https://learn.microsoft.com/zh-cn/troubleshoot/windows-server/active-directory/enable-ldap-signing-in-windows-server |
玩足球的莴苣 · 2 months ago
This article describes how to enable LDAP signing in Windows Server 2022, Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows 10 and Windows 11.
Original KB number: 935834
You can significantly improve the security of a directory server by configuring it to reject Simple Authentication and Security Layer (SASL) LDAP binds that do not request signing (integrity verification), or to reject LDAP simple binds that are performed on a clear-text (non-SSL/TLS-encrypted) connection. SASL binds may include protocols such as Negotiate, Kerberos, NTLM and Digest.
Unsigned network traffic is susceptible to replay attacks. In such an attack, an intruder intercepts the authentication attempt and the issuance of a ticket. The intruder can reuse the ticket to impersonate the legitimate user. Unsigned network traffic is also susceptible to man-in-the-middle (MITM) attacks, in which an intruder captures packets between the client and the server, modifies them, and then forwards them to the server. When this happens on an LDAP server, an attacker can cause the server to make decisions based on forged requests from the LDAP client.
After this configuration change is made, clients that rely on unsigned SASL (Negotiate, Kerberos, NTLM or Digest) LDAP binds, or on LDAP simple binds over a non-SSL/TLS connection, will stop working. To help identify these clients, the directory server for Active Directory Domain Services (AD DS) or Lightweight Directory Services (LDS) logs summary event ID 2887 once every 24 hours, indicating how many such binds occurred. We recommend configuring these clients not to use such binds. Once no such events have been observed for an extended period, we recommend configuring the server to reject such binds.
If you need more information to identify such clients, you can configure the directory server to provide more detailed logs. This additional logging records event ID 2889 each time a client attempts an unsigned LDAP bind. The log entry shows the client's IP address and the identity the client attempted to authenticate as. You can enable this additional logging by setting the "16 LDAP Interface Events" diagnostic setting to 2 (Basic). For more information about how to change diagnostic settings, see How to configure Active Directory and LDS diagnostic event logging.
If the directory server is configured to reject unsigned SASL LDAP binds or LDAP simple binds on a non-SSL/TLS connection, the directory server logs summary event ID 2888 once every 24 hours when such bind attempts occur.
For information about the possible impact of changing security settings, see Client, service, and program issues can occur if you change security settings and user rights assignments.
Follow the steps in this section carefully. Serious problems might occur if you modify the registry incorrectly. Before you modify it, back up the registry so that you can restore it in case problems occur.
By default, the registry entry is not available for Active Directory Lightweight Directory Services (AD LDS). Therefore, you must create a registry entry of type REG_DWORD named LDAPServerIntegrity under the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\<InstanceName>\Parameters
The placeholder <InstanceName> represents the name of the AD LDS instance that you want to change.
The registry entry has the following possible values:
0: Signing is disabled. 2: Signing is enabled. When you change this value, the new value takes effect immediately. You do not have to restart the computer.
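The registry steps above, scripted in PowerShell as an added example (this is not code from the KB article). The first function creates or updates the LDAPServerIntegrity REG_DWORD for an AD LDS instance exactly as described; the second raises the "16 LDAP Interface Events" diagnostic level so that event 2889 is logged per client before enforcement is turned on. The instance name ADAM_App1 is an assumption for illustration. For AD DS the same value lives under Services\NTDS\Parameters and is normally set through the "Domain controller: LDAP server signing requirements" Group Policy setting rather than edited directly; that is not covered on this page.

```powershell
# Added example, not from KB 935834. Run elevated on the server hosting the AD LDS instance.
#Requires -RunAsAdministrator

function Set-AdLdsLdapSigning {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$InstanceName,   # AD LDS instance name, e.g. ADAM_App1 (assumed)
        [ValidateSet(0, 2)][int]$Integrity = 2         # 0 = signing disabled, 2 = signing enabled (per the KB)
    )
    $params = "HKLM:\SYSTEM\CurrentControlSet\Services\$InstanceName\Parameters"
    if (-not (Test-Path $params)) { throw "AD LDS instance '$InstanceName' not found: $params" }

    $current = (Get-ItemProperty -Path $params -Name LDAPServerIntegrity -ErrorAction SilentlyContinue).LDAPServerIntegrity
    $was = if ($null -eq $current) { '<absent>' } else { $current }
    if ($PSCmdlet.ShouldProcess($params, "Set LDAPServerIntegrity=$Integrity (was: $was)")) {
        # New-ItemProperty creates the REG_DWORD if it is absent; -Force overwrites it if present.
        New-ItemProperty -Path $params -Name LDAPServerIntegrity -PropertyType DWord -Value $Integrity -Force | Out-Null
    }
    # The KB states the new value takes effect immediately; no restart is required.
    (Get-ItemProperty -Path $params -Name LDAPServerIntegrity).LDAPServerIntegrity
}

function Set-LdapInterfaceEventLevel {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$Service = 'NTDS',             # 'NTDS' for AD DS; pass the AD LDS instance name otherwise
        [ValidateRange(0, 5)][int]$Level = 2   # 2 = Basic, enough to get event 2889 per client
    )
    $diag = "HKLM:\SYSTEM\CurrentControlSet\Services\$Service\Diagnostics"
    if (-not (Test-Path $diag)) { throw "Diagnostics key not found: $diag" }
    if ($PSCmdlet.ShouldProcess($diag, "Set '16 LDAP Interface Events'=$Level")) {
        Set-ItemProperty -Path $diag -Name '16 LDAP Interface Events' -Value $Level -Type DWord
    }
    (Get-ItemProperty -Path $diag -Name '16 LDAP Interface Events').'16 LDAP Interface Events'
}

# Usage (assumed instance name). Order matters: log first, enforce later.
# Set-LdapInterfaceEventLevel -Service ADAM_App1 -Level 2      # watch for 2887/2889 for a while
# Set-AdLdsLdapSigning -InstanceName ADAM_App1 -Integrity 2    # then require signing
# Both functions support -WhatIf for a dry run.
```

Both functions return the value as it is stored after the change so that a deployment script can assert on it. Use -WhatIf first on a production instance; the change is immediate and will break any client still doing clear-text simple binds.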
Log on to a computer that has the AD DS administration tools installed.
Select Start > Run, type ldp.exe, and then select OK.
Select Connection > Connect.
In Server and Port, type the server name and the non-SSL/TLS port of the directory server, and then select OK.
For an Active Directory domain controller, the applicable port is 389.
After the connection is established, select Connection > Bind.
Under Bind type, select Simple bind.
Type the user name and password, and then select OK.
If you receive the following error message, the directory server has been configured successfully:
Ldap_simple_bind_s() failed: Strong Authentication Required
After the DS service starts, event ID 2886 is logged to remind administrators to enable the signing requirement:
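The ldp.exe check above, scripted so it can be run against many servers, as an added example that is not part of the KB article. It attempts an LDAP simple bind over clear-text TCP 389 and reports whether the server rejected it with LDAP result code 8 (strongerAuthRequired, the "Strong Authentication Required" error ldp.exe displays), and it can also perform a Negotiate bind with signing and sealing requested to confirm that compliant clients still succeed. The server name dc01.contoso.com and the account contoso\ldaptest are assumptions for illustration.

```powershell
# Added example, not from KB 935834. Uses System.DirectoryServices.Protocols (ships with .NET on Windows).
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Get-InnerException([System.Exception]$e) {
    # PowerShell may wrap exceptions thrown by .NET method calls; dig down to the LdapException.
    while ($e -and -not ($e -is [System.DirectoryServices.Protocols.LdapException]) -and $e.InnerException) {
        $e = $e.InnerException
    }
    return $e
}

function Test-LdapBind {
    param(
        [Parameter(Mandatory)][string]$Server,
        [int]$Port = 389,                                   # non-SSL/TLS port, as in the ldp.exe steps
        [Parameter(Mandatory)][pscredential]$Credential,
        [ValidateSet('SimpleClearText', 'NegotiateSigned')][string]$Mode = 'SimpleClearText'
    )
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $Port)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.SessionOptions.ProtocolVersion   = 3
    $conn.SessionOptions.SecureSocketLayer = $false         # plain TCP; no LDAPS
    $conn.Credential = $Credential.GetNetworkCredential()
    if ($Mode -eq 'SimpleClearText') {
        # LDAP simple bind: password crosses the wire in clear text. This is what a hardened server must reject.
        $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Basic
    } else {
        # SASL (Negotiate) bind that explicitly requests integrity and confidentiality.
        $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
        $conn.SessionOptions.Signing = $true
        $conn.SessionOptions.Sealing = $true
    }
    try {
        $conn.Bind()
        $result = 'ACCEPTED'
    } catch {
        $ex = Get-InnerException $_.Exception
        if ($ex -is [System.DirectoryServices.Protocols.LdapException] -and $ex.ErrorCode -eq 8) {
            # LDAP result code 8 = strongerAuthRequired: the server enforces signing / TLS.
            $result = 'REJECTED: strong authentication required (signing enforced)'
        } else {
            # Anything else (e.g. 49 invalidCredentials, network failure) is not evidence about signing.
            $result = "ERROR: $($ex.Message)"
        }
    } finally {
        $conn.Dispose()
    }
    [pscustomobject]@{ Server = $Server; Port = $Port; Mode = $Mode; Result = $result }
}

# Usage (assumed server and account):
# $cred = Get-Credential 'contoso\ldaptest'
# Test-LdapBind -Server dc01.contoso.com -Credential $cred -Mode SimpleClearText   # expect REJECTED once enforced
# Test-LdapBind -Server dc01.contoso.com -Credential $cred -Mode NegotiateSigned   # expect ACCEPTED
```

A result of ACCEPTED for SimpleClearText means the server still allows clear-text simple binds and the password of the test account has just been sent unencrypted, so use a throwaway account. Run the probe from a host that is not the directory server itself, because the check is about what is accepted over the network.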
Log Name: Directory Service
Source: Microsoft-Windows-ActiveDirectory_DomainService
Event ID: 2886
Task Category: LDAP Interface
Level: Warning
Keywords: Classic
Description:
The security of this directory server can be significantly enhanced by configuring the server to reject SASL (Negotiate, Kerberos, NTLM, or Digest) LDAP binds that do not request signing (integrity verification) and LDAP simple binds that are performed on a clear text (non-SSL/TLS-encrypted) connection. Even if no clients are using such binds, configuring the server to reject them will improve the security of this server.
Some clients may currently be relying on unsigned SASL binds or LDAP simple binds over a non-SSL/TLS connection, and will stop working if this configuration change is made. To assist in identifying these clients, if such binds occur this directory server will log a summary event once every 24 hours indicating how many such binds occurred. You are encouraged to configure those clients to not use such binds. Once no such events are observed for an extended period, it is recommended that you configure the server to reject such binds.
For more details and information on how to make this configuration change to the server, please see http://go.microsoft.com/fwlink/?LinkID=87923.
You can enable additional logging to log an event each time a client makes such a bind, including information on which client made the bind. To do so, please raise the setting for the "LDAP Interface Events" event logging category to level 2 or higher.
Event ID 2887
If problem clients are detected but allowed, a summary event for the past 24 hours (event ID 2887) is logged:
Log Name: Directory Service
Source: Microsoft-Windows-ActiveDirectory_DomainService
Event ID: 2887
Task Category: LDAP Interface
Level: Warning
Keywords: Classic
Description:
During the previous 24 hour period, some clients attempted to perform LDAP binds that were either:
(1) A SASL (Negotiate, Kerberos, NTLM, or Digest) LDAP bind that did not request signing (integrity validation), or
(2) A LDAP simple bind that was performed on a clear text (non-SSL/TLS-encrypted) connection
This directory server is not currently configured to reject such binds. The security of this directory server can be significantly enhanced by configuring the server to reject such binds. For more details and information on how to make this configuration change to the server, please see http://go.microsoft.com/fwlink/?LinkID=87923.
Summary information on the number of these binds received within the past 24 hours is below.
You can enable additional logging to log an event each time a client makes such a bind, including information on which client made the bind. To do so, please raise the setting for the "LDAP Interface Events" event logging category to level 2 or higher.
Number of simple binds performed without SSL/TLS: <count of binds>
Number of Negotiate/Kerberos/NTLM/Digest binds performed without signing: <count of binds>
Event ID 2888
When problem clients are rejected, a summary event for the past 24 hours (event ID 2888) is logged:
Log Name: Directory Service
Source: Microsoft-Windows-ActiveDirectory_DomainService
Event ID: 2888
Task Category: LDAP Interface
Level: Information
Keywords: Classic
Description:
During the previous 24 hour period, some clients attempted to perform LDAP binds that were either:
(1) A SASL (Negotiate, Kerberos, NTLM, or Digest) LDAP bind that did not request signing (integrity validation), or
(2) A LDAP simple bind that was performed on a clear text (non-SSL/TLS-encrypted) connection
This directory server is configured to reject such binds. This is the recommended configuration setting, and significantly enhances the security of this server. For more details, please see http://go.microsoft.com/fwlink/?LinkID=87923.
Summary information on the number of such binds received within the past 24 hours is below.
You can enable additional logging to log an event each time a client makes such a bind, including information on which client made the bind. To do so, please raise the setting for the "LDAP Interface Events" event logging category to level 2 or higher.
Number of simple binds rejected because they were performed without SSL/TLS: <count of binds>
Number of Negotiate/Kerberos/NTLM/Digest binds rejected because they were performed without signing: <count of binds>
Event ID 2889
When a problem client attempts to connect, event ID 2889 is logged:
Log Name: Directory Service
Source: Microsoft-Windows-ActiveDirectory_DomainService
Event ID: 2889
Task Category: LDAP Interface
Level: Information
Keywords: Classic
Description:
The following client performed a SASL (Negotiate/Kerberos/NTLM/Digest) LDAP bind without requesting signing (integrity verification), or performed a simple bind over a clear text (non-SSL/TLS-encrypted) LDAP connection.
Client IP address:
<IP address>:<TCP port>
Identity the client attempted to authenticate as:
contoso\<username>
Binding Type:
0 – Simple Bind that does not support signing
1 – SASL Bind that does not use signing
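An added example (not code from the KB article) that turns event ID 2889 entries into an inventory of the clients that still perform unsigned SASL or clear-text simple binds, which is the list you need to work through before switching the server to reject them. The parser follows the field layout of the event text shown above; the two sample messages are constructed for illustration and are not real log data, and the domain CONTOSO, addresses and account names in them are assumptions.

```powershell
# Added example, not from KB 935834.

function ConvertFrom-LdapBindEventMessage {
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Message)
    process {
        # In the event text each value sits on the line after its label. "Binding Type" is 0 for a
        # clear-text simple bind and 1 for a SASL bind without signing (see the legend above).
        $m = [regex]::Match($Message,
            'Client IP address:\s*(?<ip>\S+):(?<port>\d+)\s+Identity the client attempted to authenticate as:\s*(?<id>\S+)\s+Binding Type:\s*(?<type>[01])')
        if (-not $m.Success) { return }
        [pscustomobject]@{
            ClientIP = $m.Groups['ip'].Value          # IPv6 arrives as [addr]:port; the regex backtracks to the last colon
            Port     = [int]$m.Groups['port'].Value
            Identity = $m.Groups['id'].Value
            BindType = if ($m.Groups['type'].Value -eq '0') { 'SimpleBind-ClearText' } else { 'SASLBind-Unsigned' }
        }
    }
}

function Get-LdapUnsignedBindClients {
    # Reads the real events from a DC (requires "16 LDAP Interface Events" at level 2 or higher).
    param([string]$ComputerName = $env:COMPUTERNAME, [int]$Days = 7)
    $filter = @{
        LogName      = 'Directory Service'
        ProviderName = 'Microsoft-Windows-ActiveDirectory_DomainService'
        Id           = 2889
        StartTime    = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object { $_.Message } |
        ConvertFrom-LdapBindEventMessage |
        Group-Object ClientIP, Identity, BindType |
        ForEach-Object {
            [pscustomobject]@{
                ClientIP = $_.Group[0].ClientIP
                Identity = $_.Group[0].Identity
                BindType = $_.Group[0].BindType
                Count    = $_.Count
            }
        } | Sort-Object Count -Descending
}

# Constructed sample messages (not real log data) so the parser can be exercised offline.
$sample1 = @"
The following client performed a SASL (Negotiate/Kerberos/NTLM/Digest) LDAP bind without requesting signing (integrity verification), or performed a simple bind over a clear text (non-SSL/TLS-encrypted) LDAP connection.

Client IP address:
10.20.30.40:49812
Identity the client attempted to authenticate as:
CONTOSO\svc-scanner
Binding Type:
0
"@
$sample2 = @"
The following client performed a SASL (Negotiate/Kerberos/NTLM/Digest) LDAP bind without requesting signing (integrity verification), or performed a simple bind over a clear text (non-SSL/TLS-encrypted) LDAP connection.

Client IP address:
[fd00::1234]:51000
Identity the client attempted to authenticate as:
CONTOSO\app-ldap
Binding Type:
1
"@
@($sample1, $sample2) | ConvertFrom-LdapBindEventMessage | Format-Table -AutoSize

# On a domain controller, replace the sample run with:
# Get-LdapUnsignedBindClients -Days 14 | Format-Table -AutoSize
```

Grouping by IP, identity and bind type gives one row per offending application rather than one per bind, which is what you hand to the owning team. A row whose identity is a service account with BindType SimpleBind-ClearText is the urgent case: that account's password is being sent in clear text on every bind, so fixing the client (switch to LDAPS or a signed SASL bind) matters independently of when the server starts rejecting it.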
ADV190023: Microsoft guidance for enabling LDAP channel binding and LDAP signing
2020 LDAP channel binding and LDAP signing requirements for Windows
2020, 2023, and 2024 LDAP channel binding and LDAP signing requirements for Windows (KB4520412)
How to configure Active Directory and LDS diagnostic event logging