How To Prevent Insecure ADSI/LDAP User Authentication
By default, Active Directory domain controllers accept LDAP unauthenticated binds. An unauthenticated bind is a simple bind that supplies a username (a DN, a UPN or DOMAIN\user) together with an empty password. The directory never checks the password at all: it treats the request as an anonymous bind, hands the client an anonymous session and reports success. The weakness is therefore not in AD itself but in any application that uses "did the bind succeed?" as its authentication check, a common pattern in ADSI and LDAP login code: such an application can be logged into with nothing more than a username and a blank password. The LDAP protocol (RFC 4513, section 5.1.2) defines this as legitimate behavior but recommends that servers reject it by default for exactly this reason. Microsoft added a switch to refuse unauthenticated binds in Windows Server 2019, for both AD DS and AD LDS; earlier versions always accept them.
This page shows how to prevent insecure user authentication via ADSI or LDAP/LDAPS, and the other exposure that unauthenticated binds create, by turning them off in Windows Active Directory (AD).
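The application side of the problem, as an added example that is not code from the original page: a PowerShell credential check of the kind a script or web application might run against AD, in the vulnerable form the paragraph above describes and in a hardened form that refuses an empty password before binding and then confirms who the directory thinks it is. The domain controller name dc01.corp.example, the user DN and the function names are assumed placeholders; it assumes Windows PowerShell on a domain-joined machine and LDAPS (port 636) on the DC.

```powershell
# Added example (not from the original page): vulnerable vs. hardened simple-bind
# password check. dc01.corp.example and the DN below are assumed placeholders.
Add-Type -AssemblyName System.DirectoryServices.Protocols

$LdapServer = 'dc01.corp.example'   # assumed domain controller, LDAPS on 636

function New-LdapsConnection {
    # Simple binds send the password in the clear, so they belong on LDAPS only.
    $id   = [System.DirectoryServices.Protocols.LdapDirectoryIdentifier]::new($LdapServer, 636)
    $conn = [System.DirectoryServices.Protocols.LdapConnection]::new($id)
    $conn.SessionOptions.SecureSocketLayer = $true
    $conn.SessionOptions.ProtocolVersion   = 3
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Basic   # simple bind
    return $conn
}

function Test-LdapPasswordVulnerable {
    param([string]$UserName, [string]$Password)
    # VULNERABLE: "the bind did not throw" is taken to mean "the password is right".
    # With $Password = '' the DC performs an unauthenticated bind: it never checks the
    # password, hands out an anonymous session and reports success, so this returns $true.
    $conn = New-LdapsConnection
    try {
        $conn.Bind([System.Net.NetworkCredential]::new($UserName, $Password))
        return $true
    } catch {
        return $false
    } finally {
        $conn.Dispose()
    }
}

function Test-LdapPassword {
    param([string]$UserName, [string]$Password)
    # HARDENED, part 1: never send an empty password. RFC 4513 defines
    # "non-empty name + empty password" as an unauthenticated (anonymous) bind, so the
    # only reliable place to reject it is before the request leaves the application.
    if ([string]::IsNullOrEmpty($UserName) -or [string]::IsNullOrEmpty($Password)) {
        return $false
    }
    $conn = New-LdapsConnection
    try {
        $conn.Bind([System.Net.NetworkCredential]::new($UserName, $Password))
        # HARDENED, part 2 (defence in depth): ask the DC who it thinks we are with the
        # LDAP "Who am I?" extended operation (OID 1.3.6.1.4.1.4203.1.11.3, RFC 4532).
        # An authenticated user gets an authorization identity such as "u:CORP\jdoe";
        # an anonymous session gets an empty one, which is treated as not authenticated.
        $req  = [System.DirectoryServices.Protocols.ExtendedRequest]::new('1.3.6.1.4.1.4203.1.11.3')
        $resp = $conn.SendRequest($req)
        if ($null -eq $resp.ResponseValue -or $resp.ResponseValue.Length -eq 0) { return $false }
        $authzId = [System.Text.Encoding]::UTF8.GetString($resp.ResponseValue)
        return -not [string]::IsNullOrWhiteSpace($authzId)
    } catch {
        # Any failure (bad password, DC unreachable, LDAPS problem) fails closed.
        return $false
    } finally {
        $conn.Dispose()
    }
}

# Usage with a placeholder account, against a DC that still allows unauthenticated binds:
#   Test-LdapPasswordVulnerable -UserName 'CN=jdoe,OU=Users,DC=corp,DC=example' -Password ''   # $true: login bypass
#   Test-LdapPassword           -UserName 'CN=jdoe,OU=Users,DC=corp,DC=example' -Password ''   # $false
```

The empty-password check is the fix that matters; the "Who am I?" call only guards against the directory granting an anonymous session for some other reason. ADSI code that performs a simple bind (for example DirectoryEntry with AuthenticationTypes.None) has the same weakness and needs the same check; code that authenticates with Negotiate (Kerberos/NTLM) does not send a simple bind and is not affected by this particular issue.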
Steps
- On a domain controller, open ADSI Edit (Run, adsiedit.msc).
- Connect to the Configuration partition:
  - In the ADSI Edit window, right-click ADSI Edit and select Connect to...
  - Under "Select a well known Naming Context", choose Configuration and click OK.
- Navigate to the Directory Service object:
  - Expand Configuration -> CN=Configuration -> CN=Services -> CN=Windows NT.
  - Right-click CN=Directory Service and select Properties.
- Modify the msDS-Other-Settings attribute:
  - In the properties window, locate the msDS-Other-Settings attribute and click Edit.
  - The attribute is multi-valued and already holds other directory settings; leave those in place. Add the entry DenyUnauthenticatedBind=1 (if an entry DenyUnauthenticatedBind=0 is already listed, change it to 1 rather than adding a second entry).
  - Click OK to save the changes.
Note: The setting takes effect immediately and does NOT require a reboot of your server. It lives in the Configuration partition, so it is forest-wide and replicates to every domain controller; each DC starts enforcing it once the change has replicated to it.
Note: All domain controllers (or AD LDS instances) must be running Windows Server 2019 or later for this feature to be effective. Earlier versions do not understand the setting and keep accepting unauthenticated binds, so verify each DC rather than assuming forest-wide coverage. Before enabling it, look for applications that rely on a name-plus-blank-password bind (they will start failing to bind) and fix them to use real credentials. The setting affects only unauthenticated binds; true anonymous binds (empty name and empty password) are unchanged and, by default, can still read only rootDSE. With that in place, the directory itself refuses the bind that made the insecure application check exploitable.
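The same change made from PowerShell, as an added example that is not part of the original page: it sets DenyUnauthenticatedBind=1 with the ActiveDirectory module instead of ADSI Edit, preserving the other entries in the multi-valued attribute, and then probes every DC in the domain with a name-plus-blank-password bind so that DCs that still accept it (for example ones older than Windows Server 2019) show up. The probe name CN=probe,DC=example,DC=invalid is a placeholder; it assumes the ActiveDirectory module, an account that can write the Configuration partition (Enterprise Admins) and LDAPS on port 636 on the DCs.

```powershell
# Added example (not from the original page): set DenyUnauthenticatedBind=1 via the
# ActiveDirectory module, then verify per DC. Assumes Enterprise Admin rights and LDAPS.
Import-Module ActiveDirectory
Add-Type -AssemblyName System.DirectoryServices.Protocols

$attr  = 'msDS-Other-Settings'
$value = 'DenyUnauthenticatedBind=1'
$dsObj = 'CN=Directory Service,CN=Windows NT,CN=Services,' + (Get-ADRootDSE).configurationNamingContext

# msDS-Other-Settings is multi-valued: add/remove individual entries instead of
# replacing the attribute, which would wipe the other settings stored in it.
$current = @((Get-ADObject -Identity $dsObj -Properties $attr).$attr)
if ($current -contains $value) {
    Write-Host "Already set: $value"
} else {
    $stale  = @($current | Where-Object { $_ -like 'DenyUnauthenticatedBind=*' })  # e.g. an existing =0 entry
    $params = @{ Identity = $dsObj; Add = @{ $attr = $value } }
    if ($stale.Count -gt 0) { $params['Remove'] = @{ $attr = $stale } }
    Set-ADObject @params        # Set-AD* cmdlets apply -Remove before -Add
    Write-Host "Set $value on $dsObj"
}

# Verification probe. An unauthenticated bind is a simple bind with any non-empty name
# and an empty password; the DC does not look the name up, so no real account is needed
# and no real password is ever sent.
function Test-UnauthenticatedBind {
    param([string]$Server)
    $id   = [System.DirectoryServices.Protocols.LdapDirectoryIdentifier]::new($Server, 636)
    $conn = [System.DirectoryServices.Protocols.LdapConnection]::new($id)
    $conn.SessionOptions.SecureSocketLayer = $true
    $conn.SessionOptions.ProtocolVersion   = 3
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Basic
    try {
        $conn.Bind([System.Net.NetworkCredential]::new('CN=probe,DC=example,DC=invalid', ''))
        return 'ALLOWED'   # bind succeeded: this DC still accepts unauthenticated binds
    } catch {
        # After the fix the DC rejects the bind and the reason lands here; a connection
        # or certificate failure shows up here too, so read the message, not just the verdict.
        return 'REFUSED: ' + $_.Exception.Message
    } finally {
        $conn.Dispose()
    }
}

# Probe every DC; pre-2019 DCs ignore the setting and will still report ALLOWED.
foreach ($dc in Get-ADDomainController -Filter *) {
    '{0,-30} {1,-28} {2}' -f $dc.HostName, $dc.OperatingSystem, (Test-UnauthenticatedBind -Server $dc.HostName)
}
```

Re-run the probe after replication has completed (repadmin /syncall, or simply wait) if a 2019+ DC still reports ALLOWED immediately after the change; an older DC reporting ALLOWED is the expected gap until it is upgraded or retired.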