CCE

CCE-46228-3

Platform: win2016
Date: (C)2017-08-03 (M)2018-01-30



"Domain controller: LDAP server signing requirements"

This policy setting determines whether the Lightweight Directory Access Protocol (LDAP) server requires LDAP clients to negotiate data signing.

Vulnerability: Unsigned network traffic is susceptible to man-in-the-middle attacks. In such attacks, an intruder captures packets between the server and the client, modifies them, and then forwards them to the client. Where LDAP servers are concerned, an attacker could cause a client to make decisions that are based on false records from the LDAP directory. To lower the risk of such an intrusion in an organization's network, you can implement strong physical security measures to protect the network infrastructure. Also, you could implement Internet Protocol security (IPsec) authentication header mode (AH), which performs mutual authentication and packet integrity for IP traffic to make all types of man-in-the-middle attacks extremely difficult.

Counter Measure: Configure the Domain controller: LDAP server signing requirements setting to Require signature.

Potential Impact: Clients that do not support LDAP signing will be unable to run LDAP queries against the domain controllers. All Windows 2000-based computers in your organization that are managed from Windows Server 2003-based or Windows XP-based computers and that use Windows NT Challenge/Response (NTLM) authentication must have Windows 2000 Service Pack 3 (SP3) installed. Alternatively, these clients must have a registry change. For information about this registry change, see article "Windows 2000 domain controllers require SP3 or later when using Windows Server 2003 administration tools" (http://support.microsoft.com/en-us/kb/325465). Also, some non-Microsoft operating systems do not support LDAP signing. If you enable this policy setting, client computers that use those operating systems may be unable to access domain resources.


Parameter: ldapserverintegrity


Technical Mechanism: Fix:
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
(2) REG: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters!ldapserverintegrity
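The following PowerShell script is an added example, not part of the SecPod CCE entry and not SecPod's own tooling. It audits the registry value named in the fix above on a domain controller, reports whether the DC meets CCE-46228-3, and, before enforcement, surfaces the clients that would be affected by the "Potential Impact" described above. It assumes it runs elevated on the domain controller itself; the function names are chosen for this example. The value semantics (1 = None, 2 = Require signature) and the Directory Service events 2887/2889 come from Microsoft's LDAP signing documentation, not from this page.

```powershell
# Added example (not from the CCE entry): audit and optionally remediate CCE-46228-3.
# Assumption: runs elevated on the domain controller being checked.
# LDAPServerIntegrity semantics: 1 = None, 2 = Require signature.

$RegPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$ValueName = 'LDAPServerIntegrity'
$Required  = 2

function Get-LdapServerSigningState {
    # Returns the current DWORD, or $null when the value is absent (DC falls back to None).
    $item = Get-ItemProperty -Path $RegPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

function Test-Cce46228 {
    # Compliance verdict for the control: compliant only when signing is required (2).
    $state = Get-LdapServerSigningState
    [pscustomobject]@{
        CCE       = 'CCE-46228-3'
        Value     = $state
        Compliant = ($state -eq $Required)
    }
}

function Get-UnsignedBindEvents {
    # Impact check before enforcing: event 2887 is a daily summary of binds that did not
    # request signing; event 2889 names each such client once the "16 LDAP Interface Events"
    # diagnostic level (HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics) is set to 2.
    param([int]$Days = 1)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Directory Service'
        Id        = 2887, 2889
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
}

function Set-LdapServerSigningRequired {
    # Remediation from the entry's fix (2): set the value to Require signature.
    # A Group Policy setting under Security Options overrides this at the next refresh,
    # so the GPO path in fix (1) is the durable place to set it.
    New-ItemProperty -Path $RegPath -Name $ValueName -Value $Required `
        -PropertyType DWord -Force | Out-Null
}

# Audit run: report the verdict and, if non-compliant, list clients that still bind unsigned.
$result = Test-Cce46228
$result | Format-List
if (-not $result.Compliant) {
    Write-Warning "LDAP server signing not required (current value: $($result.Value)). Unsigned binds seen recently:"
    Get-UnsignedBindEvents -Days 1 | Format-Table -AutoSize
}
```

Run the audit first and resolve every client listed in the 2889 events (or confirm the 2887 counts are zero); only then call Set-LdapServerSigningRequired or, preferably, set "Domain controller: LDAP server signing requirements" to Require signature in the GPO, so that the potential impact on legacy clients is known before the enforcement takes effect.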

References:

Resource        Id/Reference
SCAP Repo       OVAL Definition oval:org.secpod.oval:def:40205

OVAL (1):
oval:org.secpod.oval:def:40205

XCCDF (2):
xccdf_org.secpod_benchmark_general_Windows_Server_2016
xccdf_org.secpod_benchmark_HIPAA_45CFR_164_Windows_Server_2016

© 2013 SecPod Technologies