Look at your DC Event log for Event ID 2886 and 2887 in your Directory Service log.
If Event ID
2886 is logged, it indicates that LDAP signing is not being enforced by your
DC!
The second
Event ID 2887 occurs every 24 hours and will report how many unsigned / clear
text binds has occurred to your DC.
How do we
get the systems that performing such binds?
We need to
set our logging, so we can get a new Event with the ID 2889 logged. With that
event we can see the IPs and accounts that are binding insecurely.
Set Simple
LDAP Bind Logging:
Set-ItemProperty
-Path 'HKLM:SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics' -Name '16 LDAP
Interface Events' -Value "2"
Later use
this PS command to disable Simple LDAP Bind Logging:
Set-ItemProperty
-Path 'HKLM:SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics' -Name '16 LDAP
Interface Events' -Value "0"
After
enabling, we can see the event in our Directory Services log.
To get an
overview about that events you can use the following script:
Query-InsecureLDAPBinds.ps1
Just change the last part to only get unique entries:
$InsecureLDAPBinds | Sort-Object -Unique -Property User,Ipaddress| Export-CSV -NoTypeInformation .\InsecureLDAPBinds.csv
Just change the last part to only get unique entries:
$InsecureLDAPBinds | Sort-Object -Unique -Property User,Ipaddress| Export-CSV -NoTypeInformation .\InsecureLDAPBinds.csv
The script
exports a CSV from the specified domain controller containing all unsigned and
Clear-text LDAP binds made to the DC by extracting Event 2889 from the
"Directory Services" event log.
Example
execution to get all insecure binds happening in the last 24 hours for DC01:
.\Query-InsecureLDAPBinds.ps1
-computername DC01 -Hours 24
The output
.CSV will include IP Addresses, Ports, Username and the binding type.
"IPAddress","Port","User","BindType"
"10.120.0.88","60966","TIM\ldapuser","Simple"
"10.120.1.110","65445","TIM\ldapuser2","Simple"
