Forum Discussion

Kerry_DeVilbiss's avatar
5 years ago

LDAP Binding Security - Active Directory Domain Controllers

In December of 2019, Microsoft published a release announcing upcoming changes to LDAP channel binding and LDAP signing requirements for domain controllers

Quote

There is a vulnerability in the default configuration for Lightweight Directory Access Protocol (LDAP) channel binding and LDAP signing that may expose Active directory domain controllers to elevation of privilege vulnerabilities. Microsoft Security Advisory ADV190023 address the issue by recommending the administrators enable LDAP channel binding and LDAP signing on Active Directory Domain Controllers. This hardening must be done manually until the release of the security update that will enable these settings by default. 

Microsoft intends to release a security update on Windows Update to enable LDAP channel binding and LDAP signing hardening changes and anticipate this update will be available in March 2020.


This is a good thing (!) , as one Microsoft blogger puts it:

Quote

If I told you that there was a 90% plus chance that your Domain Controllers allowed receiving credentials in clear text over your network, you would probably wouldn't believe me. If I went a step further and told you that nearly half of the customers I visit for AD security assessments not only allowed them, but had extremely privileged accounts such as Domain Admins credentials traversing the network in clear text, you would probably think "that wouldn't happen on my network", well that's what they all told me too :)


However ... security requires preparation, and this particular change means Windows administrators will want to configure servers before the patch is applied. If you're managing dozens or hundreds of servers, identifying which resources need attention could be a time consuming proposition. Luckily (per the post above) we have a couple methods to look for vulnerable domain controllers.

So, with that in mind, the LogicMonitor DataSource Win_LDAP_Binding_Security uses PowerShell (specifically, Get-WinEvent) to comb through the (first 10,000 events of) Directory Services log for the presence of events with Event IDs 2886 and 2887 (and generates an alert if it finds anything.) Which again, means:

Quote

If any of your Domain Controllers have the 2886 event present, it indicates that LDAP signing is not being enforced by your DC and it is possible to perform a simple (clear text) LDAP bind over a non-encrypted connection. 

Our next port of call is the 2887 event. This event occurs every 24 hours and will report how many unsigned and clear text binds have occurred to this DC. If you have any numbers greater than zero, you have some homework to do.


Hopefully this saves somebody some time - and helps bring visibility to a potentially important security vulnerability in the network!

a9e8274be594e9f8620b202766efe9c4.png

Win_LDAP_Binding_Security should be available shortly via locator code FJDAJZ

  • On 2/11/2020 at 11:52 AM, Katerina said:

    Is this still available? I can't import it as it a private logicmodule? Would anyone he's managed to import it previously be able to share?

     

    same question here

     

    thanks

  • Is this still available? I can't import it as it a private logicmodule? Would anyone he's managed to import it previously be able to share?

  • Any recommendation if our DC's are reporting a Logicmonitor Collector/service account is performing SimpleBinds?

  • The datasource is available now. 

    Appreciate this Kerry! It's already making a big splash for my team. 

  • Any status on getting this out of security review?