Windows – LDAP signing going to be mandatory in March 2020

In March 2020, Microsoft is going to release a security update for Windows which will require that all LDAP (Lightweight Directory Access Protocol) request to be signed, meaning all unsigned (and as such unsecure) LDAP request will be rejected by Windows Active Directory servers (AD DS or AD LDS).

You need to act now to ensure you will not have any service disruption; and don’t only about your Windows client – which should already do LDAPS request, but don’t forget the default setting does not requires request signing – but also any other network devices which require authentication using LDAP (like SAN Management, KVM, routers…).

To help you being prepared, you need to do the following:

• Ensure your Windows environment is prepared and configured for request sign-in using GPO

For Domain Controllers

Computer ConfigurationWindows SettingsSecurity
SettingsLocal PoliciesSecurity Options

Set the Domain controller: LDAP server signing requirements setting to Require Signing

For Windows domain joined clients

Computer ConfigurationWindows SettingsSecurity SettingsLocal PoliciesSecurity Options

Set the Network security: LDAP client signing requirements setting to Require Signing

• For other systems (aka not Windows or domain joined device), you will need to identify which one(s) is/are doing unsigned LDAP request to then update their configuration. NOTE you may have to contact your device provider to check how to do
• To check if there is any unsecured LDAP request and from where this is coming from, check for the Event ID 2886 in your Directory Service event log in your Domain Controllers

Event in text

Log Name:      Directory Service
Source:        Microsoft-Windows-ActiveDirectory_DomainService
Date:          1/16/2020 1:18:03 PM
Event ID:      2886
Task Category: LDAP Interface
Level:         Warning
Keywords:      Classic
User:          ANONYMOUS LOGON
Computer:     
Description:
The security of this directory server can be significantly enhanced by configuring the server to reject SASL (Negotiate, Kerberos, NTLM, or Digest) LDAP binds that do not request signing (integrity verification) and LDAP simple binds that are performed on a clear text (non-SSL/TLS-encrypted) connection.  Even if no clients are using such binds, configuring the server to reject them will improve the security of this server.
 
Some clients may currently be relying on unsigned SASL binds or LDAP simple binds over a non-SSL/TLS connection, and will stop working if this configuration change is made.  To assist in identifying these clients, if such binds occur this directory server will log a summary event once every 24 hours indicating how many such binds occurred.  You are encouraged to configure those clients to not use such binds.  Once no such events are observed for an extended period, it is recommended that you configure the server to reject such binds.
 
For more details and information on how to make this configuration change to the server, please see http://go.microsoft.com/fwlink/?LinkID=87923.
 
You can enable additional logging to log an event each time a client makes such a bind, including information on which client made the bind.  To do so, please raise the setting for the “LDAP Interface Events” event logging category to level 2 or higher.

If you find some, this means this specific Domain Controller is accepting unsecured LDAP requests and you need to fix it (see above)

• Then you have to check for the Event ID 2887 (generated every 24 hours); if you got some events (especially recently – my below example is from December 2019 and has nothing earlier)

Event in text

Log Name:      Directory Service
Source:        Microsoft-Windows-ActiveDirectory_DomainService
Date:          12/7/2019 5:44:01 PM
Event ID:      2887
Task Category: LDAP Interface
Level:         Warning
Keywords:      Classic
User:          ANONYMOUS LOGON
Computer:    
Description:

During the previous 24 hour period, some clients attempted to perform LDAP binds that were either:
(1) A SASL (Negotiate, Kerberos, NTLM, or Digest) LDAP bind that did not request signing (integrity validation), or
(2) A LDAP simple bind that was performed on a clear text (non-SSL/TLS-encrypted) connection
 
This directory server is not currently configured to reject such binds.  The security of this directory server can be significantly enhanced by configuring the server to reject such binds.  For more details and information on how to make this configuration change to the server, please see http://go.microsoft.com/fwlink/?LinkID=87923.
 
Summary information on the number of these binds received within the past 24 hours is below.
 
You can enable additional logging to log an event each time a client makes such a bind, including information on which client made the bind.  To do so, please raise the setting for the “LDAP Interface Events” event logging category to level 2 or higher.
 
Number of simple binds performed without SSL/TLS: 0
Number of Negotiate/Kerberos/NTLM/Digest binds performed without signing: 3

• If you have any Event ID 2887, then you need to enable LDAP Interface Events using either PowerShell or registry to track down which endpoint(s) is/are generating unsecured LDAP request as documented in the Microsoft KB 314980 https://support.microsoft.com/kb/314980/
• Once done,then you have to monitor for the Event ID 2889; it could be helpful there to have a SIEM to help you tracking down – you can also take advantage of the Azure Sentinel service by deploying the Microsoft Monitoring Agent (if not yet already done, which is highly recommended to deploy on any server ) and then use the Security Event data connector to target specifically Directory Services event

More details are available in the Microsoft KB Article KB 4520412 – https://support.microsoft.com/kb/4520412