On Part 2 of this post, I will show how to request a certificate for a domain controller to use LDAPS, we will see also why we should never use simple bind on clear text.
This post is intended to give you an action plan on how you can Enforce Require LDAP Signing on your production, please start by reading Part 1. https://secureinfra.blog/2019/08/03/step-by-step-enforce-require-ldap-signing-on-domain-controllers-part-1/
Simple LDAP Bind in action
Before configuring LDAPS on DCs, let’s see why simple bind should always pass over SSL/TLS.
On MEM02 LDAP Admin tool is configured to use simple bind on clear text, using network monitor we will inspect traffic between MEM02 and DC01 when the connection happen.
As you can see on the screenshot below, simple bind using clear text is configured on LDAP Admin tool. I’m using the user Eric 😉.
Let’s see the traffic on Network Monitor.
As you can see on the screenshot, by sniffing the network traffic I can see the username and password in clear text.
Never use Simple bind on clear text.
To configure LDAPS on the domain lab.dz, we need to install a certificate on domain controllers. Below an easy example on how to request and install the certificate on DC01.
Create an inf file on DC01 with the content below
; —————– DC01Request.inf —————–
Subject = “CN=dc01.lab.dz” ; replace with the FQDN of your DC
KeySpec = 1
KeyLength = 2048
Exportable = TRUE
MachineKeySet = TRUE
SMIME = False
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = “Microsoft RSA SChannel Cryptographic Provider”
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0
OID=126.96.36.199.188.8.131.52.1 ; this is for Server Authentication
CertificateTemplate = KerberosAuthentication
Create a certificate request.
certreq –new DC01Request.inf DC01Request.req
DC01Request.req is generated.
Submit your request to your enterprise CA or third-party CA.
in my scenario I’m using Active Directory Certificate Services CA installed on MEM01.
Certreq -submit -config “mem01.lab.dz\lab-mem01-ca” DC01Request.reg DC01Request.cer
Install the certificate.
Certreq -accept DC01Request.cer
Certificate is deployed and LDAPS is available.
Let’s try a simple bind over SSL.
After fixing the applications on MEM01 and MEM02 we can safely enforce Require LDAP Signing on domain controllers 😊.
Enforce Require LDAP Signing
Right click on default domain controller policy and configure the setting. Domain Controller: LDAP server signing requirements.
After enforcing the setting, LDAP Admin tool is unable to access the directory server using insecure LDAP Bind.
The screenshot below shows the error message when I try a Simple Bind on clear text.
Enforcing Require LDAP signing will protect your password from transiting in clear text.
You have to start with an audit to detect all applications that are performing insecure binds before enforcing Require LDAP Signing. After finding the applications you have to configure the applications with one of the following.
- SASL bind that request signing.
- Simple bind over SSL/TLS.
You are ready to go 😉
Thanks for reading and Good Luck.