP.
Here's how:
Step 1 — Check default logs
Event ID 2887 in the Directory Service log is written once every 24 hours and reports how many simple binds without SSL/TLS and how many SASL binds without signing the DC accepted in that period. It only appears while signing is not yet required, and it gives counts only, not which clients.
Step 2 — Enable detailed diagnostics
Registry path:
HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics
Set the DWORD value 16 LDAP Interface Events to 2 (no reboot needed).
This gives you one Event ID 2889 per unsigned bind, with the client IP address and port, the identity it authenticated as, and the binding type (SASL without signing, or simple bind in cleartext). That is your list of exact clients using unsigned LDAP. Level 2 is noisy on a busy DC: raise the Directory Service log size for the audit window and set the value back to 0 afterwards.
✅ Use this to find and fix legacy apps (move them to LDAPS, or to SASL with signing) before enforcing LDAP signing and disabling cleartext simple bind.
💡 Avoid the "enforce, then break everything" scenario: audit first.
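One way to run the two steps above from PowerShell, as an added example that is not code from the original post. It reads the daily 2887 counters, switches the diagnostic level to 2, and turns the per-bind 2889 events into a per-client worklist. Function names, the message-parsing patterns and the constructed sample events are my assumptions; the registry paths and event IDs are the ones the post gives. Run the live parts elevated on a domain controller.

```powershell
# Added example, not code from the original post. Function names, the parsing
# patterns and the sample events below are my assumptions; the registry paths
# and event IDs are the ones in the post. Run the live parts elevated on a DC.

$DiagKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'
$DiagName = '16 LDAP Interface Events'
$ParamKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$Labels   = 'Client IP address', 'Identity the client attempted to authenticate as', 'Binding Type'

function Get-LdapSigningState {
    # LDAPServerIntegrity backs the GPO setting: 1 (or absent) = None, 2 = Require signing.
    $integrity = (Get-ItemProperty -Path $ParamKey -Name LDAPServerIntegrity -ErrorAction SilentlyContinue).LDAPServerIntegrity
    $level     = (Get-ItemProperty -Path $DiagKey -Name $DiagName -ErrorAction SilentlyContinue).$DiagName
    [pscustomobject]@{ RequireSigning = ($integrity -eq 2); LdapInterfaceEventLevel = [int]$level }
}

function Set-LdapInterfaceDiagnostics {
    param([ValidateRange(0, 5)][int]$Level = 2)
    # Level 2 writes one 2889 per unsigned bind (noisy on a busy DC); set it back to 0 after the audit.
    if (-not (Test-Path $DiagKey)) { throw "$DiagKey not found; run this on a domain controller." }
    Set-ItemProperty -Path $DiagKey -Name $DiagName -Value $Level -Type DWord
}

function Get-LdapBindEvents {
    param([int]$Id = 2889, [int]$Hours = 24)
    $filter = @{ LogName = 'Directory Service'; Id = $Id; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
}

function ConvertFrom-Ldap2887Message {
    param([Parameter(Mandatory)][string]$Message)
    # The daily summary carries only two counters (patterns are my reading of the event text).
    $simple = if ($Message -match 'simple binds performed without SSL/TLS:\s*(\d+)') { [int]$Matches[1] } else { 0 }
    $sasl   = if ($Message -match 'binds performed without signing:\s*(\d+)') { [int]$Matches[1] } else { 0 }
    [pscustomobject]@{ SimpleBindsWithoutTls = $simple; SaslBindsWithoutSigning = $sasl }
}

function ConvertFrom-Ldap2889Message {
    param([Parameter(Mandatory)][string]$Message, [datetime]$TimeCreated = (Get-Date))
    # 2889 prints each label on its own line with the value on the line after it.
    $pattern = '^\s*(' + (($Labels | ForEach-Object { [regex]::Escape($_) }) -join '|') + '):\s*(.*?)\s*$'
    $lines   = $Message -split '\r?\n'
    $values  = @{}
    for ($i = 0; $i -lt $lines.Count; $i++) {
        if ($lines[$i] -match $pattern) {
            $key, $val = $Matches[1], $Matches[2]
            if (-not $val -and ($i + 1) -lt $lines.Count) { $i++; $val = $lines[$i].Trim() }
            $values[$key] = $val
        }
    }
    $endpoint = [string]$values['Client IP address']          # "ip:port"
    $cut      = $endpoint.LastIndexOf(':')
    $ip       = if ($cut -gt 0) { $endpoint.Substring(0, $cut) } else { $endpoint }
    $port     = if ($cut -gt 0) { [int]$endpoint.Substring($cut + 1) } else { $null }
    # Binding Type as I read the event: 0 = SASL bind without signing, 1 = simple bind in cleartext.
    $bindType = switch ([string]$values['Binding Type']) { '0' { 'SASL-unsigned' } '1' { 'Simple-cleartext' } default { "Unknown($_)" } }
    [pscustomobject]@{
        TimeCreated = $TimeCreated
        ClientIP    = $ip
        ClientPort  = $port
        Identity    = $values['Identity the client attempted to authenticate as']
        BindType    = $bindType
    }
}

function Get-UnsignedLdapClients {
    param([Parameter(Mandatory)][object[]]$Events)
    # One row per client host: that is the worklist of legacy apps to fix or exempt.
    $Events |
        ForEach-Object { ConvertFrom-Ldap2889Message -Message $_.Message -TimeCreated $_.TimeCreated } |
        Where-Object { $_.ClientIP } |
        Group-Object ClientIP |
        ForEach-Object {
            [pscustomobject]@{
                ClientIP   = $_.Name
                Binds      = $_.Count
                Identities = (@($_.Group.Identity | Sort-Object -Unique) -join '; ')
                BindTypes  = (@($_.Group.BindType | Sort-Object -Unique) -join '; ')
                LastSeen   = ($_.Group.TimeCreated | Measure-Object -Maximum).Maximum
            }
        } | Sort-Object Binds -Descending
}

# Constructed sample events in the layout a DC writes, so the parsing runs offline.
function New-Sample2889 { param($Endpoint, $Identity, $Type, $MinutesAgo)
    $msg = "The following client performed a SASL LDAP bind without requesting signing, or a simple bind over clear text.`n`n" +
           "Client IP address:`n$Endpoint`nIdentity the client attempted to authenticate as:`n$Identity`nBinding Type:`n$Type"
    [pscustomobject]@{ TimeCreated = (Get-Date).AddMinutes(-$MinutesAgo); Message = $msg }
}
$sample = @(
    (New-Sample2889 '10.20.30.40:49811' 'CONTOSO\svc-legacy-app' 1 5)
    (New-Sample2889 '10.20.30.40:49902' 'CONTOSO\svc-legacy-app' 1 3)
    (New-Sample2889 '10.20.31.7:61020'  'CONTOSO\printsrv$'      0 1)
)
Get-UnsignedLdapClients -Events $sample | Format-Table -AutoSize
```

On a DC the live sequence is: Get-LdapSigningState to confirm signing is not yet required, Set-LdapInterfaceDiagnostics 2, let a full business cycle of binds accumulate, then Get-UnsignedLdapClients -Events (Get-LdapBindEvents -Id 2889 -Hours 24) for the per-client list and Get-LdapBindEvents -Id 2887 piped to ConvertFrom-Ldap2887Message for the daily totals. Set the diagnostic level back to 0 when the audit is done.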
In this series, I'll be covering real-world challenges of applying security baselines — including the exceptions you sometimes must make to keep legacy infrastructure operational. Based on lessons from production environments.
