In Microsoft’s March update for Windows, administrative options have been added to the Registry to improve LDAP security. Currently, by default, the LDAP server accepts unsigned Simple Authentication and Security Layer (SASL) LDAP binds and clear-text simple binds.
Allowing these binds leaves your network exposed to man-in-the-middle and replay attacks: an attacker positioned on the network path can intercept and retransmit packets in order to forge LDAP requests.
Microsoft recommends, as part of its best practices, configuring the LDAP server to reject unsigned binds and simple binds. This helps secure your network against such attacks.
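The following PowerShell script is an added example, not part of the original article or Microsoft's own tooling: it audits the signing requirement on a domain controller and, with `-Enforce`, applies the recommended setting. The article does not name the registry value; the script assumes `LDAPServerIntegrity` under the NTDS `Parameters` key, which is the value the "Domain controller: LDAP server signing requirements" policy writes, and it lists clients recorded in Directory Service event 2889 so that anything still binding unsigned can be fixed before enforcement.

```powershell
# Added example: audit, and optionally enforce, LDAP server signing on a domain controller.
# Assumes the LDAPServerIntegrity value (1 = None, 2 = Require signing) under the
# NTDS\Parameters key, which the "LDAP server signing requirements" policy writes.
# Run elevated on the DC; in production the same value is normally set via Group Policy.
param(
    [switch]$Enforce    # without this switch the script only reports
)

$ntdsKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$valueName = 'LDAPServerIntegrity'

function Get-LdapSigningRequirement {
    $item = Get-ItemProperty -Path $ntdsKey -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 1 }          # value absent: the server behaves as "None"
    return [int]$item.$valueName
}

function Format-LdapSigningRequirement([int]$value) {
    switch ($value) {
        1 { 'None: unsigned SASL binds and clear-text simple binds are accepted' }
        2 { 'Require signing: unsigned SASL binds and non-TLS simple binds are rejected' }
        default { "unrecognised value $value" }
    }
}

# Clients that would break under enforcement appear as Directory Service event 2889,
# which is only logged while "16 LDAP Interface Events" diagnostics is raised to 2.
function Get-RecentUnsignedBindClients([int]$Days = 7) {
    $filter = @{ LogName = 'Directory Service'; Id = 2889; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object { $_.Properties[0].Value } |   # first insertion string: client IP:port
        Sort-Object -Unique
}

$current = Get-LdapSigningRequirement
Write-Host ("LDAPServerIntegrity = {0} ({1})" -f $current, (Format-LdapSigningRequirement $current))

$clients = @(Get-RecentUnsignedBindClients)
if ($clients.Count -gt 0) {
    Write-Host 'Clients seen performing unsigned or clear-text binds in the last 7 days:'
    $clients | ForEach-Object { Write-Host "  $_" }
}

if ($Enforce) {
    if ($current -eq 2) { Write-Host 'Signing is already required; nothing to change.' }
    else {
        Set-ItemProperty -Path $ntdsKey -Name $valueName -Value 2 -Type DWord
        Write-Host 'LDAPServerIntegrity set to 2; the clients listed above must be fixed or their binds will fail.'
    }
}
```

Run it without `-Enforce` first and work through the listed clients; once the list is empty, `-Enforce` switches the server to reject unsigned and clear-text binds as the article recommends.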