LDAP Signing

Written by Donald Ross

Lab geek, Pi lover and retro arcade machine builder.

18th March 2020


In Microsoft’s March update for Windows, administrative options have been added in the Registry to improve security for LDAP. By default, the server currently accepts unsigned Simple Authentication and Security Layer (SASL) LDAP binds and clear-text simple binds.

Allowing these binds can make your network vulnerable as they can be exploited by man-in-the-middle and replay attacks. During an attack a malicious actor can intercept and retransmit packets in order to forge LDAP requests.

As part of its best practices, Microsoft recommends configuring the LDAP server to reject unsigned binds and simple binds. This will help secure your network against these attacks.
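Before rejecting these binds, it helps to know which clients still rely on them. The following read-only audit is an added example, not part of the original post: the registry value names and event ID 2889 come from Microsoft's LDAP signing documentation rather than from this page, and the seven-day look-back window is an arbitrary assumption.

```powershell
# Added example: read-only audit, run on a domain controller in an elevated session.
$ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS'

# LDAPServerIntegrity: 1 = signing not required (default), 2 = require signing.
$integrity = (Get-ItemProperty -Path "$ntds\Parameters" -Name 'LDAPServerIntegrity' `
    -ErrorAction SilentlyContinue).LDAPServerIntegrity
if ($integrity -eq 2) {
    'LDAP signing: REQUIRED (unsigned SASL binds and simple binds without TLS are rejected)'
} else {
    'LDAP signing: NOT required (unsigned SASL binds and clear-text simple binds are accepted)'
}

# Event 2889 (one entry per insecure bind) is only written when the
# "16 LDAP Interface Events" diagnostic level is 2 or higher.
$diagName = '16 LDAP Interface Events'
$diag = (Get-ItemProperty -Path "$ntds\Diagnostics" -Name $diagName `
    -ErrorAction SilentlyContinue).$diagName
if ($diag -lt 2) {
    "Diagnostic level for '$diagName' is below 2: per-client event 2889 is not being logged"
}

# List the clients that made unsigned or clear-text binds in the look-back window.
$since = (Get-Date).AddDays(-7)   # assumption: 7-day window
$filter = @{ LogName = 'Directory Service'; Id = 2889; StartTime = $since }

Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Event data: [0] client "IP:port", [1] identity used, [2] bind type (0 or 1).
        [pscustomobject]@{
            ClientIP = ([string]$_.Properties[0].Value) -replace ':\d+$', ''
            Identity = $_.Properties[1].Value
            BindType = if ([int]$_.Properties[2].Value -eq 1) { 'Simple (clear text)' }
                       else { 'Unsigned SASL' }
        }
    } |
    Group-Object ClientIP, Identity, BindType |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

An empty result with the diagnostic level at 2 or higher means no client in the window depended on unsigned or clear-text binds to this domain controller.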

