Hardening LDAP in Server 2016 Essentials

If you run a fully patched Windows Server Essentials 2016, you’ve probably been seeing this event in your daily Health Report since around March 2020:

LDAP 1

Log Name:      Directory Service
Source:        Microsoft-Windows-ActiveDirectory_DomainService
Event ID:      3041
Task Category: LDAP Interface
Level:         Warning
Description:
The security of this directory server can be significantly enhanced by configuring the server to enforce  validation of Channel Binding Tokens received in LDAP bind requests sent over LDAPS connections. Even if  no clients are issuing LDAP bind requests over LDAPS, configuring the server to validate Channel Binding  Tokens will improve the security of this server. For more details and information on how to make this configuration change to the server, please see https://go.microsoft.com/fwlink/?linkid=2102405.

This is best explained in KB article 4520412. That article includes descriptions of new events.

There are two group policy changes and a registry change. I’m making the group policy changes in the existing Domain Controllers > Default Domain Controllers Policy GPO. [Edit 6/5/2023:  moving this to its own GPO, still applied only to the Domain Controllers OU, to make it easier to copy to new domains that I configure.] The path for both policies  is Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options. I’m making the following changes for now:

  1. In that group policy path, change “Domain controller: LDAP server signing requirements” from None to Require Signing.
  2. In the same group policy path, change “Domain controller: LDAP server channel binding token requirements” from Undefined (= Never) to Defined and “When Supported”
  3. In the registry, change “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics\16 LDAP Interface Events” (logging level) from 0 to 2. This can also be set in the Group Policy under Computer Configuration > Preferences > Windows Settings > Registry, which nicely keeps all of these settings together in one GPO.

The last one—increasing the logging level—is important as it should allow identifying any clients that are attempting “to bind without a valid CBT” (event 3039). The binding should still be allowed since #2 is set to “When Supported”.

Once I’ve identified and remedied unsuccessful LDAP connections, I should be able to change #2 to “Always”.

Update July 31, 2020

One day later, I’m seeing several 1216 events like this:

Log Name: Directory Service
Source: Microsoft-Windows-ActiveDirectory_DomainService
Date: 7/31/2020 2:15:29 AM
Event ID: 1216
Task Category: LDAP Interface
Level: Warning
Description:
Internal event: An LDAP client connection was closed because of an error.
Client IP:
[::1]:53936
Additional Data
Error value:
1236 The network connection was aborted by the local system.
Internal ID:
c060420

MSKB 246717 is not an exact match, but it sounds like those events are just showing up because I increased the logging level, not because of tighter LDAP security. To be sure, I’m going to temporarily set server signing back to “None” (option 1 above).

Update August 1, 2020

As expected, even with LDAP signing set to None, the 1216 events continue. So they are unrelated to the signing requirement and solely a byproduct of the increased logging level. Setting signing back to Require Signing.

Update August 8, 2020

The only warning/error events I’m seeing in the Directory Service log are the 1216s. However with the increased logging, that 1MB event log is only storing about one day’s worth of events. Increasing the Directory Service event log to 10MB.

Update August 17, 2020

No warnings or error in the event log other than the 1216s mentioned above. I’m changing signing to Always. If no new errors appear in the event log in a few days, I’ll reduce the logging level back to 0.

2 thoughts on “Hardening LDAP in Server 2016 Essentials

  1. Steve

    RE” change “Domain controller: LDAP server channel binding token requirements” from Undefined (= Never) to Defined and “When Supported”

    I don’t think there is a need to change to “When Supported”, according to the GPO entry:
    Default: This policy is not defined, which has the same effect as When Supported.

    Despite setting 15 LDAP Interface Events to “2”, I’ve never had a single hit for Event ID 3039,3040 and 3041

    Event ID 3039: Triggered when a client attempts to bind without valid CBT (channel binding token) – client performed an LDAP bind over SSL/TLS and failed the LDAP token validation.
    This event ID (3039) will also display which IP address and Account that are making these requests.
    Event ID: 3040: Triggered (every 24h by default) when CBT (channel binding token) group policy is set to ‘Never’ and at least one unprotected bind was completed
    Event ID 3041: Upon startup or start of service, when the CBT group policy is set to ‘Never’

  2. Mark Berry Post author

    Steve, you may be right about When Supported, though when I’m making changes, I generally prefer explicit policies for documentation purposes. As noted in my August 17, 2020 update above, I eventually changed “Domain controller: LDAP server channel binding token requirements” to Always.

Leave a Reply

Your email address will not be published. Required fields are marked *

Notify me of followup comments via e-mail. You can also subscribe without commenting.