Network security: LDAP client signing requirements

Active Directory Auditing Tool

Knowing who did what, where and when is essential for an administrator to have complete knowledge of all activity in their Active Directory, and helps them identify desired and undesired activity. ADAudit Plus provides this information in the form of reports. In real time, critical resources in the network such as the Domain Controllers are audited, monitored and reported on, with full information on AD objects (Users, Groups, GPOs, Computers, OUs, DNS, AD Schema and Configuration changes) through 200+ detailed event-specific GUI reports and email alerts.


A brief look at configuring LDAP client signing requirement policy

This policy setting determines the level of data signing that is requested on behalf of client devices that issue LDAP BIND requests. The levels of data signing are described in the following list:

  • None. The LDAP BIND request is issued with the caller-specified options.
  • Negotiate signing. The LDAP BIND request is initiated with the LDAP data signing option set in addition to the caller-specified options. This occurs only if Transport Layer Security/Secure Sockets Layer (TLS/SSL) has not been started. If TLS/SSL has been started, the caller-specified options are used to initiate LDAP BIND request.
  • Require signing. This level is similar to Negotiate signing. However, if the LDAP server's intermediate saslBindInProgress response does not indicate that LDAP traffic signing is required, a message is sent to the caller that the LDAP BIND request failed.

Set both the Network security: LDAP client signing requirements and Domain controller: LDAP server signing requirements settings to Require signing, so that no unsigned traffic is used on either side. If only one side is set, client computers are prevented from communicating with the server, which causes many features to fail, including user authentication, Group Policy, and logon scripts.

Security aspects:

Man-in-the-middle attacks can be launched against unsigned network traffic: an intruder captures the packets transmitted between client and server, tampers with them, and then forwards them to the server. This vulnerability allows an attacker to cause an LDAP server to make decisions based on modified data from the LDAP queries. To reduce this risk in your network, it is important to have strong physical security measures protecting the network infrastructure. Implementing digital signatures on all network packets by means of IPsec authentication headers can also reduce man-in-the-middle attacks.

If you configure the client to require LDAP signatures, it may fail to communicate with the LDAP servers that do not require requests to be signed. To avoid this issue, make sure that both the Network security: LDAP client signing requirements and Domain controller: LDAP server signing requirements settings are set to Require signing.
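The following PowerShell script is an added example, not part of the ADAudit Plus documentation or product. It reads the effective level of both policies described above on the local machine and, on a domain controller, lists clients that have recently bound without signing, so that the "Require signing" change can be made on both sides without the breakage described in the text. It assumes the registry values Microsoft documents for these policies (LDAPClientIntegrity under the LDAP service key, LDAPServerIntegrity under NTDS\Parameters) and that Directory Service events 2887 and 2889 are present on a DC where "16 LDAP Interface Events" diagnostic logging has been raised to 2; the property positions read from event 2889 follow that event's message template.

```powershell
# Added example (not ManageEngine's code): audit LDAP signing on this host before enforcing it.
# Assumed registry locations (Microsoft-documented) for the two policies discussed above.
$ClientKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LDAP'
$ServerKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'

# Value-to-name maps use the same level names as the policy UI.
$ClientLevels = @{ 0 = 'None'; 1 = 'Negotiate signing'; 2 = 'Require signing' }
$ServerLevels = @{ 1 = 'None'; 2 = 'Require signing' }

function Get-LdapSigningLevel {
    param([string]$Path, [string]$Name, [hashtable]$Levels, [int]$Default)
    # A missing value means the built-in default applies, not "unset".
    $item  = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    $value = if ($null -ne $item) { [int]$item.$Name } else { $Default }
    [pscustomobject]@{
        Setting = $Name
        Value   = $value
        Level   = $Levels[$value]
        Present = ($null -ne $item)
    }
}

# Defaults when the value is absent: client = Negotiate signing (1), server = None (1).
$client = Get-LdapSigningLevel -Path $ClientKey -Name 'LDAPClientIntegrity' -Levels $ClientLevels -Default 1
$server = Get-LdapSigningLevel -Path $ServerKey -Name 'LDAPServerIntegrity' -Levels $ServerLevels -Default 1
$client, $server | Format-Table -AutoSize

if ($client.Value -ne 2 -or $server.Value -ne 2) {
    Write-Warning 'At least one side still accepts unsigned LDAP; set BOTH policies to Require signing (2) together.'
}

# On a DC, event 2887 summarises unsigned binds seen in the last 24 hours and event 2889
# names each client (2889 only appears once LDAP Interface Events logging is set to 2).
# Reviewing these first shows which clients would break once signing is required.
$unsigned = Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 2887, 2889 } `
                         -MaxEvents 200 -ErrorAction SilentlyContinue
if ($unsigned) {
    $unsigned | Where-Object Id -eq 2889 |
        ForEach-Object {
            [pscustomobject]@{
                Time   = $_.TimeCreated
                Client = $_.Properties[0].Value   # client IP:port (assumed from the 2889 message template)
                User   = $_.Properties[1].Value   # identity the client tried to bind as
            }
        } | Sort-Object Client -Unique | Format-Table -AutoSize
} else {
    Write-Output 'No 2887/2889 events found (not a DC, or LDAP interface diagnostics not enabled).'
}
```

Run it elevated on a domain controller to see both the server-side level and the list of clients still binding unsigned; on a member workstation only the client-side row is meaningful. Once the 2889 list is empty for a representative period, both policies can be moved to Require signing at the same time, as the text recommends.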

About ADAudit Plus:

ADAudit Plus is a real time change auditing software that helps keep your Active Directory, Azure AD, Windows file servers, NetApp filers, EMC file systems, Synology file systems, Windows member servers, and workstations secure and compliant. With ADAudit Plus, you can get visibility into:

  • Authorized and unauthorized AD management changes
  • User logons, logoffs, and account lockouts
  • GPO changes
  • Group attribute and membership changes
  • OU changes
  • Privileged access and permission changes
  • Azure AD logons, and changes to roles, groups, and applications
  • PowerShell scripts and modules

among other things.

There are more than 200 event-specific reports, and you can configure instant email alerts. You can also export the reports to XLS, HTML, PDF and CSV formats to assist in interpretation and forensics. For more information on ADAudit Plus, visit: https://www.manageengine.com/active-directory-audit/.