Securing LDAP over SSL Safely [Windows Server 2019]

Published: 22 January 2021
Channel: OsbornePro TV
38,396 views
448 likes


NOTE: You do not need to install the Active Directory Lightweight Directory Services (AD LDS) role for LDAP over SSL to be used. Feel free to skip that part of the video. If you have already installed the role, it is safe to remove it.

I (tobor) cover the configuration, templates, group policy, and reasons for configuring LDAP over SSL in your domain environment. I also cover the process to go through in order to set up LDAP over SSL without breaking connections with clients or the server. If you like what you see, please Subscribe!

SCRIPT TO AUTO-RENEW AND UPDATE LDAPS CERT
https://github.com/tobor88/PowerShell...

ENABLE LDAP LOGGING COMMAND
IN POWERSHELL (the "16 LDAP Interface Events" value already exists with data 0, so it must be overwritten)
New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics" -Name "16 LDAP Interface Events" -Value 2 -PropertyType DWORD -Force
OR IN CMD
Reg Add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics /v "16 LDAP Interface Events" /t REG_DWORD /d 2 /f

After some time has passed (so that the policy has been applied to all devices on the domain, including ones that may not currently be on, such as laptops), make sure you do not see any reports of unsigned connections in your Domain Controllers' Event Log:
Event ID 2085: LDAP over SSL connection could not be established with client
Event ID 2889: logged each time a client computer attempts an unsigned LDAP bind
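As an added example (not code from the video or the linked repository), the following PowerShell script sets the logging value above and then summarizes Event ID 2889 entries from the Directory Service log by client IP and identity, so you can see which hosts or applications still bind without signing before moving the DC policy to "Require signing". It assumes an elevated session on the domain controller and the standard wording of the 2889 message ("Client IP address:", "authenticate as:", "Binding Type:"); the parameter names are my own.

```powershell
# Added example: enable LDAP interface event logging, then report unsigned binds (Event ID 2889).
param(
    [int]$Days = 7,          # how far back to search the Directory Service log
    [switch]$EnableLogging   # set "16 LDAP Interface Events" to 2 (Basic) before reporting
)

if ($EnableLogging) {
    # The value exists by default with data 0, so Set-ItemProperty overwrites it in place.
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics' `
        -Name '16 LDAP Interface Events' -Value 2 -Type DWord
}

# Event 2889 is written to the "Directory Service" log on the DC, one entry per unsigned bind.
$filter = @{ LogName = 'Directory Service'; Id = 2889; StartTime = (Get-Date).AddDays(-$Days) }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Output "No Event ID 2889 entries in the last $Days day(s)."
    return
}

# Assumption: message layout matches the standard 2889 text; unknown fields fall back to 'unknown'.
$parsed = foreach ($e in $events) {
    $msg  = $e.Message
    $ip   = if ($msg -match 'Client IP address:\s*(\S+)') { $Matches[1] -replace ':\d+$', '' } else { 'unknown' }
    $id   = if ($msg -match 'authenticate as:\s*([^\r\n]+)') { $Matches[1].Trim() } else { 'unknown' }
    $type = if ($msg -match 'Binding Type:\s*(\d+)') {
        switch ($Matches[1]) { '0' { 'SASL bind without signing' } '1' { 'Simple bind over cleartext' } default { $Matches[1] } }
    } else { 'unknown' }
    [pscustomobject]@{ Time = $e.TimeCreated; ClientIP = $ip; Identity = $id; BindingType = $type }
}

# One row per client/identity pair: these are the systems to fix before requiring signing.
$parsed | Group-Object ClientIP, Identity | ForEach-Object {
    [pscustomobject]@{
        ClientIP    = $_.Group[0].ClientIP
        Identity    = $_.Group[0].Identity
        BindingType = $_.Group[0].BindingType
        Binds       = $_.Count
        LastSeen    = ($_.Group | Sort-Object Time -Descending)[0].Time
    }
} | Sort-Object Binds -Descending | Format-Table -AutoSize
```

Run it once with -EnableLogging, wait for the policy to reach laptops and other intermittently connected devices, then run it again without the switch; an empty report is the signal to change the GPO to "Require signing".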

0:00 Intro Summary
0:17 Why configure LDAP over SSL
0:37 Do NOT block LDAP communication
1:39 THIS PART NOT REQUIRED - Installing AD LDS Service on the server
2:24 THIS PART NOT REQUIRED - Begin Setup Wizard for AD LDS
4:16 THIS PART NOT REQUIRED - Define a service/user account to run AD LDS as
6:25 Finished installing
6:34 Create a Certificate Template to use for LDAPS
6:57 Duplicate Kerberos Authentication Template and set configuration
9:30 New Certificate Template to issue
9:53 Enroll and Assign LDAPS Certificate to the AD LDS Service
10:29 Force DC Replication to access new certificate template quickly
11:12 Export newly assigned certificate with the private key
12:50 Import Certificate in NTDS and ADAM_LDAPS services store
15:23 Restart the AD LDS Service
16:05 Current / Default Group Policy Settings
16:58 Configuring Clients to Negotiate LDAP signing
17:51 Open GPO Management Center and Create Policy
18:25 Configure Client GPO for Negotiate Signing
19:38 Test Client Communication with Domain Controller
20:10 Domain Controller Event Log Section Start
20:38 Enable LDAP logging on the domain controller
21:16 Watch Domain Controller Event log to discover LDAP usage
22:15 Event ID 2889
23:24 Common LDAP over SSL connection issue with external apps
24:07 After correcting errors change GPO setting on CLIENTS ONLY to Required signing
25:27 Verify new setting applied
25:57 DC Value is still set to "None" in Default DC Policy
26:48 Test Client Communication with DC again
27:09 Keep an eye on the DC event logs again
27:48 Configure the Default Domain Controller policy to "Required signing"
28:16 Testing LDAPS connections on Domain Controller with LDP.exe
29:36 Showing you the client LDAP Signing Requirements config setting
30:00 DO NOT DISABLE LDAP
30:14 Verify Domain Controllers new GPO settings applied
30:38 Do a client to server test with DC and Desktop on Require Signing
30:56 LDP.exe to verify DC is requiring LDAP over SSL
32:06 SSL Certificate Selection by the Domain Controller
33:07 Thanks for watching

INFORMATIONAL LINKS
https://support.microsoft.com/en-us/h...
https://docs.microsoft.com/en-us/trou...
https://support.microsoft.com/en-us/h...
https://docs.microsoft.com/en-us/wind...
https://social.technet.microsoft.com/...


View my Verified Certifications!
https://www.credly.com/users/robertho...

Follow us on GitHub!
https://github.com/tobor88
https://github.com/OsbornePro

Official Site
https://osbornepro.com/

Give Respect on HackTheBox!
https://www.hackthebox.eu/profile/52286

Like us on Facebook!
  / osborneprollc  

View PS Gallery Modules!
https://www.powershellgallery.com/pro...

The B.T.P.S. Security Package
https://btpssecpack.osbornepro.com/
