This policy setting determines whether the Lightweight Directory Access Protocol (LDAP) server requires LDAP clients to negotiate data signing. Vulnerability: Unsigned network traffic is susceptible to man-in-the-middle attacks. In such attacks, an intruder captures packets between the server and the client, modifies them, and then forwards them to the client. Where LDAP servers are concerned, an attacker could cause a client to make decisions that are based on false records from the LDAP directory. To lower the risk of such an intrusion in an organization's network, you can implement strong physical security measures to protect the network infrastructure. Also, you could implement Internet Protocol security (IPsec) authentication header mode (AH), which performs mutual authentication and packet integrity for IP traffic to make all types of man-in-the-middle attacks extremely difficult. Counter Measure: Configure the Domain controller: LDAP server signing requirements setting to Require signature. Potential Impact: Clients that do not support LDAP signing will be unable to run LDAP queries against the domain controllers. All Windows 2000 -based computers in your organization that are managed from Windows Server 2003 -based or Windows XP -based computers and that use Windows NT Challenge/Response (NTLM) authentication must have Windows 2000 Service Pack 3 (SP3) installed. Alternatively, these clients must have a registry change. For information about this registry change, see article "Windows 2000 domain controllers require SP3 or later when using Windows Server 2003 administration tools" (http://support.microsoft.com/en-us/kb/325465). Also, some non-Microsoft operating systems do not support LDAP signing. If you enable this policy setting, client computers that use those operating systems may be unable to access domain resources. Fix: (1) GPO: Computer ConfigurationWindows SettingsSecurity SettingsLocal PoliciesSecurity OptionsDomain controller: LDAP server signing requirements (2) REG: HKEY_LOCAL_MACHINESystemCurrentControlSetServicesNTDSParameters!ldapserverintegrity

[none/require_signing]

(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Domain controller: LDAP server signing requirements (2) REG: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters!ldapserverintegrity