|Platform: win2016||Date: (C)2017-08-03 (M)2018-11-15|
"Network security: LDAP client signing requirements"
This policy setting determines the level of data signing that is requested on behalf of clients that issue LDAP BIND requests, as follows:
- None. The LDAP BIND request is issued with the caller-specified options.
- Negotiate signing. If Transport Layer Security/Secure Sockets Layer (TLS/SSL) has not been started, the LDAP BIND request is initiated with the LDAP data signing option set in addition to the caller-specified options. If TLS/SSL has been started, the LDAP BIND request is initiated with the caller-specified options.
- Require signature. This level is the same as Negotiate signing. However, if the LDAP server's intermediate saslBindInProgress response does not indicate that LDAP traffic signing is required, the caller is told that the LDAP BIND command request failed.
Note: This policy setting does not have any impact on ldap_simple_bind or ldap_simple_bind_s. No Microsoft LDAP clients that are included with Windows XP Professional use ldap_simple_bind or ldap_simple_bind_s to communicate with a domain controller.
The possible values for the Network security: LDAP client signing requirements setting are:
- Negotiate signing
- Require signature
- Not Defined
Unsigned network traffic is susceptible to man-in-the-middle attacks in which an intruder captures the packets between the client and server, modifies them, and then forwards them to the server. For an LDAP server, this susceptibility means that an attacker could cause a server to make decisions that are based on false or altered data from the LDAP queries. To lower this risk in your network, you can implement strong physical security measures to protect the network infrastructure. Also, you can make all types of man-in-the-middle attacks extremely difficult if you require digital signatures on all network packets by means of IPsec authentication headers.
Configure the Network Security: LDAP server signing requirements setting to Require signature.
If you configure the server to require LDAP signatures you must also configure the client. If you do not configure the client it will not be able to communicate with the server, which could cause many features to fail, including user authentication, Group Policy, and logon scripts.
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
(2) REG: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LDAP!LDAPClientIntegrity
|SCAP Repo OVAL Definition||oval:org.secpod.oval:def:40291|