my personal blog about systemcenter

Finding clients using insecure LDAP binds

Microsoft announced in August 2019 that they will enforce the use of secure LDAP binds starting with the March 2020 update.

This means that applications that use “classic” LDAP over port 389 will fail after the updates in the March 2020 cycle are applied.

Take Action: Microsoft Security Advisory ADV190023 published to introduce LDAP channel binding and LDAP signing support. Administrators will need to test these settings in their environment after manually adjusting them on their servers.

The first call to action was August 2019, so if you missed it (like me), it is very late to get started on preventing possible outages when the March update cycle arrives.

Required: Security Update available on Windows Update for all supported Windows platforms that will enable LDAP channel binding and LDAP signing on Active Directory servers by default.

The second call to action is now: get searching in the logs.

Events 2886, 2889, 2887 and 1220 from Directory Services are the ones to make sure are logged and searchable.

Domain Controllers will by default log a 2886 every 24 hours with how many clients connected. This shows whether there is usage, but not who or what.

For detailed logging, set LDAP Interface Events logging to level 2 on your Domain Controllers:

Reg Add HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics /v "16 LDAP Interface Events" /t REG_DWORD /d 2

To disable logging again:

Reg Add HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics /v "16 LDAP Interface Events" /t REG_DWORD /d 0

With logging set to level 2, Event ID 2889 now shows each client connecting with an insecure bind, including the source IP and the username that authenticated:

The following client performed a SASL (Negotiate/Kerberos/NTLM/Digest) LDAP bind without requesting signing (integrity verification), or performed a simple bind over a clear text (non-SSL/TLS-encrypted) LDAP connection. 
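
To turn those 2889 events into a worklist, the following added example (not part of the original post) reads them from the Directory Service log on one domain controller and groups them by client IP, account and bind type. The function name `Get-InsecureLdapBind` is hypothetical, and the script assumes level 2 logging is enabled and that the event properties are ordered as described in its comments.

```powershell
# Added example, not from the original post. Get-InsecureLdapBind is a hypothetical name.
# Assumption: 2889 event properties are [0] client "IP:port", [1] bind identity,
# [2] bind type (0 = SASL bind without signing, 1 = simple bind in clear text).
function Get-InsecureLdapBind {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,  # domain controller to query
        [int]$Hours = 24                            # how far back to search
    )

    $filter = @{
        LogName   = 'Directory Service'
        Id        = 2889
        StartTime = (Get-Date).AddHours(-$Hours)
    }

    # Get-WinEvent raises an error when no event matches; treat that as "no results"
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $evt    = $_
            $client = [string]$evt.Properties[0].Value
            # Split on the last colon so IPv6 addresses keep their own colons
            $split  = $client.LastIndexOf(':')
            $ip     = if ($split -gt 0) { $client.Substring(0, $split) } else { $client }
            $bind   = switch ([string]$evt.Properties[2].Value) {
                '0'     { 'SASL without signing' }
                '1'     { 'Simple bind (clear text)' }
                default { "Unknown ($_)" }
            }
            [pscustomobject]@{
                TimeCreated = $evt.TimeCreated
                ClientIP    = $ip
                User        = [string]$evt.Properties[1].Value
                BindType    = $bind
            }
        }
}

# One row per client / account / bind type, busiest first: the systems to fix
Get-InsecureLdapBind -Hours 24 |
    Group-Object ClientIP, User, BindType |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

Run it against every domain controller, since each one only logs the binds it handled itself.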

If you see 1220, a client tried to use LDAPS but the domain controller didn’t have a certificate available:

LDAP over Secure Sockets Layer (SSL) will be unavailable at this time because the server was unable to obtain a certificate.