Lightweight Directory Access Process (LDAP) is a user authentication process developed for directory services. This protocol is usually used by applications for searching resource information such as users and different system components. LDAP identifies a client’s properties with servers such as Active Directory, OpenLDAP, and Open DJ. It was first introduced in 1993 and since 1997 LDAP 3rd version is the Internet standard for directory services. LDAP configuration is important for security hardening and compliance.
In the common scenario, the client is a system or application requesting information access from a database in an LDAP server. The LDAP database can store not only usernames and passwords but other attributes such as an address, phone number, and other core user identities therefore LDAP configuration should be managed and enforced.
This blog post will cover:
- what is LDAP authentication configuration?
- what is LDAP channel binding configuration?
- what is LDAP signing configuration?
- how to enable LDAP signing?
- LDAP signing and channel binding requirements.
- How to configure LDAP for max security hardening.
What is LDAP authentication (LDAP simple bind)?
A good example to understand LDAP authentication is when an employee wants to connect the organizational network. Since most operations, in this case, will be when the employee is logging in the network, the most frequently used function will be ‘read’. The LDAP protocol is designed to handle an enormous amount of read operations.
There are two main components in the LDAP authentication mechanism:
- LDAP Directory Server Setup – where the employee profile details are stored (username and password in this case).
- LDAP client – the employee’s computer. It should have an LDAP client option setup. If the employee is going to authenticate through a web application, then the server hosting the application must be configured with an LDAP client.
LDAP authentication process has two stages:
- Identifying the user’s directory attribute – The user entry is identified by its distinguished name (DN), which is the path to its details. In the first stage of the authentication, the user must obtain its DN and password. The user name usually requested in the login form is used to find the user’s DN. A function called DN Resolution takes the user name (or email in some cases) and runs a search to find all the user entries to find his DN. Once the correct user DN is resolved, the next step is to validate the user’s password.
- Password validation – The user’s password is checked by a command called ‘bind’. The LDAP directory server receives a request to authenticate the user bypassing its DN and password. If the credentials are correct, the directory server returns success, and the connection is established.
What is LDAP channel binding?
When talking about channel binding it is usually referred to as binding the transport layer to the application layer.
LDAP channel binding is a method developed to increase security in communication with Active Directory (AD). LDAP channel binding lowers the chances for replay and man-in-the-middle attacks. The binding is between the LDAP application layer and the TLS tunnel. Binding these two will create a unique LDAP communication fingerprint. This unique fingerprint is important for security hardening since any interference to the communication will affect the fingerprint and can be detected.
Using LdapEnforceChannelBinding for LDAP TLS channel binding configuration:
The first step in the process is to install the security update – CVE-2017-8563. Then, create the LdapEnforceChannelBindings registry entry. Note – Modifying the registry incorrectly will cause severe damage. Make sure you know what you’re doing before modifying it and consider backing up the registry before for extra precaution. These are the paths for changing the registry settings:
For Active Directory Domain Services:
For Active Directory Lightweight Directory servers:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\<LDS instance name>\Parameters
DWORD value 0 = channel binding is disabled.
DWORD value 1 = channel binding is enabled, but clients using Windows that have not been updated to support channel binding, do not have to do so.
DWORD value 2 = channel binding is always enabled. All clients must support channel binding.
What is LDAP signing?
LDAP signing is also a way to increase LDAP security hardening. The signing process refers to a digital signing of the LDAP traffic that is done by the traffic source (client). LDAP signing blocks attackers from altering the LDAP traffic during transit (like in Reply and Man-in-the-Middle attacks). Using LDAP signing guarantees information integrity and enables verification of the source of the information. You must configure both the Domain Controllers and clients to enable LDAP signing for it to work.
LDAP signing is a feature of the Simple Authentication and Security Layer (SASL). SASL provides several mechanisms to increase the security of an LDAP connection, including user authentication, anti-tampering (message signing), and confidentiality (encryption). SASL is a communication layer that operates within LDAP on the default AD data ports (TCP port 389 and TCP port 3268)
How to Enable LDAP Signing configuration:
For enabling LDAP signing in the server and the client you can either use Group Policy Object (GPO) or a registry key.
How to configure a server LDAP signing GPO:
- Go to ‘Default Domain Controller Policy’ > ‘Computer Configuration’ > ‘Policies’ > ‘Windows Settings’ > ‘Security Settings’ > ‘Local Policies’, and then select ‘Security Options’.
- Right-click ‘Domain controller: LDAP server signing requirements’, and select Properties.
- Enable ‘Define this policy setting’, select ‘Require signing’ in the ‘Define this policy setting list’, and then select OK.
How to configure LDAP Singing at a client’s local computer policy:
- Go to ‘Local Computer Policy’ > ‘Computer Configuration’ > ‘Policies’ > ‘Windows Settings’ > ‘Security Settings’ > ‘Local Policies’ and select ‘Security Options’.
- Right-click ‘Network security: LDAP client signing requirements’ and select ‘Properties’.
- In the dialog box, select ‘Require signing’ in the list, and then select OK.
How to configure a server LDAP signing using a registry key:
Note! We recommend backing up your registry before pushing any changes, as mistakes can have devastating results.
You need to create an LDAPServerIntegrity registry entry of the REG_DWORD type under the following registry subkey:
*instance name= the name of the AD LDS you want to configure.
LDAP Signing and LDAP Channel binding requirements:
At the end of 2019, Microsoft released a note saying that from March 2020, enabling LDAP signing and channel binding will be a part of LDAP policy. The goal for this move was to increase LDAP communication security, but the chances for organizations to completely comply with this update were low. Therefore, Microsoft decided to postpone the update (and never set a new date for the update):
“Important The March 10, 2020, and updates in the foreseeable future will not make changes to LDAP signing or LDAP channel binding policies or their registry equivalent on new or existing domain controllers.”
How to configure domain controller for max LDAP security hardening:
To improve the security of your directory server you can implement several configuration rules. These rules are best practices, and recommended also by the Center for Internet Security (CIS):
- Ensure ‘LDAP server signing requirements’ is set to ‘Require signing’. – This policy setting will make clients use data signing.
- Ensure ‘Extended Protection for LDAP Authentication (Domain Controllers only)’ is set to ‘Enabled: Enabled (recommended: always) – this setting controls LDAP authentication over SSL/TLS.
- Ensure ‘Network security: LDAP client signing requirements’ is set to ‘Negotiate signing’ or higher – this policy sets the level of signing requested by the client who issues LDAP request.
LDAP configuration and the MITRE ATT&CK framework
Configuring LDAP for optimal security is a recommended best practice by the MITRE ATT&CK framework stating few techniques and mitigations
T1087– Adversaries may attempt to get a listing of domain accounts. This information can help adversaries determine which domain accounts exist to aid in follow-on behavior such as targeting specific accounts which possess particular privileges. Commands such as
net user /domain and
net group /domain of the Net utility,
dscacheutil -q groupon macOS, and
ldapsearch on Linux can list domain users and groups. PowerShell cmdlets including
Get-ADGroupMember may enumerate members of Active Directory groups.
T1482- MITRE ATTACK framework clasify LDAP configuration settings under the technique- Domain Trust Discovery– , stating that Adversaries may attempt to gather information on domain trust relationships that may be used to identify lateral movement opportunities in Windows multi-domain/forest environments. Domain trusts can be enumerated using LDAP. the Windows utility Nltest is known to be used by adversaries to enumerate domain trusts.
Changing configurations as part of server hardening is critical for security but may cause severe damage. We strongly recommend using automation to prevent any possible outages in your production. The alternative for automation is using manual tools (GPO for example), testing the impact of the change in a lab environment, and hoping you covered all possible scenarios. By using automation in hardening, you will not be needing to test. You will get a full impact report to help you make the best decision for both security and operations. To find out more about hardening automation, continue your reading here.