Insecure LDAP binds - insights

Checking for insecure LDAP binds is simple on a domain controller running Windows Server 2008 or newer. Open the registry at

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics

and set the DWORD value called "16 LDAP Interface Events" to 2. Do this from an elevated prompt on every domain controller you want to audit, because each DC only logs the binds it services itself:


# Enable Simple LDAP Bind Logging (level 2 logs one event per insecure bind; /f overwrites without prompting)

Reg Add HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics /v "16 LDAP Interface Events" /t REG_DWORD /d 2 /f

# Disable Simple LDAP Bind Logging (set it back to 0 once the audit is finished, the log volume on a busy DC is considerable)

Reg Add HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics /v "16 LDAP Interface Events" /t REG_DWORD /d 0 /f


Once you have done this the DC writes Event ID 2889 to the Directory Service event log (not the Security log) every time an insecure LDAP bind is detected, and by insecure I mean:

  • A simple bind (user name and password sent in the clear) to LDAP on port 389 without STARTTLS
  • A simple bind to the Global Catalog port 3268 without STARTTLS
  • A SASL bind (Negotiate, Kerberos, NTLM or Digest) on either port that does not request LDAP signing

Each 2889 event records the client IP address and source port, the identity the client tried to bind as, and the binding type (0 = SASL bind without signing, 1 = simple bind over clear text). A Kerberos bind that negotiates signing on port 389 is not logged, because it is not insecure.

The secure alternatives are:

LDAPS over port 636 (DC) or port 3269 (GC) where the connection is considered to be immediately secured by the certificate. SSL/TLS is negotiated before any LDAP traffic is exchanged.

LDAP using StartTLS over port 389 (DC) or 3268 (GC) where the StartTLS operation is used to establish secure communications. It requires the LDAP client to support this StartTLS operation.

Then you need this script from Russell Tomkins to turn the 2889 events into a report:

https://github.com/russelltomkins/Active-Directory/blob/master/Query-InsecureLDAPBinds.ps1

Then to get the report you run the script against a domain controller (the -ComputerName value is the DC whose Directory Service log is read, so run it once per DC):

 .\Query-InsecureLDAPBinds.ps1 -ComputerName fuzzybear.local

By default the script only looks at the last 24 hours of events. If you want to go further back, add the -Hours parameter, for example 960 hours (40 days):

 .\Query-InsecureLDAPBinds.ps1 -ComputerName fuzzybear.local -Hours 960
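The whole procedure above (switch on the diagnostic value, wait, read the 2889 events, summarise them) done in one pass across every DC in the domain, as an added example that is not part of the original post and is not Russell Tomkins' script. It assumes you run it from a domain-joined admin host with the ActiveDirectory module installed, WinRM reachable on the DCs, and rights to edit their registry and read their event logs; the file name Audit-LdapBinds.ps1, the -Enable switch and the CSV path are my own choices, not anything from the page or the script it links.

```powershell
# Audit-LdapBinds.ps1 (added example, not the page's or Russell Tomkins' code).
# Enables event 2889 logging on every DC in the domain (optional), pulls the
# events back for the last N hours, and summarises them per client/identity/type.
# Assumptions (not from the original post): domain-joined admin host, ActiveDirectory
# module present, WinRM reachable on the DCs, rights to edit the DC registry and
# read the Directory Service log remotely.
param(
    [int]$Hours = 24,                       # look-back window, like the linked script's -Hours
    [switch]$Enable,                        # also set "16 LDAP Interface Events" to 2 on each DC
    [string]$Csv = '.\InsecureLDAPBinds.csv' # hypothetical output path
)

$RegPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'
$RegName = '16 LDAP Interface Events'
$DCs     = (Get-ADDomainController -Filter *).HostName

if ($Enable) {
    # Level 2 makes NTDS log one 2889 event per insecure bind. Each DC only
    # sees the binds it services, so every DC has to be switched on.
    Invoke-Command -ComputerName $DCs -ScriptBlock {
        Set-ItemProperty -Path $using:RegPath -Name $using:RegName -Value 2 -Type DWord
    }
}

$Start  = (Get-Date).AddHours(-$Hours)
$Report = foreach ($DC in $DCs) {
    # 2889 lands in the Directory Service log, not the Security log.
    # SilentlyContinue: Get-WinEvent raises an error, not an empty result, when nothing matches.
    $Events = Get-WinEvent -ComputerName $DC -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Directory Service'; Id = 2889; StartTime = $Start
    }
    foreach ($E in $Events) {
        # Event data fields: [0] client "address:port", [1] identity, [2] binding type.
        # Split on the LAST colon so an IPv6 client address survives intact.
        $Endpoint = [string]$E.Properties[0].Value
        $Sep      = $Endpoint.LastIndexOf(':')
        if ($Sep -lt 0) { $Address = $Endpoint; $Port = '' }
        else            { $Address = $Endpoint.Substring(0, $Sep); $Port = $Endpoint.Substring($Sep + 1) }

        $Type = switch ([int]$E.Properties[2].Value) {
            0       { 'SASL bind without signing' }
            1       { 'Simple bind over clear text' }
            default { "Unknown ($_)" }
        }

        [pscustomobject]@{
            DC       = $DC
            Time     = $E.TimeCreated
            ClientIP = $Address
            Port     = $Port
            Identity = $E.Properties[1].Value
            BindType = $Type
        }
    }
}

$Report | Export-Csv -Path $Csv -NoTypeInformation

# Who to fix first: group by source, account and bind type, most frequent on top.
$Report |
    Group-Object ClientIP, Identity, BindType |
    Sort-Object Count -Descending |
    Select-Object Count, @{ n = 'Client / Identity / BindType'; e = { $_.Name } } |
    Format-Table -AutoSize
```

Run it once with `-Enable` to switch logging on, leave it for a day or more so the weekly and overnight jobs show up, then run it again with `-Hours 960` or similar to collect. The grouped output is the working list: each row is one application or service account that will break the moment you enforce LDAP signing or channel binding on the DCs, which is the real reason to do this audit before changing the policy. Remember to set the value back to 0 afterwards, as in the Reg Add commands above.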


