Updated: November 25, 2009
Applies To: Windows Server 2008
Lightweight Directory Access Protocol (LDAP) is the standard protocol that directory clients use to gain access to data that is held by directory servers. LDAP supports a relatively simple set of operations, such as bind, unbind, read, and modify. LDAP is the primary interface to Active Directory Domain Services (AD DS), and it is responsible for packaging and interpreting LDAP packets over the network.
The following is a list of all aspects that are part of this managed entity:
Lightweight Directory Access Protocol (LDAP) communications between client computers and server computers can be encrypted with LDAP over Secure Sockets Layer (SSL) connections. You can configure Active Directory Domain Services (AD DS) and Active Directory Lightweight Directory Services (AD LDS) to support LDAP over SSL.
To enhance the security of directory servers, you can configure both Active Directory Domain Services (AD DS) and Active Directory Lightweight Directory Services (AD LDS) to require signed Lightweight Directory Access Protocol (LDAP) binds.
Unsigned network traffic is susceptible to replay attacks, in which an intruder intercepts an authentication attempt and the issue of a ticket. The intruder can reuse the ticket to impersonate the legitimate user. In addition, unsigned network traffic is susceptible to man-in-the-middle attacks, in which an intruder captures packets between the client computer and the server, modifies the packets, and then forwards them to the server. When this behavior occurs on an LDAP server, an attacker can cause a server to make decisions that are based on forged requests from the LDAP client.
Consider enhancing the security of your domain controllers by configuring them to reject simple LDAP bind requests and other bind requests that do not include LDAP signing.