LDAP Relay Attacks: Signing & Binding Guide
Why This Common Misconfiguration Could Cost You Your Domain
We discovered that the majority of our first time customers failed to enforce LDAP signing and channel binding. This single misconfiguration allows attackers to compromise entire Active Directory domains in minutes, yet it remains one of the most overlooked security controls.
If LDAP signing and channel binding aren't enforced on your domain controllers right now, an attacker with network access could potentially relay authentication requests, modify Active Directory, and achieve domain admin privileges.
The fix takes 30 minutes. The breach could cost millions.
TL;DR - What You Need to Know
The Security Flaw
Unsigned LDAP communications allow attackers to intercept and relay authentication
The Impact
Complete domain compromise, lateral movement, persistent access
The Fix
Enable LDAP signing (value: 2) and channel binding (value: 2) via Group Policy
The Timeline
Attackers exploit in under 5 minutes; remediation takes under 30 minutes
Understanding the Protection
LDAP Signing - Protecting Port 389
LDAP signing adds cryptographic signatures to LDAP packets, ensuring:
- ✓ Authentication integrity - Verifies client and server identities
- ✓ Data integrity - Prevents packet modification in transit
- ✓ Tamper protection - Invalidates altered packets
Result: Domain controllers reject any LDAP communication without a valid signature.
LDAP Channel Binding - Protecting Port 636
Channel binding secures LDAPS traffic by:
- ✓ Binding authentication to TLS - Links encrypted connection to authentication
- ✓ Preventing relay attacks - Captured credentials can't be used on different connections
- ✓ Validating certificates - Ties authentication to specific server certificate
Result: Even if credentials are captured, they cannot be relayed over different TLS connections.
LDAP Signing protects port 389 (standard LDAP)
Channel Binding protects port 636 (LDAPS)
Implementing only one leaves you vulnerable. Both must be enabled.
The Attack Chain: 5 Minutes to Domain Admin
1Network Access
Attacker gains internal network access via:
- Compromised workstation
- Rogue device on network
- VPN with stolen credentials
- Physical network access
2Capture Authentication
Active Coercion:
- PetitPotam - MS-EFSRPC protocol exploitation
- PrinterBug - MS-RPRN print spooler abuse
Passive Poisoning:
- LLMNR/NBT-NS - Name resolution poisoning
- DHCPv6 (mitm6) - IPv6 DNS server takeover
- WPAD - Proxy auto-discovery abuse
- mDNS - Multicast DNS spoofing
3Relay to Domain Controller
Attacker uses tools like ntlmrelayx to relay captured authentication to DC's LDAPS service (port 636)
Why it works: No LDAP signing + No channel binding = DC accepts relayed authentication
4Manipulate Active Directory
Now authenticated to the domain controller, the attacker can perform various malicious operations:
- Create Shadow Credentials - Add alternate authentication methods to accounts
- Modify ACLs - Grant themselves permissions to sensitive objects
- RBCD Attack - Configure resource-based constrained delegation for impersonation
- Add Computer Accounts - Create rogue domain-joined systems
- Dump Domain Info - Extract user lists, group memberships, and policies
- Grant Replication Rights - Enable DCSync attacks to dump all password hashes
Result: Multiple paths to privilege escalation and persistence
5Full Domain Compromise
- Dump credentials from memory
- Move laterally across systems
- Create persistent access
- Escalate to domain administrator
Total Attack Time: 5-15 Minutes
Real-World Impact
Operational Impact
- Complete domain compromise
- Unauthorized system access
- Sensitive data exposure
- Critical operation disruption
Financial Impact
- Incident response: $500K - $5M+
- Forensic investigations
- System rebuilding
- Lost productivity
Compliance Impact
- HIPAA violations
- PCI DSS failures
- GDPR breaches
- SOC 2 audit failures
Reputational Damage
- Customer trust erosion
- Partner relationship strain
- Competitive disadvantage
- Brand reputation harm
The Fix: Step-by-Step Implementation
- ☐ Test in non-production environment
- ☐ Identify all LDAP clients
- ☐ Check for legacy systems (10+ years old)
- ☐ Plan rollback strategy
- ☐ Schedule maintenance window
Method 1: Group Policy (Recommended)BEST
Step 1: Open Group Policy Management
gpmc.msc → Navigate to Domain Controllers OUStep 2: Create New GPO
Right-click Domain Controllers OU
→ "Create a GPO in this domain, and Link it here"
→ Name: "Domain Controller - LDAP Hardening"
→ Right-click → EditStep 3: Navigate to LDAP Settings
Computer Configuration
→ Policies
→ Windows Settings
→ Security Settings
→ Local Policies
→ Security OptionsStep 4: Enable LDAP Server Signing
Policy: "Domain controller: LDAP server signing requirements"
Setting: "Require signing"
→ Apply → OKStep 5: Enable Channel Binding
Policy: "Domain controller: LDAP server channel binding token requirements"
Setting: "Always"
→ Apply → OKStep 6: Apply Configuration
# On each domain controller
gpupdate /force
# Verify policy application
gpresult /h C:\GPResult.htmlMethod 2: Registry ConfigurationADVANCED
Registry Path
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters| Value Name | Type | Data | Meaning |
|---|---|---|---|
LDAPServerIntegrity |
DWORD | 2 | SECURE Require signing |
LdapEnforceChannelBinding |
DWORD | 2 | SECURE Always enforce |
# Restart NTDS service
Restart-Service NTDS -Force
# OR restart entire DC
Restart-Computer -ForceNote: NTDS restart temporarily interrupts authentication. Ensure multiple DCs or schedule during maintenance window.
Verification: Confirm It's Working
Important: After applying Group Policy changes, wait at least 15 minutes before testing to ensure:
- GPO changes have replicated across all domain controllers
- Policy refresh cycles have completed (DCs refresh every 5 minutes by default)
- Settings have been fully applied and are active
Even after running gpupdate /force, allow time for replication in multi-DC environments before verification.
Method 1: NetExec
netexec ldap <DC_IP> -u user -p pass -M ldap-checkerExpected:
LDAP Signing: REQUIRED
LDAPS Channel Binding: ALWAYSMethod 2: PowerShell
Get-ItemProperty -Path "HKLM:\...\NTDS\Parameters" |
Select LDAPServerIntegrity, LdapEnforceChannelBindingExpected:
LDAPServerIntegrity : 2
LdapEnforceChannelBinding : 2Monitoring & Compliance
Key Event IDs to Monitor
| Event ID | Location | Description | Action |
|---|---|---|---|
| 2889 | Directory Services | Unsigned LDAP bind attempt | Investigate |
| 3039 | Directory Services | LDAPS without channel binding | Update client |
| 2886 | Directory Services | 24hr unsigned bind summary | Review systems |
| 2887 | Directory Services | LDAP signing requirement changed | Audit change |
| 3040 | Directory Services | Channel binding requirement changed | Audit change |
Automated Monitoring Script
Use this PowerShell script to check for unsigned LDAP bind attempts in the last 24 hours. Run this regularly (daily or weekly) to identify systems that need updating before they cause authentication failures.
# Check for unsigned attempts in last 24 hours
Get-WinEvent -FilterHashtable @{
LogName='Directory Service'
ID=2889
StartTime=(Get-Date).AddDays(-1)
} | Select-Object TimeCreated, Message
# Optional: Export to CSV for analysis
Get-WinEvent -FilterHashtable @{
LogName='Directory Service'
ID=2889
StartTime=(Get-Date).AddDays(-1)
} | Select-Object TimeCreated, @{Name='ClientIP';Expression={
if($_.Message -match 'Client:\s+(.+)') {$matches[1]}
}} | Export-Csv -Path "C:\LDAP_Unsigned_Binds.csv" -NoTypeInformationPro tip: Schedule this as a daily task and alert your security team when events are detected. This helps you proactively identify legacy systems before enforcement.
Ready to Secure Your Domain?
Don't wait for a breach to discover this security flaw
Frequently Asked Questions
Will this break anything?
In modern environments, no. All supported Windows operating systems and most enterprise applications support LDAP signing. However:
- Test in non-production first
- Very old applications (10+ years) may have issues
- Plan a maintenance window for initial deployment
Do I need both LDAP signing AND channel binding?
Yes, absolutely. They protect different attack vectors:
- LDAP Signing protects port 389 (standard LDAP)
- Channel Binding protects port 636 (LDAPS)
Attackers will exploit whichever protection is missing.
How do I know if I'm vulnerable?
Check with:
- NetExec LDAP checker module
- Registry value verification on each DC
- Professional penetration testing
- Event ID 2886 in Directory Services logs
Additional Resources
Microsoft Documentation
Security Guidance
Need Help?
Contact Strafe Cyber:
Email: contact@strafecybersecurity.com
Key Takeaways
Why Act Now
- ✓ Threat is real and actively exploited
- ✓ Attack is fast (under 5 minutes)
- ✓ Fix is simple (under 30 minutes)
- ✓ Protection is comprehensive
- ✓ Compatibility is high
Don't Wait For
- ✗ A security audit to flag it
- ✗ An actual attacker to exploit it
- ✗ A compliance failure
- ✗ A data breach
The question isn't whether you should enable LDAP signing and channel binding.
The question is: Why haven't you done it already?
Need Expert Help Securing Your Active Directory?
Strafe's security experts provide comprehensive AD security assessments, penetration testing, and remediation support tailored to your environment.
Security Assessment
Comprehensive AD security review and vulnerability identification
Penetration Testing
Real-world attack simulation and LDAP relay testing
Remediation Support
Step-by-step implementation and ongoing monitoring