Windows Server: Find LDAP bindings on DCs

Another brief blog post about LDAP channel binding and the LDAP signing requirement for Windows. How can you find LDAP bindings on a Windows Server domain controller?

What is LDAP Channel Binding about

I already mentioned this at Christmas 2019 here in the blog, in the article Microsoft enforces secure connections to the Domain Controller from January 2020. Microsoft had already published ADV190023 (Microsoft Guidance for Enabling LDAP Channel Binding and LDAP Signing) in August 2019.

LDAP channel binding and LDAP signing provide ways to increase the security of communication between LDAP clients and Active Directory domain controllers. On Active Directory domain controllers there are a number of unsafe default configurations for LDAP channel binding and LDAP signing that allow LDAP clients to communicate with them without LDAP channel binding and LDAP signing being enforced. This leaves Active Directory domain controllers open to elevation-of-privilege vulnerabilities.

Therefore, Microsoft wanted to address this issue by providing a new set of secure default configurations for LDAP channel binding and LDAP signing on Active Directory domain controllers, replacing the original insecure configuration. The plan was to do this in January 2020, then March 2020, and currently it is a nebulous '2nd half of 2020' (see LDAP Channel Binding: Change is coming 2nd half of 2020) – although I'm not sure how the coronavirus crisis will affect this.

How to find insecure LDAP bindings?

However, administrators can look into this in advance and identify insecure LDAP bindings in their network. I already published the blog post Detect insecure LDAP bindings before March 2020 some time ago. Now I've found a reference to another article that shows how to proceed.

In the above tweet, Thorsten E. points to another place where someone is looking into how to detect insecure LDAP connections. The article from Alexander Köhler can be found here.
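As an added example (not code from the original post or from the linked articles), the following PowerShell, run in an elevated session on a domain controller, switches on the LDAP interface event logging that ADV190023 describes and then summarises the resulting Event ID 2889 entries (one per insecure bind) by client address, account and bind type. It also reads the two registry values behind the signing and channel-binding policies so you can see whether the DC is still on the permissive defaults. The property indices used to pull the client address, identity and bind type out of the event record are an assumption based on the event's message layout and should be checked against one logged event before you rely on the report.

```powershell
# Added example (not from the original post): find insecure LDAP binds on a
# domain controller via the NTDS diagnostic logging described in ADV190023.
# Run in an elevated PowerShell session on the DC.

$diagKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'
$paramKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'

# Step 1: raise "16 LDAP Interface Events" to level 2. From then on the DC logs
# event 2889 for every unsigned SASL bind or clear-text simple bind, and
# event 2887 as a 24-hour summary of such binds.
Set-ItemProperty -Path $diagKey -Name '16 LDAP Interface Events' -Value 2 -Type DWord

# Step 2: show the current enforcement settings. Both values are absent when
# the permissive default is still in effect.
#   LDAPServerIntegrity:       1 = none, 2 = require signing
#   LdapEnforceChannelBinding: 0 = never, 1 = when supported, 2 = always
Get-ItemProperty -Path $paramKey |
    Select-Object LDAPServerIntegrity, LdapEnforceChannelBinding

# Step 3: after the DC has run with logging for a while (a full day is a good
# start), collect the 2889 events and turn them into a per-client report.
function Get-InsecureLdapBinds {
    param([int]$MaxEvents = 5000)

    Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 2889 } `
                 -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Assumed property order, matching the event's message text:
            #   [0] client IP:port, [1] identity the client authenticated as,
            #   [2] binding type (0 = SASL bind without signing, 1 = simple bind)
            $bindType = if ($_.Properties[2].Value -eq 0) { 'SASL without signing' } else { 'Simple bind (clear text)' }
            [pscustomobject]@{
                TimeCreated = $_.TimeCreated
                Client      = $_.Properties[0].Value
                Identity    = $_.Properties[1].Value
                BindType    = $bindType
            }
        }
}

# One line per client/account/bind type, busiest first: this is the list of
# systems and service accounts to fix before signing and channel binding are enforced.
Get-InsecureLdapBinds |
    Group-Object Client, Identity, BindType |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

The diagnostic level only needs to stay at 2 for the collection window; the 2889 events are verbose on a busy DC, so set it back to 0 once the inventory is complete.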

Similar articles:
Microsoft enforces secure connections to the Domain Controller from January 2020
LDAP Channel Binding: Change is coming 2nd half of 2020
Detect insecure LDAP bindings before March 2020
Microsoft Guidance for Enabling LDAP Channel Binding and LDAP Signing

This entry was posted in Security, Windows.
