20 years ago, I embarked on the fantastical journey that was migrating from NT4 to Active Directory. This is also when I began learning the power of LDAP. While it was technically available, very few companies implemented secure LDAP in the early days. Most enterprise applications or internal applications took advantage of the directory (and in a wide variety of ways), but unfortunately, many of us focused on the “make it work” philosophy, rather than “make it secure”.
Today, the idea of applications communicating over nonsecure channels is unthinkable to most. For the last 5-7 years, companies have been trying to put the genie of non-secured LDAP communication back in the bottle we opened at the dawn of Active Directory. The challenge is daunting because no one understands what siloed groups, applications, integrations, or teams are using the directory, how they use it, the frequency, and most importantly if their traffic is secure or not secure. While there are ways to audit LDAP traffic, it is rarely used due to performance reasons. As a result, organizations are blind to the problem as it has rapidly spread unchecked like weeds in a garden.
In March 2020, Microsoft will release a patch to require LDAP channel binding by default. This change is to improve the security of network communications. When network traffic is sent with no signing, encryption, or network verification, it can be leveraged by an attacker to perform a man-in-the-middle attack.
Yes, the genie will be back in the bottle! It’s just like when flash support was removed from browsers or Google Chrome began shaming websites for not using TLS. Admins are in a panic about being forced to rapidly fix a problem we let fester for far too long. Our fear is justifiable as we are all concerned about how this will impact the business because essentially, we don’t know what is going to break.
For those old enough, you may be having flashbacks of Y2K all over again. Luckily, Microsoft did provide some assistance to prepare for this change that allows you to detect non-signed LDAP binds via Event ID 2886. When configured, a Domain Controller will indicate how many unsigned binds it received (every 24 hours). If you enable the diagnostic LDAP interface events, you can also get details on which clients the non-signed LDAP binds are coming from via event 2889. Event 2889 includes the client IP and account name used for the connection.
What I have learned over the last several years in helping customers audit LDAP is that the goals (while broad) often center around improved security and performance:
What really made the difference was the ability to show a customer the details of LDAP queries performed. The reason this is so valuable is because seeing what is being looked up specifically and the frequency of these lookups, points them to a specific application or resource much quicker. The directory team and server/application owners easily decipher what it is based on some known behavior (e.g. the query is only ever looking for Fax numbers, therefore it’s highly likely the requestor is the company’s Fax application).
With StealthINTERCEPT for LDAP, organizations looking to audit LDAP activity can achieve the level of visibility required to answer these questions quickly and efficiently.
With little time to spare, we’d like to offer a helping hand. Regardless of whether or not you’re a Stealthbits customer, visit us and let us know if you’d like to take advantage of StealthINTERCEPT and the visibility it can provide. There’s no obligation!
Rod Simmons is VP of Product Strategy at STEALTHbits Technologies responsible for the vision and strategy of their Active Directory Management and Security solutions. Rod has been in the technology space for over 20 years.
Prior to joining STEALTHbits, he served as Director of Product Management at BeyondTrust responsible for the Privileged Access Management products. He has also held positions leading Solution Architects and Product Managers at Quest Software and Netpro Computing Inc.
Learn why Active Directory security should be a priority for your organization and ways to mitigate against a data breach with this free white paper!Read more
Start a Free Stealthbits Trial!
No risk. No obligation.