
How To Prevent Insecure ADSI/LDAP User Authentication

Question

How can I prevent insecure user authentication via ADSI or LDAP/LDAPS, and the other security exposures that unauthenticated binds create in Windows Active Directory (AD)?

Reasoning

Windows Active Directory accepts unauthenticated binds by default. In an unauthenticated bind, a client presents a valid username together with a blank password; instead of rejecting the request, the directory completes the bind as an anonymous user. Any application that treats a successful bind as proof that the user's password was correct can therefore be fooled into granting access with no password at all. The LDAP protocol (RFC 4513) recognizes this as legitimate but insecure behavior. To mitigate it, Microsoft added the ability to refuse unauthenticated binds starting with Windows Server 2019.

Answer

To enhance security in your AD environment, disable unauthenticated binds on your Windows AD domain controllers. With the setting in place, a bind that supplies a blank password is refused outright rather than being downgraded to an anonymous session, which closes the gap described above.

Pre-requisites

Access to a domain-joined server with Windows Server 2019 or later
ADSIEdit.msc tool installed (part of Windows Server)
Administrative privileges on the Windows Active Directory server

 

Steps

  1. Open ADSIEdit (Run, adsiedit.msc).

  2. Connect to the Configuration partition:
     a. In the ADSIEdit window, right-click ADSI Edit and select Connect to...
     b. Choose Configuration under the "Select a well-known Naming Context" dropdown and click OK.

  3. Navigate to the Directory Service properties:
     a. Expand Configuration -> CN=Configuration -> CN=Services -> CN=Windows NT
     b. Right-click CN=Directory Service and select Properties.

  4. Modify the msDS-Other-Settings attribute:
     a. In the properties window, locate the msDS-Other-Settings attribute.
     b. Click Edit and add a new entry with the value DenyUnauthenticatedBind=1 (enter it without quotes).
     c. Click OK to save the changes.

Note: The setting takes effect immediately and does NOT require a reboot of your server.

  5. Attempt to log in using an FTPS, HTTPS, or SFTP client (OpenSSH, WebUI, WinSCP, etc.) with an AD or LDAP user account and no password; the login should fail, confirming that unauthenticated binds are disabled.

Note:
All domain controllers, or all Active Directory Lightweight Directory Services (AD LDS) instances, must be running Windows Server 2019 or later to use this feature; servers on earlier versions do not implement the setting and will continue to accept unauthenticated binds. Once every server honors it, the change prevents unauthenticated access to your AD environment.
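The same change and the confirmation from step 5, carried out from PowerShell instead of ADSI Edit, as an added example that is not part of the original article. It assumes the RSAT ActiveDirectory module, an account permitted to modify the Configuration partition, and the constructed names dc01.example.local and svc-ldap@example.local.

```powershell
# Added example (not from the article): audit/set DenyUnauthenticatedBind with the
# ActiveDirectory module instead of ADSI Edit, then confirm a blank-password bind fails.
# Assumes RSAT (ActiveDirectory module) and rights to edit the Configuration partition.
Import-Module ActiveDirectory
Add-Type -AssemblyName System.DirectoryServices.Protocols

# Same object the article edits: CN=Directory Service under CN=Windows NT,CN=Services
$configNC = (Get-ADRootDSE).configurationNamingContext
$dsDN     = "CN=Directory Service,CN=Windows NT,CN=Services,$configNC"

function Get-DenyUnauthenticatedBindEntries {
    # msDS-Other-Settings is multi-valued; each value is a "Name=Value" string
    $obj = Get-ADObject -Identity $dsDN -Properties 'msDS-Other-Settings'
    @($obj.'msDS-Other-Settings' | Where-Object { $_ -like 'DenyUnauthenticatedBind=*' })
}

function Enable-DenyUnauthenticatedBind {
    $existing = Get-DenyUnauthenticatedBindEntries
    if ($existing -contains 'DenyUnauthenticatedBind=1') {
        Write-Host 'Already hardened: DenyUnauthenticatedBind=1 is present'
        return
    }
    if ($existing.Count -gt 0) {
        # Drop a stale DenyUnauthenticatedBind=0 entry so only one value remains
        Set-ADObject -Identity $dsDN -Remove @{ 'msDS-Other-Settings' = $existing }
    }
    Set-ADObject -Identity $dsDN -Add @{ 'msDS-Other-Settings' = 'DenyUnauthenticatedBind=1' }
    Write-Host 'Set DenyUnauthenticatedBind=1 (effective immediately, no reboot required)'
}

function Test-BlankPasswordBind {
    # Equivalent of step 5 without a file-transfer client: a simple bind that presents
    # a valid name and an empty password. After hardening, the DC must refuse it.
    param([string]$Server, [string]$UserPrincipalName)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($Server)
    $conn.SessionOptions.ProtocolVersion = 3
    $conn.AuthType   = [System.DirectoryServices.Protocols.AuthType]::Basic
    $conn.Credential = New-Object System.Net.NetworkCredential($UserPrincipalName, '')
    try     { $conn.Bind(); 'FAIL: blank-password bind was accepted (treated as anonymous)' }
    catch [System.DirectoryServices.Protocols.LdapException] { "OK: bind refused ($($_.Exception.Message))" }
    finally { $conn.Dispose() }
}

Enable-DenyUnauthenticatedBind
# Constructed names; replace with a DC and an ordinary user account in your own domain
Test-BlankPasswordBind -Server 'dc01.example.local' -UserPrincipalName 'svc-ldap@example.local'
```

Run the audit function alone on a read-only account first if you only want to report; a domain controller older than Windows Server 2019 will still report "FAIL" even after the attribute is set, which is the symptom of the note above.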
