If you wish to check for insecure LDAP binds, this is very simple to do on Server 2016 and newer. All you need to do is open the registry key
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics
and set the value named "16 LDAP Interface Events" under that key to 2, like this:
# Enable simple LDAP bind logging (the value already exists with data 0 by default, so /f overwrites it without prompting).
Reg Add HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics /v "16 LDAP Interface Events" /t REG_DWORD /d 2 /f
# Disable simple LDAP bind logging again afterwards by setting it back to 0.
Reg Add HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics /v "16 LDAP Interface Events" /t REG_DWORD /d 0 /f
With this logging enabled, the domain controller records the binds that are considered insecure, i.e. when a client does either of the following:
- Connect to LDAP on port 389 (DC) without STARTTLS
- Connect to the GC port 3268 without STARTTLS
The secure alternative is LDAP over TLS, known as LDAPS, which takes one of two forms:
- LDAPS over port 636 (DC) or port 3269 (GC), where the connection is secured immediately by the certificate: SSL/TLS is negotiated before any LDAP traffic is exchanged.
- LDAP using StartTLS over port 389 (DC) or 3268 (GC), where the StartTLS operation is used to establish the secure channel. This requires the LDAP client to support the StartTLS operation.
Then you need this script to produce the report from the logged events:
https://github.com/russelltomkins/Active-Directory/blob/master/Query-InsecureLDAPBinds.ps1
To get the report, run it against your domain controller:
.\Query-InsecureLDAPBinds.ps1 -ComputerName fuzzybear.local
By default the report covers the last 24 hours of logging. If you want more than that, add the -Hours flag, for example 960 hours (40 days):
.\Query-InsecureLDAPBinds.ps1 -ComputerName fuzzybear.local -Hours 960
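To show what such a report is built from, here is an added PowerShell example of my own; it is not code from the original post or from the Query-InsecureLDAPBinds.ps1 script. It first checks that "16 LDAP Interface Events" is actually set to 2 on the target DC (otherwise the log will be empty and the report would be misleadingly clean), then pulls the insecure-bind events from the "Directory Service" log and summarises them per client and account. It assumes, as known Windows behaviour not stated on the page, that the insecure-bind event is ID 2889 and that its three event data fields are, in order, the client IP:port, the identity the client bound as, and the binding type (0 = simple bind in cleartext, 1 = SASL bind without signing). The DC name "dc01.fuzzybear.local" is a placeholder.

```powershell
# Added example (not the post's or the script's own code): summarise insecure LDAP binds
# recorded by a domain controller once "16 LDAP Interface Events" is set to 2.
# Assumptions (not stated on the page): the insecure-bind event is ID 2889 in the
# "Directory Service" log, and its event data fields are [0] client IP:port,
# [1] identity the client bound as, [2] binding type (0 = simple bind, 1 = unsigned SASL).
param(
    [string]$ComputerName = 'dc01.fuzzybear.local',   # placeholder DC name
    [int]$Hours = 24                                   # look-back window, as in the post
)

$diagKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'
$valueName = '16 LDAP Interface Events'

# 1. Sanity check: is insecure-bind logging switched on? An empty report is only
#    meaningful if the diagnostics value is 2 on the DC being queried.
try {
    $level = Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        Get-ItemProperty -Path $using:diagKey -Name $using:valueName |
            Select-Object -ExpandProperty $using:valueName
    } -ErrorAction Stop
    if ($level -lt 2) {
        Write-Warning "'$valueName' is $level on $ComputerName; set it to 2 or no insecure binds will be logged."
    }
} catch {
    Write-Warning "Could not read '$valueName' on $ComputerName ($($_.Exception.Message)); continuing anyway."
}

# 2. Collect the insecure-bind events for the requested window.
#    Get-WinEvent reports "no events found" as an error, so suppress it and treat that as an empty result.
$since  = (Get-Date).AddHours(-$Hours)
$filter = @{ LogName = 'Directory Service'; Id = 2889; StartTime = $since }
$events = @(Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue)

$bindTypeName = @{
    '0' = 'Simple bind (cleartext)'
    '1' = 'SASL bind without signing'
}

# 3. Flatten each event into a row. The client field is "ip:port"; drop the ephemeral
#    source port so repeated binds from one host group together.
$rows = foreach ($e in $events) {
    $ipPort   = [string]$e.Properties[0].Value
    $bindType = [string]$e.Properties[2].Value
    [pscustomobject]@{
        TimeCreated = $e.TimeCreated
        ClientIP    = $ipPort -replace ':\d+$', ''
        Identity    = [string]$e.Properties[1].Value
        BindType    = if ($bindTypeName.ContainsKey($bindType)) { $bindTypeName[$bindType] } else { "Unknown ($bindType)" }
    }
}

# 4. Summarise: one line per client / account / bind type, most frequent first.
$summary = $rows |
    Group-Object ClientIP, Identity, BindType |
    ForEach-Object {
        $first  = $_.Group[0]
        $latest = ($_.Group | Sort-Object TimeCreated -Descending | Select-Object -First 1).TimeCreated
        [pscustomobject]@{
            ClientIP = $first.ClientIP
            Identity = $first.Identity
            BindType = $first.BindType
            Count    = $_.Count
            LastSeen = $latest
        }
    } |
    Sort-Object Count -Descending

if (-not $summary) {
    Write-Host "No insecure LDAP binds logged on $ComputerName in the last $Hours hour(s)."
} else {
    $summary | Format-Table -AutoSize
    $summary | Export-Csv -Path ".\InsecureLDAPBinds-$ComputerName.csv" -NoTypeInformation
}
```

Run it from a workstation with the RSAT tools, e.g. `.\Get-InsecureBindSummary.ps1 -ComputerName fuzzybear.local -Hours 960` (the file name is your choice). Reading the remote registry needs WinRM, and `Get-WinEvent -ComputerName` needs the "Remote Event Log Management" firewall rules open on the DC; if either is unavailable, run the script locally on the DC instead. The grouped output is what you act on: each ClientIP/Identity pair is an application or service account that still binds in cleartext or without signing and needs reconfiguring for LDAPS or StartTLS before you enforce signing and channel binding.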