5c9b1fb7-3d92-4d13-be5f-13d7894e50d0
Unsigned network traffic is susceptible to man-in-the-middle attacks. In such attacks, an intruder captures packets between the server and the client device, modifies them, and then forwards them to the client device. Where LDAP servers are concerned, an attacker could cause a client device to make decisions that are based on false records from the LDAP directory. To lower the risk of such an intrusion in an organization's network, you can implement strong physical security measures to protect the network infrastructure. You could also implement Internet Protocol security (IPsec) Authentication Header mode, which performs mutual authentication and packet integrity for IP traffic to make all types of man-in-the-middle attacks extremely difficult.
https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/domain-controller-ldap-server-signing-requirements
https://www.stigviewer.com/stig/windows_server_2016/2018-03-07/finding/V-73629
To fix this, configure the policy value for:
Computer Configuration
|_ Windows Settings
|_ Security Settings
|_ Local Policies
|_ Security Options
|_ "Network security: LDAP client signing requirements" to "Negotiate signing" at a minimum.
More information: https://support.microsoft.com/en-us/help/935834/how-to-enable-ldap-signing-in-windows-server
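The following PowerShell script is an added example, not part of the original finding or of any Microsoft tooling. It audits the local value behind "Network security: LDAP client signing requirements" and, with the example's own -Remediate switch, raises it to the required minimum. The policy is stored as the REG_DWORD value LDAPClientIntegrity under HKLM\SYSTEM\CurrentControlSet\Services\LDAP (0 = None, 1 = Negotiate signing, 2 = Require signing), which is the same location the STIG checks inspect.

```powershell
<#
  Added example (not from the original finding text): audit the local
  "Network security: LDAP client signing requirements" setting and, with
  -Remediate, raise it to the required minimum.

  Backing registry value (REG_DWORD):
    HKLM\SYSTEM\CurrentControlSet\Services\LDAP\LDAPClientIntegrity
    0 = None, 1 = Negotiate signing, 2 = Require signing
  The -Remediate and -DesiredLevel parameters are this example's own.
  Run from an elevated session.
#>
[CmdletBinding()]
param(
    [switch]$Remediate,
    [ValidateSet(1, 2)]
    [int]$DesiredLevel = 1   # 1 = Negotiate signing (the page's minimum), 2 = Require signing
)

$RegPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\LDAP'
$ValueName = 'LDAPClientIntegrity'
$LevelName = @{ 0 = 'None'; 1 = 'Negotiate signing'; 2 = 'Require signing' }

function Get-LdapClientSigningLevel {
    # Returns the configured level, or $null when the value is absent.
    $item = Get-ItemProperty -Path $RegPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

function Test-LdapClientSigningCompliance {
    param([int]$Minimum = 1)
    $level = Get-LdapClientSigningLevel
    # An absent value means the policy is not explicitly configured; treat that
    # as a finding, just like any value below the required minimum.
    return ($null -ne $level) -and ($level -ge $Minimum)
}

function Set-LdapClientSigningLevel {
    param([int]$Level)
    if (-not (Test-Path $RegPath)) { New-Item -Path $RegPath -Force | Out-Null }
    New-ItemProperty -Path $RegPath -Name $ValueName -PropertyType DWord `
                     -Value $Level -Force | Out-Null
}

# Report the current state.
$before = Get-LdapClientSigningLevel
$label  = if ($null -eq $before) { 'not configured' } else { "$before ($($LevelName[$before]))" }
Write-Host "LDAPClientIntegrity is $label"

if (Test-LdapClientSigningCompliance -Minimum $DesiredLevel) {
    Write-Host "Compliant: level is at or above $DesiredLevel ($($LevelName[$DesiredLevel]))."
    exit 0
}

Write-Warning "Finding: LDAP client signing is below '$($LevelName[$DesiredLevel])'."
if (-not $Remediate) {
    Write-Host 'Re-run with -Remediate to set the value locally, or deploy the policy by GPO.'
    exit 1
}

# Remediate and verify the write took effect.
Set-LdapClientSigningLevel -Level $DesiredLevel
$after = Get-LdapClientSigningLevel
if ($null -ne $after -and $after -ge $DesiredLevel) {
    Write-Host "Set LDAPClientIntegrity to $after ($($LevelName[$after]))."
    exit 0
}
Write-Error 'Value did not change; check that the session is elevated.'
exit 1
```

Run it as `.\Check-LdapClientSigning.ps1` for an audit-only pass (exit code 1 marks a finding, which makes it usable from a compliance job), or `.\Check-LdapClientSigning.ps1 -Remediate -DesiredLevel 2` to require signing. On domain-joined hosts, prefer setting the policy in a GPO at the path shown above: a local registry edit is overwritten at the next Group Policy refresh if the domain policy defines the setting.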
STIG references
  Server:
    2022: https://stigviewer.com/stigs/microsoft_windows_server_2022/2025-01-14/finding/V-254476
    2019: https://stigviewer.com/stigs/microsoft_windows_server_2019/2025-01-15/finding/V-205920
  Desktop [The system must be configured to the required LDAP client signing level]:
    W11: https://stigviewer.com/stigs/microsoft_windows_11/2024-09-12/finding/V-253463
    W10: https://stigviewer.com/stigs/microsoft_windows_10/2024-11-25/finding/V-220939