Secure LDAP
In an on-prem AD environment, there are often applications or services that need to integrate with AD. An AD-integrated application or service can query AD users, authenticate them, modify objects, and so on. This integration is usually done over the Lightweight Directory Access Protocol (LDAP). By default, the LDAP connection between the client (the application or service) and the server (a domain controller) is not encrypted. With this default configuration, a man-in-the-middle attacker can capture the packets exchanged between the LDAP client and server, modify them, and then send the modified packets on to the server.
The LDAP server cannot tell the difference and will process these forged requests as if they were genuine, returning its decision to them. Microsoft is well aware of this vulnerability.
On August 13, 2019, Microsoft released a security advisory recommending that LDAP channel binding and LDAP signing be enabled on both the LDAP client and the LDAP server. For more information, refer to https://bit.ly/3CRmr0B...
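Before enforcing signing and channel binding, an administrator will want to know what a domain controller currently enforces and which clients would break. The following PowerShell audit script is an added example, not code from the book or from Microsoft; it reads the two documented registry values under the NTDS service key (LDAPServerIntegrity for signing, LdapEnforceChannelBinding for channel binding tokens) and then lists the Directory Service events in which the DC reports unsigned or simple binds. It assumes it is run in an elevated session on the domain controller itself; the function name Get-LdapHardeningState is this example's own.

```powershell
# Added example (not the book's or Microsoft's code): audit a domain controller's
# LDAP signing and channel binding enforcement, then list clients still doing
# unsigned binds. Run elevated on the DC. Function name is hypothetical.
function Get-LdapHardeningState {
    $ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'

    # LDAPServerIntegrity: 0 or absent = None, 1 = Negotiate signing (default), 2 = Require signing
    $signing = [int](Get-ItemProperty -Path $ntds -Name 'LDAPServerIntegrity' `
        -ErrorAction SilentlyContinue).LDAPServerIntegrity

    # LdapEnforceChannelBinding: 0 or absent = Never, 1 = When supported, 2 = Always
    $cbt = [int](Get-ItemProperty -Path $ntds -Name 'LdapEnforceChannelBinding' `
        -ErrorAction SilentlyContinue).LdapEnforceChannelBinding

    $signingText = switch ($signing) { 2 { 'Require signing' } 1 { 'Negotiate signing' } default { 'None' } }
    $cbtText     = switch ($cbt)     { 2 { 'Always' }          1 { 'When supported' }    default { 'Never' } }

    [pscustomobject]@{
        DomainController          = $env:COMPUTERNAME
        LDAPServerIntegrity       = $signingText
        LdapEnforceChannelBinding = $cbtText
        SigningEnforced           = ($signing -eq 2)   # true only when unsigned binds are rejected
        ChannelBindingEnforced    = ($cbt -eq 2)       # true only when CBT is always required
    }
}

# Report the current state of this DC.
Get-LdapHardeningState | Format-List

# Find clients that would break once signing is required.
# Event 2887 is the DC's daily count of simple/unsigned binds; 2889 names each
# client (IP:port and account) and is only written when the NTDS diagnostic
# value "16 LDAP Interface Events" is set to 2.
$unsignedBinds = Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 2887, 2889 } `
    -ErrorAction SilentlyContinue

if ($unsignedBinds) {
    $unsignedBinds |
        Select-Object TimeCreated, Id, @{ n = 'Detail'; e = { ($_.Message -split "`n")[0] } } |
        Format-Table -AutoSize
} else {
    Write-Output 'No 2887/2889 events found: either no unsigned binds occurred or 2889 logging is off.'
}
```

Run the audit for a few weeks with 2889 logging enabled, fix the clients it names (typically older appliances or applications bound with simple binds over port 389), and only then raise the policy. The registry values above correspond to the Group Policy settings "Domain controller: LDAP server signing requirements" and "Domain controller: LDAP server channel binding token requirements"; the matching client side is "Network security: LDAP client signing requirements". Managing them through Group Policy rather than direct registry edits keeps every DC consistent.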