Jump to content
OpenSecurity.global

Leaderboard


Popular Content

Showing content with the highest reputation on 01/28/2020 in all areas

  1. 2 points
    In March this year, Microsoft plan to change LDAP (an authentication system) behaviour so you are required to make connections which is signed and basically secure. If you have systems which authenticate with Active Directory in an insecure way, they will break post update. More info here: https://support.microsoft.com/en-us/help/4520412/2020-ldap-channel-binding-and-ldap-signing-requirement-for-windows https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV190023 This is a big change which may have production impacts, i.e. systems may break. How to identify systems which will break Go to your domain controllers and look for Event ID 2887: Product: Windows Operating System ID: 2887 Source: Microsoft-Windows-ActiveDirectory_DomainService Message: During the previous 24 hour period, some clients attempted to perform LDAP binds that were either: (1) A SASL (Negotiate, Kerberos, NTLM, or Digest) LDAP bind that did not request signing (integrity validation), or (2) A LDAP simple bind that was performed on a cleartext (non-SSL/TLS-encrypted) connection If you see this error, you need to take action as something will break. You can manually enable LDAP interface event logging, and afterwards Event ID 2889 will be logged in same location with the IP addresses of clients using insecure LDAP. On each DC: # Enable Simple LDAP Bind Logging Reg Add HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics /v "16 LDAP Interface Events" /t REG_DWORD /d 2 This will get you the IP address of systems using insecure LDAP.. the next issue is to get them to... not do that. Over to you!
×
×
  • Create New...

Important Information

We use cookies as we're cookie monsters. Privacy Policy