February 13, 2020 | By ItaySharoni, Service Manager & Senior Security Support Engineer
In March 2020, Microsoft is expected to release a security update on Windows Update that will enable LDAP channel binding and LDAP signing improvement changes. These events will change domain controllers default behavior and will affect many organizations.
LDAP channel binding and LDAP signing will improve the security of network communications between Active Directory Domain Services (AD DS) or an Active Directory Lightweight Directory Services (AD LDS) and its clients.
Up to this day, any Domain Controller (DC) with default settings will bind and serve any clear text or unsigned LDAP queries. These two methods are known as “Simple Authentication” (username and password) and “Simple Authentication and Security Layer” (SASLs may include protocols such as the Negotiate, Kerberos, NTLM, and Digest protocols).
The two methods mentioned above can be used over clear text. However, these default settings are susceptible to attacks or vulnerabilities. Take for instance, the typical man-in-the middle attacks can be escalated. A man-in-the-middle attack refers to a series of unfortunate events whereby attackers successfully put forward unauthenticated requests to a Window LDAP Server, since the Server, running on AD DS or AD LDS, have not be configured to detect such vulnerability by requiring sealing or signing on incoming connections.
However, after the impending update (still no KB), the default behavior changes will be able to reject any non-SSL\TLS encrypted or signed connections.
It is very important to understand that many organizations still use LDAP queries from third party applications/servers/devices over clear text. Those need to be identified and reconfigured to use SSL (636,3269) or start TLS (389,3268) or sign the request (many non-windows clients will not support this).
The following technical steps will help many organizations identify those issues. Take for instance, on every Domain Controller, every 24 hours we get Event ID: 2887 with summary of how many connections were made unsigned and non-SL under “Directory Service” event log.
The information above can give us a rough estimate of what is going on but it’s not enough.
Hence, we need to enable level 2 debug on all DCs for “LDAP Interface Events”. This can be achieved by undertaking a registry change.
We need to edit this in the registry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics and set “16 LDAP Interface Events” to value “2” (default is “0”). This will generate Event ID: 2889 on every clear text/not signed connections with “Source IP” and user/computer account details.
Now, what we can learn from these events is that all servers/apps need to be reconfigured to use SSL/TLS or signed LDAP queries (let it run for at least a month and gather the events regularly).
For example, since I use QRADAR SIEM, I configured collecting “Directory Service” event log and I phrased the fields “Client IP Address” and “Identity the client attempted to authenticate as:” to ease the search.