Let's Get Started!

Find your vulnerabilities in LDAP today with StealthINTERCEPT for free!

Microsoft Vulnerability in LDAP Authentication – Stealthbits' Free Solution Can Help

How do I get started?

Fill out the form to begin. You will be contacted within 48 hours to deliver and deploy our software to identify all the places the LDAP vulnerability appears.


Hopefully, you’re aware of a vulnerability in the default configuration in LDAP that may expose Active Directory Domain Services (AD DS) and Active Directory Lightweight Directory Services (AD LDS) to elevation of privilege/man-in-the-middle type attacks (Read the note from Microsoft).

In the Security Advisory ADV190023, Microsoft recommends manually changing the settings on all domain controllers and the systems that make LDAP calls/queries to require signed binds until they release a security update/patch anticipated to “be available in March 2020.” In other words, "the update will reject Simple Authentication and Security Layer (SASL) LDAP binds that do not request signing (integrity verification) or to reject LDAP simple binds that are performed on a clear text (non-SSL/TLS-encrypted) connection."

Finding All ‘Nonsecure’ LDAP Queries Can be Challenging

If you follow the Microsoft security advisory recommendation and change the setting on all domain controllers, all nonsecure LDAP calls will be rejected. That could have some potentially serious business and operational effects depending on how many systems make nonsecure LDAP calls. The same challenge exists if you choose to wait for Microsoft’s update sometime around March 2020.

If all ‘nonsecure’ LDAP queries were rejected tomorrow, what impact would it have on your business and operations? Do you know which systems would be affected?

Copyright © 2020 All Rights Reserved 

Stealthbits Can Help!

Engage with the Stealthbits team to gain access to StealthINTERCEPT, our real-time policy enforcement solution designed to monitor and block unwanted and unauthorized activities in Active Directory. StealthINTERCEPT's LDAP module provides complete visibility into all ‘nonsecure’ LDAP queries. allowing you to not only determine whether or not the query was executed securely and where it was coming from, but what the query was actually requesting from the directory.

Using StealthINTERCEPT’s LDAP blocking functionality, organizations can also simulate the effect of the update in broad or selective ways, without actually modifying Active Directory configurations.

Let us know if we can help! We're standing by.