Windows 10: Secure Active Directory LDAP binding

Discuss and support Secure Active Directory LDAP binding in Windows 10 Software and Apps to solve the problem; We have On-prem Active Directory, users and applications are authenticated to access network resources. Please advise if there is a way to secure or... Discussion in 'Windows 10 Software and Apps' started by madinagotova, May 30, 2023.

  1. Secure Active Directory LDAP binding


    We have On-prem Active Directory; users and applications are authenticated to access network resources. Please advise if there is a way to secure or delegate AD LDAP bind only to specific admins or service accounts. Currently anyone with valid credentials can "bind" Active Directory and traverse through OUs and see all AD information. Is it possible to limit it to only Administrators and service accounts?

    :)
     
    madinagotova, May 30, 2023
    #1

  2. Security Advisory ADV190023 | Microsoft Guidance for Enabling LDAP Channel Binding and LDAP Signing

    I've been reviewing ADV190023 (which seems to indicate that insecure LDAP binds will no longer be permitted in Active Directory after January 2020). I made the changes to the Windows Registry on my Domain Controllers to get detailed logging information about applications/computers performing either simple LDAP binds or unsigned SASL binds.

    I found that the vast majority of the Event log entries were for OSX computers which were bound to AD and performing unsigned SASL binds. These generated Event ID 2889 in the Directory Service log. By my reading of the Security Advisory, unsigned SASL binds will no longer be permitted after January 2020, so I worked on making the MAC OSX machines use SSL when communicating to AD.

    I made the suggested registry changes on a Test Domain Controller; those changes supposedly will not allow simple LDAP binds or unsigned SASL binds. I tried the test which was specified with LDS and a simple bind, and that failed with a "requires a higher level of security" message, which is what was expected.

    However, even after configuring a MAC OSX computer to use SSL (I verified that it is using port 636 TCP to "talk" to the DC), I am getting Event ID 2889 in the Directory Service log indicating that the MAC is still using an unsigned SASL bind. The bind/login process works (I am able to successfully authenticate as an AD user on the MAC over SSL), but the continued error in the Event log bothers me.

    Key points:

    1. If I make the "don't allow insecure LDAP binds" changes on the DC and don't make any changes on the MAC, I am still able to bind/authenticate to AD from the MAC. The Security Advisory seems to indicate that this should fail, but my tests don't agree. Event ID 2889 is generated in the Directory Service Event Log.

    2. If I force the MAC to use SSL to talk to AD (after making the "don't allow insecure LDAP binds" change on the DC), I am able to bind/authenticate to AD from the MAC and I still get the 2889 entry in the DS Event Log. There doesn't seem to be any change in behavior from the Windows side.

    Am I misreading the Security Advisory? Or is there some other change (other than the three registry changes outlined in the Security Advisory) that needs to happen on the DC? I would like this to be a non-issue when Microsoft pushes this change out in January.
     
    FrancisSwipes, May 30, 2023
    #2
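The post above describes the standard inventory step before enforcing LDAP signing: raise the "LDAP Interface Events" diagnostic level on a domain controller and then review Event ID 2889 to see which clients and identities are still binding insecurely. The script below is an added example, not code from the thread or from Microsoft; it is run on a DC and summarises 2889 events by client, identity and bind type. The diagnostics key and value name (`HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics`, `16 LDAP Interface Events` = 2) are the ones documented in ADV190023; the order of the event's replacement strings (client address:port, identity, binding type, where 0 is a simple bind and 1 is an unsigned SASL bind) is an assumption to verify against an event on your own DC. Separating simple binds from unsigned SASL binds is what helps interpret a case like the poster's Mac, which is still showing up as SASL-without-signing even though it connects over port 636.

```powershell
<#
  Added example (not from the thread). Inventory insecure LDAP binds on a domain controller.
  Run elevated on the DC. -EnableLogging raises the diagnostic level so that one
  Event ID 2889 is written per insecure bind (the DC keeps logging the 24-hourly
  summary Event ID 2887 regardless).
#>
param(
    [int]$Hours = 24,          # look-back window for Event ID 2889
    [switch]$EnableLogging     # set "16 LDAP Interface Events" = 2 before reading
)

$diagKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'
$diagValue = '16 LDAP Interface Events'   # value name as documented in ADV190023

if ($EnableLogging) {
    Set-ItemProperty -Path $diagKey -Name $diagValue -Value 2 -Type DWord
    Write-Host "Set '$diagValue' to 2; per-bind Event ID 2889 logging is now on."
}

$since  = (Get-Date).AddHours(-$Hours)
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Directory Service'
    Id        = 2889
    StartTime = $since
} -ErrorAction SilentlyContinue   # Get-WinEvent errors when nothing matches

if (-not $events) {
    Write-Host "No Event ID 2889 entries in the Directory Service log since $since."
    return
}

$rows = foreach ($e in $events) {
    # Assumption: replacement string order is [0] client address:port,
    # [1] identity the client authenticated as, [2] binding type.
    $clientAddr = [string]$e.Properties[0].Value
    $identity   = [string]$e.Properties[1].Value
    $bindCode   = [string]$e.Properties[2].Value

    # Strip the trailing ":port" so IPv4 and IPv6 clients group by address.
    $client = if ($clientAddr -match '^(.*):(\d+)$') { $Matches[1] } else { $clientAddr }

    $bindType = switch ($bindCode) {
        '0'     { 'Simple bind (cleartext)' }
        '1'     { 'SASL bind without signing' }
        default { "Unknown ($bindCode)" }
    }

    [pscustomobject]@{
        Client   = $client
        Identity = $identity
        BindType = $bindType
        LastSeen = $e.TimeCreated
    }
}

# One line per (client, identity, bind type) with a count, busiest first.
$summary = $rows |
    Group-Object -Property Client, Identity, BindType |
    ForEach-Object {
        [pscustomobject]@{
            Count    = $_.Count
            Client   = $_.Group[0].Client
            Identity = $_.Group[0].Identity
            BindType = $_.Group[0].BindType
            LastSeen = ($_.Group | Sort-Object LastSeen -Descending)[0].LastSeen
        }
    } |
    Sort-Object Count -Descending

$summary | Format-Table -AutoSize
$summary   # also emit the objects so the caller can Export-Csv them
```

Run it as `.\Find-InsecureLdapBinds.ps1 -EnableLogging -Hours 72` once per DC (each DC logs only the binds it served), export the objects to CSV, and work through the list until it is empty before switching the DC to require signing; a client that keeps appearing with "SASL bind without signing" after it has been moved to LDAPS is exactly the situation the poster describes, and the identity column tells you which account and therefore which machine or application to look at.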
  3. Security update - 2020 LDAP channel binding and LDAP signing requirement for Windows

    I have a question related to the security update (2020 LDAP channel binding and LDAP signing requirement for Windows) described in https://support.microsoft.com/en-us...ding-and-ldap-signing-requirement-for-windows

    Is there a way to configure the domain controller, so that even if secure binding becomes enabled by default, application servers (sending the windows credentials to domain controller) can override that in some way to support simple binding?
     
    AntoniosIM, May 30, 2023
    #3
  4. Secure Active Directory LDAP binding

    Security update - 2020 LDAP channel binding and LDAP signing requirement for Windows

    Hi AntoniosIM,

    This will not be supported; please read the article below:

    https://techcommunity.microsoft.com/t5/core-inf...

    If LDAP Channel Binding is enabled, Simple Binding will not be allowed.

    I hope this answers your question.
     
    c12f15dc-7bff-4426-b6c1-6cd384eeb051, May 30, 2023
    #4