H3-2025-0074
LDAP Channel Binding Not Required
| Field | Value |
| --- | --- |
| Category | SECURITY_MISCONFIGURATION |
| Base Score | 1.0 |
Description
The LDAPS (LDAP over SSL/TLS) service on this host is configured not to require LDAP channel binding. Channel binding ties an LDAP authentication to the specific TLS session it arrives over: the client includes a channel binding token derived from the TLS session (the hash of the server's certificate) in its NTLM authentication, and the server rejects a bind whose token does not match its own end of the TLS connection. An authentication that has been relayed through an attacker's separate TLS session therefore fails validation. Without channel binding enforcement, an attacker can relay NTLM authentication to LDAPS by intercepting it from a victim and replaying it to the legitimate server, even though the connection itself is encrypted.
Impact
Exploiting this misconfiguration allows an attacker to perform NTLM relay attacks against LDAPS services. An attacker positioned on the network can coerce authentication from victim machines, intercept the NTLM authentication handshake, and relay it to LDAPS on a Domain Controller. This can result in unauthorized actions being performed with the victim's privileges, including creating machine accounts, modifying directory objects, and potentially achieving domain privilege escalation.
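The following PowerShell is added here as a remediation aid and is not part of the original finding or of Microsoft's own tooling. It audits the LdapEnforceChannelBinding setting named in the references below on every domain controller in the domain, optionally raises it, and turns on the LDAP interface diagnostic logging that reports clients failing (or that would fail) channel binding validation, so enforcement can be staged without breaking legacy clients. The registry paths, value names and event IDs 3039 and 3074 are taken from the Microsoft guidance referenced in this finding; the function and variable names are this example's own assumptions.

```powershell
# Added example, not part of the original finding. Run from an elevated
# PowerShell session with the ActiveDirectory RSAT module; each domain
# controller is queried over WinRM. Registry paths, value names and event IDs
# come from the Microsoft guidance referenced in this finding; the function
# and variable names are assumed.

# Everything the remote side needs lives inside this scriptblock so it runs
# unchanged on each domain controller.
$CbtAudit = {
    param([int]$Enforce = -1, [bool]$EnableLogging = $false)

    $params  = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $diag    = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'
    $meaning = @{
        0 = 'Never: channel binding token ignored (finding applies)'
        1 = 'When supported: token validated only if the client sends one'
        2 = 'Always: binds without a valid token are rejected'
    }

    if ($Enforce -ge 0) {
        # Remediation. Move to 1 first and review event 3074 for clients that
        # would break, then to 2 once those clients are fixed.
        Set-ItemProperty -Path $params -Name 'LdapEnforceChannelBinding' `
            -Value $Enforce -Type DWord
    }
    if ($EnableLogging) {
        # '16 LDAP Interface Events' = 2 makes the DC log channel binding
        # failures: 3039 (bind rejected, level 2) and 3074 (bind would have
        # been rejected, level 1).
        Set-ItemProperty -Path $diag -Name '16 LDAP Interface Events' `
            -Value 2 -Type DWord
    }

    $current = (Get-ItemProperty -Path $params -Name 'LdapEnforceChannelBinding' `
                -ErrorAction SilentlyContinue).LdapEnforceChannelBinding
    # An absent value is reported as 0 (not enforced).
    $level = if ($null -eq $current) { 0 } else { [int]$current }

    # Recent channel-binding events, if logging is already on. Get-WinEvent
    # throws when nothing matches, hence SilentlyContinue.
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 3039, 3074 } `
                  -MaxEvents 20 -ErrorAction SilentlyContinue |
              ForEach-Object { '{0} event {1}' -f $_.TimeCreated, $_.Id }

    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        Level           = $level
        Meaning         = $meaning[$level]
        Compliant       = ($level -eq 2)
        RecentCbtEvents = @($events)
    }
}

function Invoke-LdapCbtAudit {
    # Audits every DC in the current domain. -Enforce 1|2 writes the setting;
    # -EnableLogging turns on the 3039/3074 diagnostics. Without either
    # switch the function only reads.
    param([int]$Enforce = -1, [switch]$EnableLogging)

    $dcs = (Get-ADDomainController -Filter *).HostName
    Invoke-Command -ComputerName $dcs -ScriptBlock $CbtAudit `
        -ArgumentList $Enforce, $EnableLogging.IsPresent
}

# Audit only: any DC with Compliant = False matches this finding.
Invoke-LdapCbtAudit | Format-Table ComputerName, Level, Compliant, Meaning -AutoSize

# Staged rollout: enable logging and 'when supported' first, review the
# 3074 events for clients that need fixing, then enforce 'always'.
# Invoke-LdapCbtAudit -EnableLogging -Enforce 1
# Invoke-LdapCbtAudit -Enforce 2
```

Setting the value to 2 directly is the fastest fix but will reject binds from any client that does not send a channel binding token; the intermediate step at 1 with diagnostic logging enabled lets the 3074 events identify those clients before the setting is enforced. The equivalent Group Policy setting is the "Domain controller: LDAP server channel binding token requirements" policy listed in the references.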
References
- Domain controller: LDAP server channel binding token requirements
- Use the LdapEnforceChannelBinding registry entry to make LDAP authentication over SSL/TLS more secure
- 2020 LDAP channel binding and LDAP signing requirements for Windows
- ADV190023 - Microsoft Guidance for Enabling LDAP Channel Binding and LDAP Signing
- MITRE ATT&CK Technique: T1557.001: Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay
- MITRE ATT&CK Technique: T1187: Forced Authentication