2.3.11.8 Ensure 'Network security: LDAP client signing requirements' is set to 'Negotiate signing' or higher

Information

This policy setting determines the level of data signing that is requested on behalf of clients that issue LDAP BIND requests.

The recommended state for this setting is: Negotiate signing. Configuring this setting to Require signing also conforms to the Benchmark.

Note: This policy setting does not have any impact on LDAP simple bind (ldap_simple_bind) or LDAP simple bind through SSL (ldap_simple_bind_s). No Microsoft LDAP clients that are included with Windows XP Professional use ldap_simple_bind or ldap_simple_bind_s to communicate with a Domain Controller.

Unsigned network traffic is susceptible to man-in-the-middle attacks in which an intruder captures the packets between the client and server, modifies them, and then forwards them to the server. For an LDAP server, this susceptibility means that a threat actor could cause the server to make decisions based on false or altered data from the LDAP queries. To lower this risk on a network, implement strong physical security measures to protect the network infrastructure. Requiring digital signatures on all network packets by means of IPsec authentication headers also makes all types of man-in-the-middle attacks extremely difficult.

Solution

To establish the recommended configuration via GP, set the following UI path to Negotiate signing or Require signing:

Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Network security: LDAP client signing requirements
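As an added example (not part of the CIS Benchmark or the Tenable audit text), the following PowerShell audits the effective value of this setting on a host and reports pass/fail against this item. It assumes the policy is backed by the registry value LDAPClientIntegrity under HKLM\SYSTEM\CurrentControlSet\Services\LDAP (0 = None, 1 = Negotiate signing, 2 = Require signing), which this page does not state, and that an absent value means the Windows default of Negotiate signing.

```powershell
# Added example, not CIS/Tenable code. Assumption: the security option
# 'Network security: LDAP client signing requirements' is stored in the
# DWORD LDAPClientIntegrity (0 = None, 1 = Negotiate signing, 2 = Require
# signing); when the value is absent the Windows default (1) applies.
function Test-LdapClientSigning {
    [CmdletBinding()]
    param(
        [string]$RegPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\LDAP',
        [string]$ValueName = 'LDAPClientIntegrity'
    )
    $levels = @{ 0 = 'None'; 1 = 'Negotiate signing'; 2 = 'Require signing' }

    $item = Get-ItemProperty -Path $RegPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        $raw    = 1                       # value absent: assumed Windows default
        $source = 'default (value absent)'
    } else {
        $raw    = [int]$item.$ValueName
        $source = 'registry'
    }

    $level = if ($levels.ContainsKey($raw)) { $levels[$raw] } else { "Unknown ($raw)" }

    # CIS 2.3.11.8 passes for Negotiate signing (1) or Require signing (2).
    $compliant = ($raw -eq 1) -or ($raw -eq 2)

    $note = if ($raw -eq 2) {
        'Require signing is stricter than the recommended state; confirm LDAP servers accept signed binds, otherwise BIND requests will fail (see Impact).'
    } elseif (-not $compliant) {
        'Non-compliant: set the policy to Negotiate signing or Require signing via the GPO path above.'
    } else {
        'Compliant with the recommended state.'
    }

    [pscustomobject]@{
        Control   = '2.3.11.8'
        Setting   = 'Network security: LDAP client signing requirements'
        RawValue  = $raw
        Level     = $level
        Source    = $source
        Compliant = $compliant
        Note      = $note
    }
}

Test-LdapClientSigning | Format-List
```

Run it in an elevated PowerShell session after a `gpupdate /force` so that the registry reflects the currently applied Group Policy rather than a stale local value.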

Impact:

None - this is the default behavior.

However, if the option to require LDAP signatures is selected, then the client must also be configured. If the client is not configured, it will not be able to communicate with the server, which could cause many features to fail, including user authentication, Group Policy, and logon scripts, because the caller will be told that the LDAP BIND command request failed.

See Also

https://workbench.cisecurity.org/benchmarks/26296

Item Details

Category: ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|AC-17(2), 800-53|IA-5, 800-53|IA-5(1), 800-53|SC-8, 800-53|SC-8(1), CSCv7|12.5

Plugin: Windows

Control ID: 2630dc4973a0bfe6f02eac8e647730e2e1eebb21d3315a026233168f2412cc83