Although Microsoft has a permanent fix on the way, it's possible that you're exposing domain admin account credentials in cleartext. Here's how to check for and solve that problem.

First the good news: Microsoft planned to release a patch in January that moves the insecure LDAP channel binding and LDAP signing defaults to more secure configurations. Because businesses asked for more time due to the holiday season, Microsoft has pushed this off to March 2020.

Now the bad news: You may already be passing the credentials for the domain admin account in cleartext in your network, as noted in a 2016 blog post. How do you know? Start by looking for event IDs 2886 and 2887 in your Directory Service log. If event ID 2886 is present, it indicates that LDAP signing is not being enforced by your domain controller. What’s so bad about this? Plenty. It means that it’s possible to perform a cleartext LDAP bind over a non-encrypted connection.

[Screenshot: Review domain controller logs for event 2886.]

If you see event 2886, you need to take immediate action to remedy the situation. Review the Group Policy or registry settings on your domain controllers. If you’ve never configured the option “Domain controller: LDAP server signing requirements” and it is still set to None, chances are this LDAP configuration is opening you up to risk. Review the Group Policy setting located at GPO_name\Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options.

[Screenshot: Review your LDAP signing policy.]

Especially if you are running a domain based on older servers, participating in the extended support patch process and obtaining Server 2008 R2 patches, review this Group Policy setting and change it to “Require signing”.

[Screenshot: Review the Group Policy settings for LDAP signing.]

Check for unsigned, cleartext binds

Obviously, before you do so, determine the impact on your network.
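The check described above can be scripted. The following PowerShell is an added example, not code from the article or from Microsoft: it reads the registry values behind the “LDAP server signing requirements” policy on a domain controller (LDAPServerIntegrity, plus the related LdapEnforceChannelBinding value) and pulls the newest 2886 and 2887 events from the Directory Service log. The parameter name, the output property names and the regular expressions over the 2887 message text are this example's own assumptions.

```powershell
# Added example (not code from the article or from Microsoft): audit one domain
# controller's LDAP signing posture. Reads the registry values behind the
# "Domain controller: LDAP server signing requirements" policy and the newest
# 2886/2887 events from the Directory Service log. Assumes rights to read the DC's
# registry and event log (WinRM when $ComputerName is a remote DC).
[CmdletBinding()]
param([string]$ComputerName = $env:COMPUTERNAME)

# Runs locally or over WinRM depending on the target name.
$readConfig = {
    $p = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    [pscustomobject]@{
        # LDAPServerIntegrity: 1 = None (the default when the policy is not set), 2 = Require signing
        LDAPServerIntegrity       = $p.LDAPServerIntegrity
        # LdapEnforceChannelBinding: 0 = Never, 1 = When supported, 2 = Always
        LdapEnforceChannelBinding = $p.LdapEnforceChannelBinding
    }
}
$cfg = if ($ComputerName -eq $env:COMPUTERNAME) { & $readConfig } else {
    Invoke-Command -ComputerName $ComputerName -ScriptBlock $readConfig
}
$signingRequired = ($cfg.LDAPServerIntegrity -eq 2)

# Newest first. 2886 says signing is not required; 2887 carries the 24-hour counts.
$events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
    LogName = 'Directory Service'; Id = 2886, 2887
} -MaxEvents 100 -ErrorAction SilentlyContinue
$last2886 = $events | Where-Object Id -eq 2886 | Select-Object -First 1
$last2887 = $events | Where-Object Id -eq 2887 | Select-Object -First 1

# 2887's message ends with two counters. The regexes assume the standard English
# message text; they leave the counts $null on a DC that logs in another language.
$simpleBinds = $null; $unsignedBinds = $null
if ($last2887) {
    if ($last2887.Message -match 'without SSL/TLS:\s*(\d+)') { $simpleBinds   = [int]$Matches[1] }
    if ($last2887.Message -match 'without signing:\s*(\d+)') { $unsignedBinds = [int]$Matches[1] }
}

$finding = if (-not $signingRequired -and ($simpleBinds -gt 0 -or $unsignedBinds -gt 0)) {
    'Signing not enforced and insecure binds observed: identify the clients (event 2889) before requiring signing'
} elseif (-not $signingRequired) {
    'Signing not enforced (2886): no insecure binds counted yet, but set the policy to Require signing'
} else {
    'Signing required'
}

# One summary object per DC; pipe several DCs into Format-Table or Export-Csv.
[pscustomobject]@{
    DomainController          = $ComputerName
    LDAPServerIntegrity       = $cfg.LDAPServerIntegrity
    LdapEnforceChannelBinding = $cfg.LdapEnforceChannelBinding
    SigningRequired           = $signingRequired
    Last2886                  = $last2886.TimeCreated
    Last2887                  = $last2887.TimeCreated
    SimpleBindsLast24h        = $simpleBinds
    UnsignedSaslBindsLast24h  = $unsignedBinds
    Finding                   = $finding
}
```

Run it once per domain controller (for example in a loop over Get-ADDomainController) and keep the output: a DC with SigningRequired false and non-zero counts is the one to investigate first, and the same output after you switch the policy to Require signing confirms the change took effect.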
As noted in the blog post, look for event ID 2887. It normally occurs every 24 hours and reports how many unsigned and cleartext binds have occurred to the domain controller in question. If you have even a single unsigned or cleartext bind occurring, you need to take action.

You can increase the logging of these events to review whether you are impacted. Keep in mind that more logging will turn on a great number of events and may also surface errors in the log file that might seem alarming. Don’t worry; these events are normal. It’s recommended to enable the additional logging only for a few minutes and then disable it afterwards. Here are the registry changes you need to make to increase logging (the /f switch overwrites the value without prompting, since it already exists with a value of 0):

# Enable Simple LDAP Bind Logging
Reg Add HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics /v "16 LDAP Interface Events" /t REG_DWORD /d 2 /f

# Disable Simple LDAP Bind Logging
Reg Add HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics /v "16 LDAP Interface Events" /t REG_DWORD /d 0 /f

Note: You may need to replace the double quotes after copy and paste.

You are looking for 2889 events. You can also download a filtered view from GitHub. To use the .xml file, open Event Viewer, right-click Custom Views and then select Import Custom View. Browse to the location of the .xml file. If you are doing this on a management workstation or server and not on the domain controller, you will get an error message until you bind it to your domain controller.

You can also download a PowerShell script from GitHub that will extract the data from event 2889 on your domain controller into a .csv file. It only queries for events in the last 24 hours:

.\Query-InsecureLDAPBinds.ps1 -ComputerName dc1.contoso.com -Hours 24

You can also follow the advice in two blog posts.
The first goes through the process of setting up additional logging so you can review whether you have insecure LDAP bindings occurring:

[Screenshot: Enable additional logging.]

Wait 24 hours and look for event 2889, which is logged every time a client performs a Simple Authentication and Security Layer (SASL) bind without requesting signing, or a simple bind over cleartext. This will identify which applications or platforms are using insecure bindings and need to be upgraded or fixed.

Once you determine that you have insecure bindings, fix the issue by reviewing whether you can enable secure connections or secure bind via a checkbox inside the application’s configuration. You can also go back to the vendor that you purchased the LDAP-reliant application from to see if they can provide a more secure way to access LDAP queries. If you need to enable secure binding, you can do so with internal SSL certificates as noted in this blog.

As you go through your end-of-year inventory, review whether you have insecure setups in your Active Directory infrastructure. Don’t be leaking credentials in your network.
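The registry toggle for “16 LDAP Interface Events” and the 2889 review described above fit together into one script. The following PowerShell is an added example, not the article's commands and not Microsoft's Query-InsecureLDAPBinds.ps1: it raises the diagnostic level for a capture window, and when run without the switches it collapses the noisy 2889 events into one row per client IP, account and bind type so the list of applications to fix is readable. The parameter names, the CSV file name and the assumption that a 2889 event's data fields are client IP:port, account and binding type (0 = unsigned SASL, 1 = simple/cleartext), which is the layout Microsoft's script also relies on, are this example's own.

```powershell
# Added example, not the article's commands or Microsoft's Query-InsecureLDAPBinds.ps1.
# Toggles the "16 LDAP Interface Events" diagnostic level on a DC for a short capture
# window, then collapses the noisy 2889 events into one row per client IP, account and
# bind type and writes a CSV. Assumptions: admin rights to the DC (WinRM if remote),
# and the 2889 EventData layout (client IP:port, account, binding type where
# 0 = unsigned SASL and 1 = simple/cleartext) that Microsoft's script also relies on.
[CmdletBinding()]
param(
    [string]$ComputerName = $env:COMPUTERNAME,
    [int]$Hours = 24,
    [string]$OutFile = ".\InsecureLDAPBinds-$ComputerName.csv",
    [switch]$EnableLogging,   # set the diagnostic level to 2 and exit
    [switch]$DisableLogging   # set the diagnostic level back to 0 and exit
)

function Set-LdapInterfaceLogging {
    param([string]$Computer, [int]$Level)
    $sb = {
        param($Level)
        Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics' `
            -Name '16 LDAP Interface Events' -Value $Level -Type DWord
    }
    if ($Computer -eq $env:COMPUTERNAME) { & $sb $Level } else {
        Invoke-Command -ComputerName $Computer -ScriptBlock $sb -ArgumentList $Level
    }
}

if ($EnableLogging) {
    Set-LdapInterfaceLogging $ComputerName 2
    Write-Output "LDAP interface logging enabled on $ComputerName; run again with -DisableLogging after the capture window."
    return
}
if ($DisableLogging) {
    Set-LdapInterfaceLogging $ComputerName 0
    Write-Output "LDAP interface logging disabled on $ComputerName."
    return
}

$events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
    LogName   = 'Directory Service'
    Id        = 2889
    StartTime = (Get-Date).AddHours(-$Hours)
} -ErrorAction SilentlyContinue
if (-not $events) {
    Write-Output "No 2889 events on $ComputerName in the last $Hours hours (is logging enabled?)."
    return
}

# One row per raw event.
$rows = foreach ($e in $events) {
    $data   = ([xml]$e.ToXml()).Event.EventData.Data
    $client = [string]$data[0]                  # "ip:port"
    $sep    = $client.LastIndexOf(':')
    $bind   = switch ([string]$data[2]) {
        '0'     { 'Unsigned SASL' }
        '1'     { 'Simple (cleartext)' }
        default { "Unknown ($_)" }
    }
    [pscustomobject]@{
        TimeCreated = $e.TimeCreated
        ClientIP    = $client.Substring(0, $sep)
        ClientPort  = $client.Substring($sep + 1)
        Account     = [string]$data[1]
        BindType    = $bind
    }
}

# Collapse to one row per client/account/bind type; that is the list to work through.
$summary = $rows | Group-Object ClientIP, Account, BindType | ForEach-Object {
    $sorted = @($_.Group | Sort-Object TimeCreated)
    [pscustomobject]@{
        ClientIP  = $sorted[0].ClientIP
        Account   = $sorted[0].Account
        BindType  = $sorted[0].BindType
        Count     = $_.Count
        FirstSeen = $sorted[0].TimeCreated
        LastSeen  = $sorted[-1].TimeCreated
    }
} | Sort-Object Count -Descending

$summary | Export-Csv -Path $OutFile -NoTypeInformation
$summary | Format-Table -AutoSize
Write-Output "Wrote $($summary.Count) distinct insecure-bind sources to $OutFile"
```

Typical use is three runs: once with -EnableLogging, once after the capture window (for example -ComputerName dc1.contoso.com -Hours 1) to produce the CSV, and once with -DisableLogging so the Directory Service log returns to its normal volume. Each ClientIP and Account pair in the CSV maps to an application or service account whose LDAP connection needs signing or LDAPS before the policy is switched to Require signing.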