Event ID 2886 — LDAP signing

Applies To: Windows Server 2008 R2

To enhance the security of directory servers, you can configure both Active Directory Domain Services (AD DS) and Active Directory Lightweight Directory Services (AD LDS) to require signed Lightweight Directory Access Protocol (LDAP) binds.

Unsigned network traffic is susceptible to replay attacks, in which an intruder intercepts an authentication attempt and the issue of a ticket. The intruder can reuse the ticket to impersonate the legitimate user. In addition, unsigned network traffic is susceptible to man-in-the-middle attacks, in which an intruder captures packets between the client computer and the server, modifies the packets, and then forwards them to the server. When this behavior occurs on an LDAP server, an attacker can cause a server to make decisions that are based on forged requests from the LDAP client.

Consider enhancing the security of your domain controllers by configuring them to reject simple LDAP bind requests and other bind requests that do not include LDAP signing.

Event Details

Product: Windows Operating System
ID: 2886
Source: Microsoft-Windows-ActiveDirectory_DomainService
Version: 6.0
Symbolic Name: DIRLOG_ENCOURAGE_LDAP_SIGNING
Message: The security of this directory server can be significantly enhanced by configuring the server to reject SASL (Negotiate, Kerberos, NTLM, or Digest) LDAP binds that do not request signing (integrity verification) and LDAP simple binds that are performed on a cleartext (non-SSL/TLS-encrypted) connection. Even if no clients are using such binds, configuring the server to reject them will improve the security of this server. Some clients may currently be relying on unsigned SASL binds or LDAP simple binds over a non-SSL/TLS connection, and will stop working if this configuration change is made. To assist in identifying these clients, if such binds occur this directory server will log a summary event once every 24 hours indicating how many such binds occurred. You are encouraged to configure those clients to not use such binds. Once no such events are observed for an extended period, it is recommended that you configure the server to reject such binds. For more details and information on how to make this configuration change to the server, please see https://go.microsoft.com/fwlink/?LinkID=87923. You can enable additional logging to log an event each time a client makes such a bind, including information on which client made the bind. To do so, please raise the setting for the "LDAP Interface Events" event logging category to level 2 or higher.

Resolve

Consider configuring the directory to reject LDAP binds that do not require signing

To enhance the security of your network, you should consider configuring the domain controller to reject unsigned LDAP communications. For additional information and configuration details, see article 823659 in the Microsoft Knowledge Base (https://go.microsoft.com/?linkid=145022).

Discover client computers that do not use signing

Client computers that currently rely on unsigned binds or LDAP simple binds over a non-Secure Sockets Layer / Transport Layer Security (SSL/TLS) connection will stop working if you make this configuration change. You should first identify all the client computers that are using unsigned binds. When unsigned binds occur, the domain controller will log Event ID 2887 every 24 hours, indicating how many unsigned binds have occurred. If you want to learn specifically which client computers are using unsigned binds to the domain controller, you can enable diagnostic logging for LDAP Interface Events.

Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. Review details about default group memberships at https://go.microsoft.com/fwlink/?LinkID=150761. Perform the following procedure on the domain controller on which you want to perform diagnostic logging.

To enable diagnostic logging for LDAP Interface Events:

Caution: Incorrectly editing the registry might severely damage your system. Before making changes to the registry, you should back up any valued data.

  1. Open a command prompt as an administrator. To open a command prompt as an administrator, click Start. In Start Search, type Command Prompt. At the top of the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
  2. Type the following command, and then press ENTER: Reg Add HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics /v "16 LDAP Interface Events" /t REG_DWORD /d 2 
  3. When you are prompted, confirm the overwrite operation by typing Y and pressing ENTER.
  4. Use Event Viewer to locate the Event ID 2889, which is logged each time that a client computer attempts an unsigned LDAP bind. This event displays the client IP address and the account name that was used when the client computer attempted to authenticate.
  5. After you have determined the client computers that are attempting to perform unsigned binds, you can disable the diagnostic logging for LDAP Interface Events by running the following command: Reg Add HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics /v "16 LDAP Interface Events" /t REG_DWORD /d 0
  6. Type Y and press ENTER to confirm the settings overwrite, which disables diagnostic logging for the LDAP Interface.
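The following PowerShell script is an added example, not part of the original article, that automates the procedure above: it sets the same "16 LDAP Interface Events" diagnostic value the Reg Add commands write, summarizes the Event ID 2889 entries by client address and account so the noisiest sources of unsigned binds can be fixed first, and turns the logging back off. It assumes the 2889 message text contains the phrases "Client IP address:" and "authenticate as:" before the respective values (the regular expressions are an assumption to adjust if your server words the message differently), and it must be run in an elevated session on the domain controller.

```powershell
# Added example, not part of the original article: enable "LDAP Interface Events"
# diagnostic logging (the same registry value the Reg Add command above sets),
# summarize the Event ID 2889 entries it produces per client and account, and
# turn the logging off again. Run in an elevated PowerShell session on the DC.
param(
    [ValidateSet('Enable', 'Report', 'Disable')]
    [string]$Action = 'Report',
    [int]$Hours = 24
)

$diagKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'
$diagValue = '16 LDAP Interface Events'

function Set-LdapInterfaceLogging {
    param([ValidateRange(0, 5)][int]$Level)
    # Level 2 logs Event ID 2889 for each unsigned/cleartext simple bind; 0 stops it.
    Set-ItemProperty -Path $diagKey -Name $diagValue -Value $Level -Type DWord
}

function Get-UnsignedLdapBindClients {
    param([int]$Hours = 24)
    $filter = @{
        LogName      = 'Directory Service'
        ProviderName = 'Microsoft-Windows-ActiveDirectory_DomainService'
        Id           = 2889
        StartTime    = (Get-Date).AddHours(-$Hours)
    }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # Assumption: the 2889 message text carries "Client IP address:" and
        # "...authenticate as:" followed by the values; adjust the patterns if
        # your server's message wording differs.
        $ip = $null; $id = $null
        if ($e.Message -match 'Client IP address:\s*(\S+)') { $ip = $Matches[1] }
        if ($e.Message -match 'authenticate as:\s*(\S+)')   { $id = $Matches[1] }
        [pscustomobject]@{ Time = $e.TimeCreated; ClientIP = $ip; Identity = $id }
    }
}

switch ($Action) {
    'Enable'  { Set-LdapInterfaceLogging -Level 2; 'Diagnostic logging enabled (level 2).' }
    'Disable' { Set-LdapInterfaceLogging -Level 0; 'Diagnostic logging disabled (level 0).' }
    'Report'  {
        # One row per client/account pair, most frequent first, so the noisiest
        # unsigned-bind sources can be remediated before signing is enforced.
        Get-UnsignedLdapBindClients -Hours $Hours |
            Group-Object ClientIP, Identity |
            Sort-Object Count -Descending |
            Select-Object Count, @{ Name = 'Client, Identity'; Expression = { $_.Name } } |
            Format-Table -AutoSize
    }
}
```

Run it once with `-Action Enable`, leave the logging on long enough to cover the clients' normal activity (the article's guidance is to wait until no 2887 summary events appear for an extended period), then run `-Action Report` and finally `-Action Disable`. Leaving level 2 logging on indefinitely is not recommended, since a busy domain controller will write one 2889 event per unsigned bind.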

For additional information about Active Directory diagnostic logging, see article 314980 in the Microsoft Knowledge Base (https://go.microsoft.com/?linkid=145021).

Configuring domain controllers for LDAP signing

You can use a registry key or Group Policy to configure domain controllers for LDAP signing.

Membership in Domain Admins, or equivalent, is the minimum required to complete these procedures. Review details about default group memberships at https://go.microsoft.com/fwlink/?LinkID=150761. Perform the following procedures on a domain controller or a computer that has Remote Server Administration Tools (RSAT) installed. For more information about RSAT, see Installing Remote Server Administration Tools for AD DS (https://go.microsoft.com/?linkid=144909).

To use Group Policy to configure all domain controllers to reject unsigned and simple LDAP bind requests:

  1. Open the Group Policy Management Console. To open the Group Policy Management Console, click Start. In Start Search, type Group Policy Management. Right-click the Group Policy Management icon on the Start menu, and then click Run as administrator.
  2. Expand the forest and domain objects until you locate the domain object for the set of domain controllers that you want to configure.
  3. Expand the Domain Controllers object, right-click Default Domain Controllers Policy, and then click Edit.
  4. Expand the following objects in the Group Policy Management Editor: Computer Configuration, Policies, Windows Settings, Security Settings, and Local Policies, and then click Security Options.
  5. In the right pane, double-click the Domain Controller: LDAP server signing requirements policy.
  6. Ensure that the Define this policy setting check box is selected, use the selection box to set Require Signing, and then click OK.
  7. Review the information in the Confirm Setting Change dialog box, and if you are sure you want to make this change, click Yes to continue.

To use a registry key to configure domain controllers to reject unsigned and simple LDAP bind requests:

Caution: Incorrectly editing the registry might severely damage your system. Before making changes to the registry, you should back up any valued data.

  1. Open Registry Editor as an administrator on each domain controller that you want to change. To open Registry Editor as an administrator, click Start. In Start Search, type regedit. At the top of the Start menu, right-click Regedit, and then click Run as administrator. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
  2. In the registry location HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters, in the left pane, right-click ldapserverintegrity, and then click Modify.
  3. Type 2 for Value data to configure the server to reject simple or unsigned LDAP bind requests, and then click OK.

Configuring AD LDS servers for LDAP signing

To configure LDAP signing for an AD LDS instance, you must modify the registry on the AD LDS server.

Membership in local Administrators, or equivalent, is the minimum required to complete this procedure. Review details about default group memberships at https://go.microsoft.com/fwlink/?LinkID=150761. Perform this procedure on the AD LDS server.

To configure an AD LDS server for LDAP signing:

Caution: Incorrectly editing the registry might severely damage your system. Before making changes to the registry, you should back up any valued data.

  1. Open Registry Editor as an administrator. To open Registry Editor as an administrator, click Start. In Start Search, type RegEdit. At the top of the Start menu, right-click Regedit, and then click Run as administrator. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
  2. Navigate to the following registry location: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\instanceName\ where instanceName is the name of your AD LDS instance on which you want to change the setting.
  3. Right-click the Parameters key, click New, and then click DWORD (32-bit) Value.
  4. Type LDAPServerIntegrity for the name of the new value.
  5. Double-click the new value, type 2 for the Value data, and then click OK.
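Both registry procedures (the domain controller steps under "Configuring domain controllers for LDAP signing" and the AD LDS steps above) write the same LDAPServerIntegrity value, so one added example serves both. The script below is not part of the original article; it sets LDAPServerIntegrity to 2 under the Parameters key of either the NTDS service or an AD LDS instance and reads the value back. The instance service name `instanceName` is the article's placeholder, not a real instance, and the script must run elevated on the server being changed.

```powershell
# Added example, not part of the original article: set LDAPServerIntegrity
# (1 = no signing required, 2 = require signing) for the NTDS service on a
# domain controller or for an AD LDS instance, then read the value back.
function Set-LdapServerIntegrity {
    param(
        # 'NTDS' for a domain controller; for AD LDS, the instance's key name
        # under HKLM\SYSTEM\CurrentControlSet\Services (placeholder below).
        [string]$ServiceName = 'NTDS',
        [ValidateSet(1, 2)][int]$Level = 2
    )
    $params = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName\Parameters"
    if (-not (Test-Path $params)) {
        throw "Registry key $params not found; check the service or instance name."
    }
    # On a DC the value already exists (article step 2); on an AD LDS instance
    # -Force creates it, as the article's steps 3 to 5 do by hand.
    New-ItemProperty -Path $params -Name 'LDAPServerIntegrity' -Value $Level `
        -PropertyType DWord -Force | Out-Null
    # Return the effective value so the caller can confirm the change took.
    (Get-ItemProperty -Path $params -Name 'LDAPServerIntegrity').LDAPServerIntegrity
}

# Domain controller: require signing.
Set-LdapServerIntegrity -ServiceName 'NTDS' -Level 2

# AD LDS instance; 'instanceName' is the article's placeholder for the real
# instance key name under the Services hive.
Set-LdapServerIntegrity -ServiceName 'instanceName' -Level 2
```

Each call returns the DWORD it just wrote (2 when signing is required). Before applying level 2 fleet-wide, review the 2887 summary events and 2889 per-client events described under "Discover client computers that do not use signing" so that no client still depending on unsigned or cleartext simple binds is cut off.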

Verify

Membership in Domain Users, or equivalent, is the minimum required to perform the following procedure. Review details about default group memberships at https://go.microsoft.com/fwlink/?LinkID=150761. Perform the following procedure on a domain controller or a computer that has Remote Server Administration Tools (RSAT) installed. For more information about RSAT, see Installing Remote Server Administration Tools for AD DS (https://go.microsoft.com/?linkid=144909).

To verify that the directory is configured to reject simple LDAP connections:

  1. Open Ldp. To open Ldp, click Start. In Start Search, type ldp. Right-click the Ldp icon on the Start menu, and then click Run as administrator. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
  2. Click the Ldp Connection menu, and then click Connect. In Server, type the host name of the server to which you want to connect. Ensure that Port is set to 389 and that the Connectionless and SSL check boxes are cleared, and then click OK.
  3. Click the Connection menu, and then click Bind.
  4. In the Bind dialog box, click Simple bind.
  5. In User, type domainname\username, where domainname is the actual name of the domain and username is the name of the account that you are using. Enter your password in the Password box, and then click OK.

If the command output in the results pane displays an error message that reads "Ldap_simple_bind_s() failed: Strong Authentication Required" or "Error 0x2028: A more secure authentication method is required for this server," the domain controller is configured to reject simple LDAP binds. However, if the command output reads "Authenticated as: 'NT AUTHORITY\ANONYMOUS LOGON'," the directory is allowing simple LDAP binds.
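The same check can be scripted. The function below is an added example, not part of the original article: it attempts a cleartext simple bind to port 389 with System.DirectoryServices.Protocols, exactly as the Ldp steps above do, and reports whether the server rejected it with LDAP result code 8 (strongAuthRequired, the "Strong Authentication Required" / 0x2028 condition the text describes). The server name `dc01.example.com` is a placeholder. Because a simple bind over a non-SSL/TLS connection sends the password in cleartext, run the test with a dedicated low-privilege test account.

```powershell
# Added example, not part of the original article: test whether a directory
# server rejects cleartext simple binds, mirroring the Ldp procedure above.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Test-SimpleBindRejected {
    param(
        [Parameter(Mandatory)][string]$Server,
        [Parameter(Mandatory)][pscredential]$Credential
    )
    # Port 389, no SSL: the same settings as clearing "SSL" in the Ldp Connect dialog.
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection("${Server}:389")
    $conn.SessionOptions.ProtocolVersion = 3
    $conn.SessionOptions.SecureSocketLayer = $false
    # AuthType.Basic is an LDAP simple bind, as in the Ldp Bind dialog.
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Basic
    $conn.Credential = $Credential.GetNetworkCredential()
    try {
        $conn.Bind()
        # A successful cleartext simple bind means the directory still allows them.
        [pscustomobject]@{ Server = $Server; SimpleBindRejected = $false; Detail = 'Simple bind succeeded' }
    } catch {
        $ex = $_.Exception
        if ($ex -is [System.DirectoryServices.Protocols.LdapException]) {
            # LDAP result code 8 = strongAuthRequired; the server's diagnostic
            # text normally carries the 00002028 (ERROR_DS_STRONG_AUTH_REQUIRED) code.
            $rejected = ($ex.ErrorCode -eq 8)
            $detail   = "LDAP error $($ex.ErrorCode): $($ex.Message) $($ex.ServerErrorMessage)".Trim()
        } else {
            # Network or other failure: the result is inconclusive, not a rejection.
            $rejected = $false
            $detail   = "Bind did not complete: $($ex.Message)"
        }
        [pscustomobject]@{ Server = $Server; SimpleBindRejected = $rejected; Detail = $detail }
    } finally {
        $conn.Dispose()
    }
}

# Placeholder server name; supply a low-privilege test account when prompted.
$cred = Get-Credential -Message 'Test account for the simple-bind check (DOMAIN\username)'
Test-SimpleBindRejected -Server 'dc01.example.com' -Credential $cred
```

A result of `SimpleBindRejected = True` with result code 8 corresponds to the "Strong Authentication Required" message in Ldp; `False` with "Simple bind succeeded" corresponds to Ldp's "Authenticated as" output and means the server still accepts simple binds on a cleartext connection. A connection error is reported separately so that an unreachable server is not misread as a hardened one.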

When client computers make or attempt to make unsigned or simple connections to the directory, Event ID 2887 from source Microsoft-Windows-ActiveDirectory_DomainService is logged to the Directory Service log on the domain controller. If you do not see that event in the Directory Service log, client computers are not attempting to make unsigned or simple LDAP connections to the domain controller.
