How To Prevent Insecure ADSI/LDAP User Authentication



Question

How can I prevent insecure user authentication via ADSI or LDAP/S and other potential security vulnerabilities due to Unauthenticated Binds in Windows Active Directory (AD)?


Reasoning

By default, Windows Active Directory accepts unauthenticated binds, and this default is a security weakness. An unauthenticated bind supplies a valid username with a blank password; instead of rejecting it, the directory treats the session as an "anonymous user". An application that uses the bind result as its login check and does not itself reject empty passwords will therefore let a malicious user in with nothing more than a valid username. The LDAP protocol recognizes this as legitimate, but insecure, behavior. To mitigate this, Microsoft added the ability to disable unauthenticated binds starting with Windows Server 2019.


Answer

To enhance security in your AD environment, it is recommended to disable unauthenticated binds on your Windows AD server. This ensures that a valid username with a blank password can no longer bind as an anonymous user, closing the vulnerability described above.


Pre-requisites

Access to a domain-joined server with Windows Server 2019 or later
ADSIEdit.msc tool installed (part of Windows Server)
Administrative privileges on the Windows Active Directory server


Steps

  1. Open ADSIEdit (Run, adsiedit.msc)

  2. Connect to the Configuration partition:
     1. In the ADSIEdit window, right-click on ADSI Edit and select Connect to...
     2. Choose Configuration under the "Select a well-known Naming Context" dropdown and click OK

  3. Navigate to the Directory Service properties:
     1. Expand Configuration -> CN=Configuration -> CN=Services -> CN=Windows NT
     2. Right-click on CN=Directory Service and select Properties

  4. Modify the msDS-Other-Settings attribute:
     1. In the Properties window, locate the msDS-Other-Settings attribute
     2. Click Edit and add a new entry: "DenyUnauthenticatedBind=1"
     3. Click OK to save the changes

Note: The setting takes effect immediately and does NOT require a reboot of your server

  5. Attempt to log in using an FTPS, HTTPS, or SFTP client (OpenSSH, WebUI, WinSCP, etc.) and an AD or LDAP user account without a password; the login should fail, confirming that unauthenticated binds are disabled

Note:
All domain controllers or Lightweight Directory Services (LDS) servers must be upgraded to Windows Server 2019 or later before this feature can be used. This change enhances security by preventing unauthenticated access to your AD environment.
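The same change can be applied and verified from PowerShell instead of ADSIEdit, which is useful when you have many domain controllers to audit. The block below is an added example, not code from the original article or from the Titan product; it assumes the ActiveDirectory RSAT module and Domain Admin rights, and the server and account names it uses ("dc01.example.local", "svc-test@example.local") are placeholders you replace with your own. The second function reproduces the final step of the procedure: a simple bind with a valid username and an empty password, which must be rejected once DenyUnauthenticatedBind=1 is in place.

```powershell
# Added example (not from the original article): set and verify
# DenyUnauthenticatedBind on the Directory Service object with PowerShell.
# Assumes the ActiveDirectory module (RSAT) and Domain Admin rights.
Import-Module ActiveDirectory

# The same object the article navigates to in ADSIEdit:
# CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=...
$configNC = (Get-ADRootDSE).configurationNamingContext
$dsDn     = "CN=Directory Service,CN=Windows NT,CN=Services,$configNC"

function Get-DenyUnauthenticatedBindEntry {
    # msDS-Other-Settings is multi-valued; each value has the form Name=Value
    $obj = Get-ADObject -Identity $dsDn -Properties 'msDS-Other-Settings'
    return $obj.'msDS-Other-Settings' |
        Where-Object { $_ -like 'DenyUnauthenticatedBind=*' } |
        Select-Object -First 1
}

function Set-DenyUnauthenticatedBind {
    $current = Get-DenyUnauthenticatedBindEntry
    if ($current -eq 'DenyUnauthenticatedBind=1') {
        Write-Host 'DenyUnauthenticatedBind=1 is already set'
        return
    }
    if ($current) {
        # Drop a stale entry such as DenyUnauthenticatedBind=0 before adding ours
        Set-ADObject -Identity $dsDn -Remove @{ 'msDS-Other-Settings' = $current }
    }
    # Equivalent of step 4 in the article: add the new entry to the attribute
    Set-ADObject -Identity $dsDn -Add @{ 'msDS-Other-Settings' = 'DenyUnauthenticatedBind=1' }
    Write-Host 'Set DenyUnauthenticatedBind=1 (takes effect immediately, no reboot)'
}

function Test-UnauthenticatedBindRejected {
    param(
        [string]$Server = 'dc01.example.local',    # placeholder: a DC to check
        [string]$User   = 'svc-test@example.local'  # placeholder: any valid account
    )
    Add-Type -AssemblyName System.DirectoryServices.Protocols
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($Server)
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Basic
    # A valid user name with an EMPTY password is exactly an unauthenticated bind
    $conn.Credential = New-Object System.Net.NetworkCredential($User, '')
    try {
        $conn.Bind()
        Write-Warning "Unauthenticated bind ACCEPTED by $Server - setting is not effective here"
        return $false
    } catch [System.DirectoryServices.Protocols.LdapException] {
        Write-Host "Unauthenticated bind rejected by $Server : $($_.Exception.Message)"
        return $true
    } finally {
        $conn.Dispose()
    }
}

# Usage:
#   Set-DenyUnauthenticatedBind
#   Test-UnauthenticatedBindRejected -Server 'dc01.example.local' -User 'svc-test@example.local'
```

Run Test-UnauthenticatedBindRejected against every domain controller, not just the one you changed: the setting lives in the Configuration partition and replicates, but a DC still running an older Windows Server version ignores it, which is why the note above requires 2019 or later everywhere. Applications that authenticate users with an LDAP bind should also reject empty passwords on their own side, so that they remain safe against any directory that has not been hardened.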

