The Lightweight Directory Access Protocol (LDAP) is used by directory clients to access data held by directory servers. Clients and applications authenticate with Windows Active Directory (AD) using LDAP bind operations.
There are different kinds of LDAP bind operations, including:
- Simple LDAP bind, which transfers credentials over the network in cleartext and is unsecure.
- Unsigned Simple Authentication and Security Layer (SASL) LDAP bind, which does not require signing and is unsecure.
- Signed SASL LDAP bind, which requires signing and is secure.
- LDAP over Secure Sockets Layer/Transport Layer Security, also known as LDAPS bind, which is encrypted and is secure.
Domain controllers (DCs) are vulnerable because they let LDAP clients communicate with them via simple LDAP binds and SASL LDAP binds that require no signing. While simple LDAP binds allow credentials of privileged accounts, such as domain administrators, to traverse the network in cleartext, unsigned SASL LDAP binds allow any person with malicious intent to capture packets between the client and the DC, change the packets, and then forward them. Both of these scenarios can have catastrophic consequences. There is a high chance that DCs in your environment are allowing unsecure LDAP binds at this very moment.
How to detect unsecure LDAP binds
The first step towards mitigating this vulnerability is to identify whether you are affected, which you can do by looking through event ID 2887.
Event 2887 is logged by default on the DC once every 24 hours, and it shows the number of unsigned and cleartext binds to the DC during that period. Any number greater than zero indicates your DC is allowing unsecure LDAP binds.
Next, you need to detect all devices and applications using unsecure binds by looking through event ID 2889.
Event 2889 is logged on the DC each time a client computer attempts an unsigned or cleartext LDAP bind. It records the IP address of the client and the account name the client attempted to authenticate as over that bind.
Note: This event does not get logged by default, and requires appropriate diagnostics to be enabled.
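As an added example (not from the article and not part of ADAudit Plus), the following PowerShell script pulls a week of 2887 and 2889 events from a DC's Directory Service log, summarises the daily counts, and groups the per-bind events by client and identity. The message-parsing regexes and the Binding Type mapping are assumptions about the event text layout and should be checked against the events on your own DC.

```powershell
# Added example: inventory unsecure LDAP binds from a DC's Directory Service log.
# Run from an elevated PowerShell session on the DC, or point -ComputerName at it.
param(
    [string]$ComputerName = $env:COMPUTERNAME,
    [int]$Days = 7
)

# Event 2889 is only written when the NTDS 'LDAP Interface Events' diagnostic is
# raised to level 2. Uncomment to enable it on the local DC (a known registry value):
# Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics' `
#     -Name '16 LDAP Interface Events' -Value 2

$filter = @{ LogName = 'Directory Service'; Id = 2887, 2889; StartTime = (Get-Date).AddDays(-$Days) }
$events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue

# 2887: one summary per 24 hours with two counters (logged by default).
# Assumed message wording; adjust the patterns if your DC phrases it differently.
$events | Where-Object Id -eq 2887 | ForEach-Object {
    $simple   = [regex]::Match($_.Message, 'simple binds performed without SSL/TLS:\s*(\d+)').Groups[1].Value
    $unsigned = [regex]::Match($_.Message, 'binds performed without signing:\s*(\d+)').Groups[1].Value
    [pscustomobject]@{ Time = $_.TimeCreated; SimpleBinds = $simple; UnsignedSaslBinds = $unsigned }
} | Format-Table -AutoSize

# 2889: one event per unsecure bind, carrying client IP:port, identity and binding type.
# Assumed mapping: Binding Type 0 = unsigned SASL bind, 1 = simple (cleartext) bind.
$pattern = '(?s)Client IP address:\s*(?<ip>\S+)\s+Identity the client attempted to authenticate as:\s*(?<id>.+?)\s+Binding Type:\s*(?<type>\d)'
$events | Where-Object Id -eq 2889 | ForEach-Object {
    $m = [regex]::Match($_.Message, $pattern)
    if (-not $m.Success) { return }   # skip events whose text does not match the assumed layout
    [pscustomobject]@{
        ClientIP    = ($m.Groups['ip'].Value -split ':')[0]   # drop the ephemeral source port
        Identity    = $m.Groups['id'].Value.Trim()
        BindingType = if ($m.Groups['type'].Value -eq '1') { 'Simple (cleartext)' } else { 'Unsigned SASL' }
    }
} | Group-Object ClientIP, Identity, BindingType | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

The grouped 2889 output is the remediation worklist: each row is a client/account pair that still needs LDAP signing or LDAPS before signing can be enforced on the DC.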
How ADAudit Plus helps expedite detection
Using PowerShell scripts to parse and extract relevant data from the logged 2887 and 2889 events demands expertise and time. ADAudit Plus collects these events from all DCs in your domain, and provides reports that pinpoint the devices and applications that use unsecure LDAP binds. Details in the reports include IP addresses, ports, usernames, and the binding type. What’s more, you can also configure ADAudit Plus to alert you via email and SMS as and when there is an attempt to authenticate using an unsecure bind.
Identifying whether your DCs are allowing unsecure binds, and detecting devices and applications that are vulnerable due to this, is just a few clicks away.
Note: Once you’ve detected all devices and applications using unsecure LDAP binds with ADAudit Plus, ensure that you work towards remediating these binds by enforcing LDAP signing and LDAP channel binding (makes LDAPS more secure).
About ManageEngine ADAudit Plus
ADAudit Plus is a real-time Active Directory, file server, Windows server, and workstation security and compliance solution.
** Optrics Inc. is a ManageEngine partner