NSSPlus WHITE PAPER: Lightweight Directory Access Protocol (LDAP) Signing Configuration

   by Kwame A. Thomas, CISSP

Overview
The purpose of this white paper is to discuss the security issues associated with lowering a Domain controller's Lightweight Directory Access Protocol (LDAP) data signing policy, from "Require Signing" to "None".

Analysis and Findings
The "Domain controller: LDAP server signing requirements" policy determines whether an LDAP server requires LDAP clients to negotiate data signing. Data signing protects LDAP traffic from man-in-the-middle attacks, in which packets sent between server and client are captured, modified and then forwarded to the server. Configuring the LDAP signing setting to "None" will result in any LDAP traffic initiated by the Domain controller being transmitted unsigned to any other Domain controller or client, thereby elevating the risk of such attacks.

Related to this issue: While LDAP signing on the client side may be enabled by itself, through the local computer policy "Network security: LDAP client signing requirements", doing so may be problematic in terms of authentication to an LDAP server. The policy "Network security: LDAP client signing requirements" references the "bind" request process; binding is the operation of identifying and authenticating to an LDAP server. A "bind" request may fail if a client that requires data signing attempts to "bind" to an LDAP server that does not have the "Domain controller: LDAP server signing requirements" policy enforced. In such a situation, the server may issue a challenge response (saslBindInProgress) indicating that data signing is not required, thereby causing the "bind" process to fail (see Microsoft Article ID# 823659).

Summary
If LDAP traffic is not being sent with the use of Transport Layer Security/Secure Sockets Layer (TLS/SSL), then allowing any unsigned LDAP communication between Domain controllers and clients increases the risk of exposure to man-in-the-middle attacks. Furthermore, to avoid any authentication issues, Domain controllers and clients should also have synchronized data signing requirements.
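As an added illustration that is not part of this white paper, the following PowerShell script audits the two settings discussed above on a Windows host and flags the risky "None" server setting and the mismatched client/server cases. It assumes the registry values that back the two Group Policy settings (LDAPServerIntegrity under the NTDS service and LDAPClientIntegrity under the LDAP service) and the Directory Service event 2887 that Domain controllers log to summarize unsigned binds; the server-side value only exists on a Domain controller.

```powershell
# Added example, not NSSPlus code: audit LDAP signing posture on a Windows host.
# Assumed registry backing for the two policies discussed in the paper:
#   "Domain controller: LDAP server signing requirements" -> LDAPServerIntegrity (1 = None, 2 = Require signing)
#   "Network security: LDAP client signing requirements"  -> LDAPClientIntegrity (0 = None, 1 = Negotiate signing, 2 = Require signing)
# Run from an elevated PowerShell session.

function Get-LdapSigningPosture {
    $serverKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $clientKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LDAP'

    $serverNames = @{ 1 = 'None'; 2 = 'Require signing' }
    $clientNames = @{ 0 = 'None'; 1 = 'Negotiate signing'; 2 = 'Require signing' }

    # A missing value means the policy was never set; fall back to the Windows defaults.
    $server = (Get-ItemProperty -Path $serverKey -Name LDAPServerIntegrity -ErrorAction SilentlyContinue).LDAPServerIntegrity
    $client = (Get-ItemProperty -Path $clientKey -Name LDAPClientIntegrity -ErrorAction SilentlyContinue).LDAPClientIntegrity
    if ($null -eq $server) { $server = 1 }   # default server setting: None
    if ($null -eq $client) { $client = 1 }   # default client setting: Negotiate signing

    $findings = @()
    if ($server -eq 1) {
        $findings += 'Server policy is "None": unsigned LDAP traffic is accepted (man-in-the-middle exposure unless TLS/SSL is used).'
    }
    if ($client -eq 2 -and $server -ne 2) {
        $findings += 'Client requires signing but server does not: binds from hosts with this client policy may fail (KB 823659).'
    }
    if ($server -eq 2 -and $client -eq 0) {
        $findings += 'Server requires signing but this host''s client policy is "None": this host''s own unsigned binds will be rejected.'
    }
    if ($findings.Count -eq 0) { $findings += 'Server and client signing requirements are synchronized.' }

    [pscustomobject]@{
        ServerSigning = $serverNames[[int]$server]
        ClientSigning = $clientNames[[int]$client]
        Findings      = $findings
    }
}

# Event ID 2887 in the Directory Service log summarizes clients that performed
# unsigned binds during the previous 24 hours; it is only logged on Domain controllers.
function Get-UnsignedBindSummary {
    Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 2887 } -MaxEvents 5 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Message
}

Get-LdapSigningPosture | Format-List
Get-UnsignedBindSummary
```

Run the script on a Domain controller before lowering the server policy to "None": a non-empty 2887 summary identifies which clients would be sending unsigned traffic, and the mismatch findings show which client policies would need to be changed in step with the server policy.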

Property of Network Security Systems Plus (NSSPlus), LLC

Copyright by Network Security Systems Plus, LLC 2000-2005