How to enable LDAP signing in Windows Server 2008

RAPID PUBLISHING

RAPID PUBLISHING ARTICLES PROVIDE INFORMATION IN RESPONSE TO EMERGING OR UNIQUE TOPICS, AND MAY BE UPDATED AS NEW INFORMATION BECOMES AVAILABLE.

The security of a directory server can be significantly improved by configuring the server to reject Simple Authentication and Security Layer (SASL)LDAP binds that do not request signing (integrity verification) and LDAP simple binds that are performed on a clear text (non-SSL/TLS-encrypted) connection. SASLs may include protocols such as Negotiate, Kerberos, NTLM, or Digest.

Unsigned network traffic is susceptible to replay attacks in which an intruder intercepts the authentication attempt and the issuance of a ticket. The intruder can reuse the ticket to impersonate the legitimate user. Additionally, unsigned network traffic is susceptible to man-in-the-middle attacks in which an intruder captures packets between the client and the server, changes the packets, and then forwards them to the server. If this occurs on an LDAP server, an attacker can cause a server to make decisions that are based on forged requests from the LDAP client.

This article describes how to configure your directory server to protect it from such attacks.

Discovering clients that do not use theRequire signing option

Clients that rely on unsigned SASL (Negotiate, Kerberos, NTLM, or Digest) LDAP binds or LDAP simple binds over a non-SSL/TLS connection stop working after you make this configuration change. To help identify these clients, the directory server logs a summary event 2887 one time every 24 hours to indicate how many such binds occurred. We recommend that you configure these clients not to use such binds. After no such events are observed for an extended period, we recommend that you configure the server to reject such binds.

If more detailed information is required to identify such clients, the directory server can be configured to provide more detailed logs. This additional logging will log an event 2889 when a client attempts an unsigned LDAP bind. The logging displays the IP address of the client and the identity that the client tried to use to authenticate. This additional logging can be enabled by setting the LDAP Interface Events diagnostic setting to 2 (Basic). For more information about how to change the diagnostic settings, visit the following Microsoft Web site:
http://go.microsoft.com/?linkid=9645087 (http://go.microsoft.com/?linkid=9645087)

If the directory server is configured to reject unsigned SASL LDAP binds or LDAP simple binds over a non-SSL/TLS connection, the directory server will log a summary event 2888 one time every 24hours, when such bind attempts occur.

Configuring the Directory to require LDAP Server Signing

Using Group Policy

1. Click Start, click Run, type mmc.exe , and then click OK.
2. On the File menu, click Add/Remove Snap-in.
3. In the Add or Remove Snap-ins dialog box, click Group Policy Management Editor, click Add.
4. In the Select Group Policy Object dialog box, click Browse.
5. In the Browse for a Group Policy Object dialog box, click Default Domain Policy under the Domains, OUs and linked Group Policy Objects area, and then click OK.
6. Click Finish.
7. Click OK.
8. Expand Default Domain Controller Policy, expand Computer Configuration, expand Policies, expand Windows Settings, expand Security Settings, expand Local Policies, and then expand Security Options.
9. Right-click Domain controller: LDAP server signing requirements, and then click Properties.
10. In the Domain controller: LDAP server signing requirements Properties dialog box, enable Define this policy setting, click to select Require signing in the Define this policy setting drop-down list, and then click OK.
11. Click Yes in the Confirm Setting Change dialog box.

Using Group Policy (setting of the client LDAP signing requirement)

1. Click Start, click Run, type mmc.exe , and then click OK.
2. On the File menu, click Add/Remove Snap-in.
3. In the Add or Remove Snap-ins dialog box, click Group Policy Object Editor, and then click Add.
4. Click Finish.
5. Click OK.
6. Expand Local Computer Policy, expand Computer Configuration, expand Policies, expand Windows Settings, expand Security Settings, expand Local Policies, and then expand Security Options.
7. Right-click Network security: LDAP client signing requirements, and then click Properties.
8. In the Domain controller: LDAP server signing requirements Properties dialog box, enable Define this policy setting, click to select Require signing in the Define this policy setting drop-down list, and then click OK.
9. Click Yes in the Confirm Setting Change dialog box.

For more information, click the following article number to view the article in the Microsoft Knowledge Base:
Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base: Using Registry Keys

1. Click Start, click Run, type regedit, and then click OK.
2. Locate and then click the following registry subkey:
   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
3. Right-click the LDAPServerIntegrity registry entry, and then click Modify.
4. Change Value data to 2, and then click OK.

For Active Directory Lightweight Directory Services (AD LDS), the registry key is not available by default. Therefore, you must create a LDAPServerIntegrity registry entry of the REG_DWORD type under the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\instanceName\Parameters

Note InstanceName is the name of your AD LDS instance which you want to change.
Verify Configuration Changes

1. Click Start, click Run, type ldp.exe, and then click OK.
2. Under the Connection menu, click Connect.
3. Type in the server name and non-SSL/TLS port of your directory server in the Server field and the Port field, and then select OK.
   Note For an Active Directory Domain Controller, the applicable port is 389.
4. After establishing a connection, select Bind under the Connection menu.
5. Under Bind type, select Simple bind.
6. Type in the username and password, and then click OK.

You have successfully configured your directory server if you receive the following error message:

DISCLAIMER

MICROSOFT AND/OR ITS RESPECTIVE SUPPLIERS MAKE NO REPRESENTATIONS ABOUT THE SUITABILITY OF THE INFORMATION CONTAINED IN THE DOCUMENTS AND RELATED GRAPHICS PUBLISHED ON THIS WEBSITE FOR ANY PURPOSE. THE DOCUMENTS AND RELATED GRAPHICS PUBLISHED ON THIS WEBSITE COULD INCLUDE TECHNICAL INACCURACIES OR TYPOGRAPHICAL ERRORS. CHANGES ARE PERIODICALLY ADDED TO THE INFORMATION HEREIN. MICROSOFT AND/OR ITS RESPECTIVE SUPPLIERS MAY MAKE IMPROVEMENTS AND/OR CHANGES IN THE PRODUCT(S) AND/OR THE PROGRAM(S) DESCRIBED HEREIN AT ANY TIME.

For more information on the terms of use, click on the link below:
http://support.microsoft.com/tou/ (http://support.microsoft.com/tou/)