DataSource Spotlight: Proactive Visibility of LDAP Security


At LogicMonitor, we believe our platform enables our customers to See More, Know More, and Do More, to keep up with the rapid pace of change in business today. The following is an interesting use case that illustrates how LogicMonitor can provide quick insight to enable modern IT teams to work proactively and perform at maximum operational efficiency:

In December of 2019, Microsoft published a release announcing upcoming changes to LDAP channel binding and LDAP signing requirements for domain controllers:

There is a vulnerability in the default configuration for Lightweight Directory Access Protocol (LDAP) channel binding and LDAP signing that may expose Active Directory domain controllers to elevation of privilege vulnerabilities. Microsoft Security Advisory ADV190023 addresses the issue by recommending that administrators enable LDAP channel binding and LDAP signing on Active Directory Domain Controllers. This hardening must be done manually until the release of the security update that will enable these settings by default.

Microsoft has subsequently announced its intent to release a security update via Windows Update – to enable LDAP channel binding and LDAP signing hardening changes – and anticipates this update will be available in March 2020.

This is a good thing(!), as one Microsoft blogger puts it:

If I told you that there was a 90% plus chance that your Domain Controllers allowed receiving credentials in clear text over your network, you probably wouldn’t believe me. If I went a step further and told you that nearly half of the customers I visit for AD security assessments not only allowed them, but had extremely privileged accounts such as Domain Admins credentials traversing the network in clear text, you would probably think “that wouldn’t happen on my network”. Well, that’s what they all told me too 🙂

As you’re (hopefully!) aware, good security requires preparation, and this particular change means Windows administrators will want to configure servers before the patch is deployed and applied. If you’re managing hundreds (or even dozens) of servers, identifying which resources need attention could be a time-consuming proposition. Luckily, we have a few methods to look for vulnerable domain controllers.

With that in mind, we can use the LogicMonitor platform to See and Know which resources we need to Do something about. Using available monitoring templates I came up with the LogicMonitor DataSource Win_LDAP_Binding_Security, which uses PowerShell (specifically, Get-WinEvent) to comb through the first 10,000 events of the Directory Services log for the presence of events with Event IDs 2886 and 2887 and generates an alert if it finds anything.

Which, again, means:

  • If any of your Domain Controllers have the 2886 event present, that DC is not enforcing LDAP signing, and a simple (clear text) LDAP bind can be performed over an unencrypted connection.
  • Our next port of call is the 2887 event. This event occurs every 24 hours and reports how many unsigned and clear text binds have occurred against this DC. If any of those numbers are greater than zero, you have some homework to do.

LDAP Checks within LogicMonitor
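To show what the check described above looks like in practice, here is an added PowerShell example that is not the Win_LDAP_Binding_Security DataSource itself: it pulls events 2886 and 2887 from the Directory Service log with Get-WinEvent, parses the bind counts out of the newest 2887 message, and flags the DC if signing is not enforced or any unsigned or clear-text binds were reported. It assumes it runs with rights to read the log on the DC, and the "Number of ... binds" phrases it matches are taken from Microsoft's documented 2887 event text.

```powershell
# Added example, not LogicMonitor's DataSource code. Assumes rights to read the
# Directory Service log on the target DC and that the 2887 message text contains
# the "Number of ... binds performed without ..." lines as Microsoft documents them.
function Get-LdapBindSecurityStatus {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]$MaxEvents = 10000   # same event window the post's DataSource scans
    )
    $filter = @{ LogName = 'Directory Service'; Id = 2886, 2887 }
    try {
        $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter `
                               -MaxEvents $MaxEvents -ErrorAction Stop
    } catch {
        # Get-WinEvent raises an error when nothing matches; treat that as "no findings".
        if ($_.Exception.Message -match 'No events were found') { $events = @() } else { throw }
    }

    # 2886 present at all => LDAP signing is not being enforced on this DC.
    $signingNotEnforced = [bool]($events | Where-Object Id -eq 2886)

    # 2887 fires once per 24h; use only the newest one so counts are not summed across days.
    $latest2887 = $events | Where-Object Id -eq 2887 |
                  Sort-Object TimeCreated -Descending | Select-Object -First 1
    $cleartext = 0; $unsigned = 0; $lastSeen = $null
    if ($latest2887) {
        $lastSeen = $latest2887.TimeCreated
        if ($latest2887.Message -match 'simple binds performed without SSL/TLS:\s*(\d+)') {
            $cleartext = [int]$Matches[1]
        }
        if ($latest2887.Message -match 'binds performed without signing:\s*(\d+)') {
            $unsigned = [int]$Matches[1]
        }
    }

    [pscustomobject]@{
        ComputerName       = $ComputerName
        SigningNotEnforced = $signingNotEnforced
        ClearTextBinds24h  = $cleartext
        UnsignedBinds24h   = $unsigned
        Last2887Event      = $lastSeen
        NeedsAttention     = ($signingNotEnforced -or $cleartext -gt 0 -or $unsigned -gt 0)
    }
}

# Emit key=value lines, the form a script-based collector can pick up (assumed layout).
$status = Get-LdapBindSecurityStatus
foreach ($p in $status.PSObject.Properties) { "$($p.Name)=$($p.Value)" }
```

Pass -ComputerName to run the same check against a remote DC; NeedsAttention is the single value to alert on, while the two counts tell you how much follow-up the hardening will require.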

By utilizing readily available platform resources and providing rapid insight and visibility into a potentially significant security vulnerability in the network, LogicMonitor enables IT teams to take quick, proactive measures to protect their organizations, as well as those of their customers. If you want to learn more, visit the LogicMonitor Communities page, connect with your customer success manager, or attend a weekly demo to see LogicMonitor in action!