How to fix insecure LDAP binds to prevent exposed Windows admin credentials

First the good news: Microsoft planned to release a patch in January that would change the default LDAP channel binding and LDAP signing settings to more secure configurations. Because businesses asked for more time due to the holiday season, Microsoft has pushed this off to March 2020. Now the bad news: you may already be passing the credentials for the domain admin account in cleartext across your network, as noted in a 2016 blog post.

How do you know? Start by looking for event IDs 2886 and 2887 in the Directory Service log on your domain controllers. If event ID 2886 is present, it indicates that LDAP signing is not being enforced by your domain controller. What’s so bad about this? Plenty. It means that it’s possible to perform a cleartext LDAP bind over a non-encrypted connection.

Review domain controller logs for event 2886.

If you see event 2886, you need to take immediate action to remedy the situation. Review the Group Policy or registry settings on your domain controllers. If you’ve never configured the option “Domain controller: LDAP server signing requirements” and it is still set to None, chances are this LDAP configuration is leaving you exposed.
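The two checks above (look for events 2886/2887, then confirm the signing requirement on the domain controller) can be run in one read-only PowerShell audit. This script is an added example, not code from the article or from Microsoft; it assumes the standard NTDS registry value names LDAPServerIntegrity (written by the “Domain controller: LDAP server signing requirements” policy) and LdapEnforceChannelBinding, and that it is run in an elevated session on the domain controller itself.

```powershell
# Added example (not from the article): audit one domain controller for the
# insecure-LDAP-bind conditions the article describes. Read-only; changes nothing.
# Assumes an elevated PowerShell session on the DC.

function Get-LdapBindAudit {
    [CmdletBinding()]
    param(
        # How many recent 2886/2887 events to pull from the Directory Service log.
        [int]$MaxEvents = 50
    )

    # 1. Directory Service log: 2886 = signing not required on this DC,
    #    2887 = the DC saw unsigned / cleartext binds during the reporting period.
    $events = Get-WinEvent -FilterHashtable @{
                  LogName = 'Directory Service'
                  Id      = 2886, 2887
              } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue

    $has2886 = [bool]($events | Where-Object Id -eq 2886)
    $has2887 = [bool]($events | Where-Object Id -eq 2887)

    # 2. Registry: the policy "Domain controller: LDAP server signing requirements"
    #    stores its value in LDAPServerIntegrity under the NTDS parameters key.
    #    Assumed value mapping: 1 = None (the default), 2 = Require signing.
    $ntdsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $params  = Get-ItemProperty -Path $ntdsKey -ErrorAction SilentlyContinue

    $signingRaw = $params.LDAPServerIntegrity
    $signing = switch ($signingRaw) {
        2       { 'Require signing' }
        1       { 'None' }
        default { 'Not set (behaves as None)' }
    }

    # LdapEnforceChannelBinding (assumed mapping): 0 = Never, 1 = When supported, 2 = Always.
    $cbtRaw = $params.LdapEnforceChannelBinding
    $cbt = switch ($cbtRaw) {
        2       { 'Always' }
        1       { 'When supported' }
        0       { 'Never' }
        default { 'Not set (behaves as Never)' }
    }

    # Flag the DC if signing is not required or if the log already shows the symptom.
    $atRisk = ($signingRaw -ne 2) -or $has2886 -or $has2887

    [pscustomobject]@{
        ComputerName            = $env:COMPUTERNAME
        Event2886Seen           = $has2886
        Event2887Seen           = $has2887
        LdapServerSigning       = $signing
        LdapChannelBinding      = $cbt
        AtRisk                  = $atRisk
        Recommendation          = if ($atRisk) {
            'Set "Domain controller: LDAP server signing requirements" to Require signing ' +
            'and review the clients reported in the Directory Service log before enforcing.'
        } else { 'No insecure LDAP bind indicators found.' }
    }
}

# Usage: run on each domain controller and review the result.
Get-LdapBindAudit | Format-List
```

The function reports rather than remediates: the sensible order is to identify which clients are still doing unsigned or cleartext binds (the 2887 events are your signal) and fix them first, then flip the policy to Require signing so the change does not break working applications.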
