How can I prevent insecure user authentication via ADSI or LDAP/S and other potential security vulnerabilities due to Unauthenticated Binds in Windows Active Directory (AD)?
By default, Windows Server domain controllers accept unauthenticated binds in Active Directory. An unauthenticated bind is an LDAP simple bind that supplies a valid username (DN) together with a blank password; rather than rejecting it, the server completes the bind as an "anonymous user". The LDAP protocol recognizes this as legitimate but insecure behavior, and a client application that forwards a user-supplied empty password and treats a successful bind as proof of identity can be tricked by a malicious user. To mitigate this, Microsoft added the ability to disable unauthenticated binds starting with Windows Server 2019.
To harden your AD environment, disable unauthenticated binds on your domain controllers. This ensures that a blank-password bind is rejected instead of being accepted as anonymous, closing the authentication weakness described above.
Note: The setting takes effect immediately and does NOT require a reboot of your server.
Note: You must ensure that all domain controllers or Lightweight Directory Services (LDS) servers are upgraded to Windows Server 2019 or later to utilize this feature. This change enhances security by preventing unauthenticated access to your AD environment.
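The following PowerShell audit-and-remediate script is an added example, not part of the original article. It assumes the RSAT ActiveDirectory module is installed, that the account running it can modify the Directory Service object in the configuration partition, and that the forest's domain controllers already meet the Windows Server 2019 requirement above; the setting it manages is the DenyUnauthenticatedBind value of the msDS-Other-Settings attribute.

```powershell
# Added example: check whether unauthenticated LDAP binds are denied forest-wide
# and, if not, enable the DenyUnauthenticatedBind setting (Windows Server 2019+).
Import-Module ActiveDirectory

# The setting lives on the Directory Service object in the configuration partition.
$configNC  = (Get-ADRootDSE).configurationNamingContext
$dsObject  = "CN=Directory Service,CN=Windows NT,CN=Services,$configNC"
$attribute = 'msDS-Other-Settings'

# msDS-Other-Settings is multi-valued; each value is a Name=Value string.
$current = (Get-ADObject -Identity $dsObject -Properties $attribute).$attribute
$existing = $current | Where-Object { $_ -like 'DenyUnauthenticatedBind=*' }

if ($existing -eq 'DenyUnauthenticatedBind=1') {
    Write-Output 'Unauthenticated binds are already denied. No change made.'
}
else {
    if ($existing) {
        # Remove the stale DenyUnauthenticatedBind=0 entry before adding the new one.
        Set-ADObject -Identity $dsObject -Remove @{ $attribute = $existing }
    }
    Set-ADObject -Identity $dsObject -Add @{ $attribute = 'DenyUnauthenticatedBind=1' }
    Write-Output 'DenyUnauthenticatedBind=1 set. Takes effect immediately; no reboot needed.'
}

# Re-read the attribute so the final state is visible in the output.
(Get-ADObject -Identity $dsObject -Properties $attribute).$attribute |
    Where-Object { $_ -like 'DenyUnauthenticatedBind=*' }
```

Run the read-only portion first (everything before the if/else) during a change review; the write is forest-wide because the configuration partition replicates to every domain controller.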