H3-2025-0073
LDAP Signing Not Required
| Category | SECURITY_MISCONFIGURATION |
| Base Score | 1.0 |
Description
The LDAP service on this host (typically an Active Directory domain controller) does not require LDAP signing: the policy "Domain controller: LDAP server signing requirements" is set to None, so clients may bind and issue directory operations over TCP 389 without negotiating signing. LDAP signing protects the integrity and authenticity of LDAP traffic by attaching to each packet a signature derived from the session key established at bind time. Without it the server cannot detect that a message was altered in transit, nor that the party sending requests is not the party that authenticated. The practical consequence is NTLM relay rather than classic packet tampering: an attacker positioned between a client and the domain controller, or able to coerce a client into authenticating (see References), can forward the client's NTLM authentication to the LDAP service and then operate a fully authenticated session as that client. A server that requires signing rejects such a session, because the relaying attacker does not hold the session key needed to sign subsequent messages. Note that this setting governs LDAP on port 389 only; LDAPS (636) is protected separately by LDAP channel binding. Enforcing signing also rejects cleartext simple binds that are not sent over TLS, so legacy clients that still perform unsigned or simple binds must be identified and fixed first (the domain controller records them in Directory Service event 2887, and per client in event 2889 when LDAP interface diagnostic logging is raised).
Impact
An attacker who captures or coerces NTLM authentication from a user or computer account (for example through LLMNR/NBT-NS poisoning or forced authentication, as in the referenced ATT&CK techniques) can relay it to the unsigned LDAP service and act in the directory with that account's rights. With a relayed domain user this commonly means reading sensitive directory data and creating a machine account where ms-DS-MachineAccountQuota permits; with a relayed computer account, modifying that computer's own object (such as its resource-based constrained delegation or key credential attributes) to obtain access to the machine; with a relayed privileged account, arbitrary directory changes up to full domain compromise. Interception and modification of LDAP data in transit, and impersonation of legitimate users or services within the network, are also possible, but the relay path is what offensive tooling automates and is the realistic route to these outcomes.
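The following script is an added example for checking and remediating this finding and is not part of the original finding text. It assumes the ActiveDirectory RSAT module is installed, that WinRM is reachable on each domain controller, and that it is run from an elevated PowerShell session with domain administrative rights. It reads the LDAPServerIntegrity registry value that backs the "Domain controller: LDAP server signing requirements" policy, pulls the most recent unsigned-bind summary event (2887) so that clients still relying on unsigned binds can be found before enforcement, and optionally sets the value to Require signing. The `$Enforce` switch and variable names are this example's own.

```powershell
# Added example, not from the original finding: audit and (optionally) enforce
# LDAP server signing on every domain controller in the current domain.
# Assumes: ActiveDirectory module, WinRM access to each DC, domain admin rights.

Import-Module ActiveDirectory

$Enforce  = $false   # set to $true to apply the remediation after reviewing the report
$regPath  = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$diagPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'

# LDAPServerIntegrity: 1 = None (signing negotiated only if the client asks for it),
#                      2 = Require signing.
# This is the registry value behind the policy
# "Domain controller: LDAP server signing requirements".
$results = foreach ($dc in Get-ADDomainController -Filter *) {
    Invoke-Command -ComputerName $dc.HostName -ArgumentList $regPath, $dc.HostName -ScriptBlock {
        param($path, $name)

        $integrity = (Get-ItemProperty -Path $path -Name LDAPServerIntegrity `
                      -ErrorAction SilentlyContinue).LDAPServerIntegrity

        # Event 2887 is written every 24 hours while signing is not required and
        # summarises how many unsigned SASL binds and cleartext simple binds were seen.
        # Event 2886 is written at startup to warn that signing is not required.
        $summary = Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 2887 } `
                   -MaxEvents 1 -ErrorAction SilentlyContinue

        [pscustomobject]@{
            DomainController    = $name
            LDAPServerIntegrity = $integrity
            RequiresSigning     = ($integrity -eq 2)
            LastUnsignedSummary = if ($summary) { $summary.TimeCreated } else { $null }
            UnsignedBindReport  = if ($summary) { $summary.Message } else { 'no 2887 event found' }
        }
    }
}

$results | Format-Table DomainController, LDAPServerIntegrity, RequiresSigning, LastUnsignedSummary -AutoSize

# For DCs that still see unsigned binds, raise "16 LDAP Interface Events" to 2 so the
# DC logs event 2889 per client (source IP and account) performing an unsigned or
# cleartext bind. Review those clients before enforcing; they will fail to bind afterwards.
foreach ($r in $results | Where-Object { -not $_.RequiresSigning }) {
    Write-Host "[$($r.DomainController)] signing not required. Last 2887 summary:"
    Write-Host $r.UnsignedBindReport
    Invoke-Command -ComputerName $r.DomainController -ArgumentList $diagPath -ScriptBlock {
        param($path)
        Set-ItemProperty -Path $path -Name '16 LDAP Interface Events' -Value 2 -Type DWord
    }
}

# Remediation: require signing. The supported route is the GPO setting
# "Domain controller: LDAP server signing requirements" = "Require signing" in the
# Default Domain Controllers Policy, which writes this same value; setting it directly
# here applies to the individual DC only.
if ($Enforce) {
    foreach ($r in $results | Where-Object { -not $_.RequiresSigning }) {
        Invoke-Command -ComputerName $r.DomainController -ArgumentList $regPath -ScriptBlock {
            param($path)
            Set-ItemProperty -Path $path -Name LDAPServerIntegrity -Value 2 -Type DWord
        }
        Write-Host "[$($r.DomainController)] LDAPServerIntegrity set to 2 (Require signing)"
    }
}
```

Run it first with `$Enforce = $false`, fix or re-point any clients listed in the 2887/2889 events (simple binds should move to LDAPS, SASL binds should negotiate signing), then re-run with `$Enforce = $true` or, preferably, set the equivalent policy through Group Policy so the setting is maintained across all domain controllers. A DC that already requires signing answers an unsigned NTLM bind with LDAP result code 8 (strongerAuthRequired), which is how external tooling tests the control from the client side.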
References
- Domain controller: LDAP server signing requirements
- How to enable LDAP signing in Windows Server
- 2020 LDAP channel binding and LDAP signing requirements for Windows
- MITRE ATT&CK Technique: T1557.001: Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay
- MITRE ATT&CK Technique: T1187: Forced Authentication