
Network security: LDAP client signing requirements

This policy, as the name indicates, only affects Windows computers acting as the LDAP client; the domain controller side is covered by the separate “Domain Controller: LDAP server signing requirements” policy. By default LDAP traffic is unsigned and unencrypted, which leaves it exposed to man-in-the-middle attacks and eavesdropping.

This setting controls whether the client requires the domain controller to sign the data it sends to the client, which lets the client verify that the data was not modified in transit. This matters because the client makes security decisions based on LDAP query results: for instance, member servers rely on LDAP queries to find out group membership or to determine which group policy objects should be applied.

If you configure this policy as None, the client will not require data signatures. Negotiate means the client will ask the domain controller for signing unless TLS/SSL has already been specified. “Require signature” means the client will only bind to domain controllers that negotiate LDAP data signing OR are using TLS/SSL. If the client established the LDAP connection over SSL, data signing is redundant. (Domain controllers support LDAP over SSL; see ??? for more details.)

See “Domain Controller: LDAP server signing requirements” for more information. 

Bottom line

Leave this setting configured at the default of Negotiate.
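The following PowerShell is an added audit and remediation helper, not part of this wiki page. It assumes the registry location Microsoft documents for this policy (HKLM\SYSTEM\CurrentControlSet\Services\LDAP, DWORD value LDAPClientIntegrity, where 0 = None, 1 = Negotiate signing, 2 = Require signing) and treats an absent value as the Negotiate default.

```powershell
# Added example (not from the wiki). Assumed registry backing for
# "Network security: LDAP client signing requirements":
#   HKLM\SYSTEM\CurrentControlSet\Services\LDAP, value LDAPClientIntegrity
#   0 = None, 1 = Negotiate signing (default), 2 = Require signing
$LdapKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LDAP'
$LdapName = 'LDAPClientIntegrity'
$Levels   = @{ 0 = 'None'; 1 = 'Negotiate signing'; 2 = 'Require signing' }
$Codes    = @{ None = 0; Negotiate = 1; Require = 2 }

function Get-LdapClientSigningPolicy {
    # Reads the effective client signing level and flags anything weaker
    # than the recommended Negotiate default.
    $raw = (Get-ItemProperty -Path $LdapKey -Name $LdapName -ErrorAction SilentlyContinue).$LdapName
    if ($null -eq $raw) { $raw = 1; $source = 'default (value absent)' }
    else                { $source = 'registry' }
    $level = if ($Levels.ContainsKey([int]$raw)) { $Levels[[int]$raw] } else { "Unknown ($raw)" }
    [pscustomobject]@{
        Computer   = $env:COMPUTERNAME
        RawValue   = [int]$raw
        Level      = $level
        Source     = $source
        # None means the client accepts unsigned, possibly tampered query results.
        Acceptable = ([int]$raw -ge 1)
    }
}

function Set-LdapClientSigningPolicy {
    [CmdletBinding(SupportsShouldProcess)]
    param([ValidateSet('None','Negotiate','Require')][string]$Level = 'Negotiate')
    $value = $Codes[$Level]
    if ($PSCmdlet.ShouldProcess("$LdapKey\$LdapName", "set to $value ($Level)")) {
        if (-not (Test-Path $LdapKey)) { New-Item -Path $LdapKey -Force | Out-Null }
        Set-ItemProperty -Path $LdapKey -Name $LdapName -Value $value -Type DWord
    }
}

# Usage: audit the local host, then preview remediation for any host left at None.
$state = Get-LdapClientSigningPolicy
$state | Format-List
if (-not $state.Acceptable) { Set-LdapClientSigningPolicy -Level Negotiate -WhatIf }
```

On a domain-joined machine a Group Policy setting will overwrite a local registry edit at the next refresh, so use the script for auditing and make the lasting change through the GPO that carries this policy.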
