How to Easily Spot LDAP Clear Text Binds Before the Windows Update

NOTE: Microsoft says it is delaying the forced changes to LDAP behavior until the second half of 2020, and recommends that customers use this time to audit and fix affected applications now.

Sending LDAP passwords in clear text has never been a good idea because it makes it easy for attackers with the ability to sniff network traffic to steal credentials. But unfortunately, in large organizations, it is extremely tedious to identify and fix all the applications that still use this insecure method of LDAP binding. And if no one is complaining, it's easy to put off these types of basic cyber hygiene practices.

For better or worse, a Windows update due in the second half of 2020 is going to bring the issue to the forefront of IT agendas. The security update will change the default settings to reject LDAP requests that use Simple Authentication and Security Layer (SASL) binds, locking out users from applications that use that method.

What's going to break in your environment?

To answer that question, Microsoft recommends that sysadmins turn on in-depth diagnostic logging on their domain controllers to identify offending applications, as described in this Windows security blog post. It's a noisy process, likely to cause a flood of events into the Directory Service event log.

The blog post advises sysadmins to turn it on for short periods to identify and remediate the noisiest offenders first. In cases where you can fix applications, this is time-consuming. In other cases where the applications or devices are from a third party, getting the vendor to fix the application could be nerve-wracking. See this r/sysadmin thread for the handwringing!

Simple questions answered easily

For ExtraHop customers, there's a much easier way to identify offenders—even in the largest environments. SASL Authentication Mechanisms are among the 5,000+ pieces of L2-L7 metadata that ExtraHop extracts from network traffic in real time, enabling Security and IT Operations staff to simply audit their network for LDAP simple binds performed on clear text.

In the user interface, follow Assets → Activity → LDAP → Servers. Under Top SASL Authentication Mechanisms, click Simple and then Records. If you want to see if this is a serious problem (passwords used in clear text), you can download the PCAPs for inspection. Check out the video below to see a quick demo, showing how easy this is.

Note for customers decrypting LDAP traffic with ExtraHop: Simple auth is safe when paired with TLS, so if you're decrypting traffic, there's another step to take. LDAP Request records with a Server Port of 636 can typically be ignored, since this conventionally means TLS is in use. For a given LDAP Request record using Simple auth, add a filter on the Flow value, then remove any Record Type restriction. If an SSL Open record shows up, that indicates that LDAP is being decrypted and Simple auth is safe. Alternatively, if a Flow record shows up with an L7 Protocol of "LDAP" (instead of "LDAP-SSL"), this indicates plaintext LDAP auth is in use, and further remediation steps are necessary.

Providing easy-to-access visibility into your environment, even into encrypted LDAP traffic, is something every network detection and response (NDR) solution should do, in addition to detecting threats on the network.

ExtraHop Reveal(x) offers excellent visibility to help you identify and remove risk. In addition to LDAP passwords sent in the clear, Reveal(x) can help you find:

• Vulnerable protocols, such as SMB1, telnet, and unencrypted FTP
• RDP servers communicating to the Internet you didn't know about
• Unmanaged DNS servers
• Service accounts that you thought you had disabled
• Devices running older versions of Windows that aren't in your CMDB
• Weak cipher suites (or cases where traffic should be encrypted, but isn't)
• Soon-to-expire SSL/TLS certificates

Hear how an LDAP(/blog/how-a-higher-ed-institution-validates-security-incidents/)