• United States



Contributing Writer

How to fix insecure LDAP binds to prevent exposed Windows admin credentials

Jan 08, 20204 mins
AuthenticationNetwork SecuritySecurity

Although Microsoft has a permanent fix on the way, it's possible that you're exposing domain admin account credentials in cleartext. Here's how to check for and solve that problem.

Windows logo / life preserver / rescue / recovery / fix / resolve / solution
Credit: PaulFleet / Getty Images / Microsoft

First the good news: Microsoft planned to release a patch in January to disable insecure LDAP channel binding and LDAP signing to more secure configurations. As a result of businesses asking for more time due to the holiday season, Microsoft has pushed this off to March 2020. Now the bad news: You may be already passing the credentials for the domain admin account in cleartext in your network as noted in a 2016 blog post.

How do you know? Start by looking for event ID 2886 and 2887 in your directory service log. If event ID 2886 is present, it indicates that LDAP signing is not being enforced by your domain controller. What’s so bad about this? Plenty. It means that it’s possible to perform a cleartext LDAP bind over a non-encrypted connection.

bradley ldap 1 Susan Bradley

Review domain controller logs for event 2886.

If you see event 2886, you need to take immediate action to remedy the situation. Review your Group Policy or registry settings on your domain controllers. If you’ve never configured the option “Domain controller: LDAP server signing requirements” and still have them set as none, chances are this LDAP configuration is opening you up to risky configurations.

Review your group policy setting located at GPO_nameComputer ConfigurationWindows SettingsSecurity SettingsLocal PoliciesSecurity Options.

bradley ldap 2 Susan Bradley

Review your LDAP signing policy

Especially if you are running a domain based on older servers and participating in the extended support patch process and will obtain Server 2008 R2 patches, review this Group Policy setting and change it to “Require signing”.

bradley ldap 3 Susan Bradley

Review the Goup Policy settings for LDAP signing.

Check for unsigned, cleartext binds

Obviously before you do so, determine the impact on your network. As noted in the blog post, look for event ID 2887. It normally occurs every 24 hours and reports how many unsigned and cleartext binds have occurred to the domain controller in question.

If you have a single unsigned and cleartext bind occurring, you need to take action. You can increase the logging of these events to review if you are impacted. Keep in mind that more logging will turn on a great number of events and may also enable errors in the log file that might seem alarming. Don’t worry; these events are normal. It’s recommended to enable additional logging only for a few minutes and then disable the logging afterwards. Here are the changes to the registry keys you need to make to increase logging:

# Enable Simple LDAP Bind Logging

Reg Add HKLMSYSTEMCurrentControlSetServicesNTDSDiagnostics /v "16 LDAP Interface Events" /t REG_DWORD /d 2

# Disable Simple LDAP Bind Logging.

Reg Add HKLMSYSTEMCurrentControlSetServicesNTDSDiagnostics /v "16 LDAP Interface Events" /t REG_DWORD /d 0

Note: You may need replace the double quotes after copy and paste.

You are looking for 2889 events. You can also download from GitHub a filtered view. To use the .xml file, open “Event viewer”, right-click on “Custom views” and then select “Import Custom View”. Browse to the location of the .xml file. If you are doing this on a management workstation or server and not the domain controller, you will get an error message until you bind it to your domain controller.

You can also download a PowerShell script from GitHub that will extract the data from event 2889 on your domain controller into a .csv file. It will only query for events in the last 24 hours.

.Query-InsecureLDAPBinds.ps1 -ComputerName -Hours 24

You can also follow the advice in two blog posts. The first goes through the process of setting up additional logging to you can review if you have insecure LDAP bindings occurring:

bradley ldap 4 Susan Bradley

Enable additional logging.

Wait 24 hours and look for event 2889 every time a client performs Simple Authentication and Security Layer (SASL) bind without requesting signing or simple bind on cleartext. This will identify what applications or platforms you need to upgrade or fix to support insecure bindings.

Once you determine that you have insecure bindings, fix this issue by reviewing if you can enable secure connections or secure bind on a checkbox inside the applications config. You can also go back to the vendor that you purchased the LDAP-reliant application from to see if they can provide a more secure way to access LDAP queries. If you need to enable secure binding, you can do so with internal SSL certificates as noted in this blog.

As you go through your end-of-year inventory, review if you have insecure setups in your active directory infrastructure. Don’t be leaking credentials in your network.

Don’t forget to sign up for TechTalk from IDG’s YouTube channel for tech news of the day. Start off 2020 right by reviewing what you missed in 2019.

Contributing Writer

Susan Bradley has been patching since before the Code Red/Nimda days and remembers exactly where she was when SQL slammer hit (trying to buy something on eBay and wondering why the Internet was so slow). She writes the Patch Watch column for, is a moderator on the listserve, and writes a column of Windows security tips for In real life, she’s the IT wrangler at her firm, Tamiyasu, Smith, Horn and Braun, where she manages a fleet of Windows servers, Microsoft 365 deployments, Azure instances, desktops, a few Macs, several iPads, a few Surface devices, several iPhones and tries to keep patches up to date on all of them. In addition, she provides forensic computer investigations for the litigation consulting arm of the firm. She blogs at and is on twitter at @sbsdiva. She lurks on Twitter and Facebook, so if you are on Facebook with her, she really did read what you posted. She has a SANS/GSEC certification in security and prefers Heavy Duty Reynolds wrap for her tinfoil hat.

More from this author