Microsoft Windows' lack of encrypted LDAP support leaves your credentials exposed
Whether we are signing in at work, logging in to an app, or entering our credit card to purchase items, our personal information can be exposed every time we interact online. Think back to the last time you bought something on Amazon. The app secured your online purchase because the site administrators secured their site by installing a valid digital certificate. A digital certificate is a component of an electronic locking system used in computing called Public Key Infrastructure (PKI). That's what Amazon does today. Unfortunately, not all sites, including most work networks, are as secure as Amazon. When we connect desktops, laptops, tablets, and smartphones to our company networks to access documents, we assume that we are using the same PKI security facilities to connect, right? Not so fast.
Microsoft first released Windows Desktop in 1985, and shortly after, in 1993, released Windows Server. As company networks started to grow, there was a need to centrally manage usernames, passwords, and access permissions, so Microsoft created and released Active Directory (AD) for Windows 2000 Server. At the same time, Secure Sockets Layer (SSL) and its successor, Transport Layer Security (TLS), were being developed for data security within PKI to protect websites. Unable to take advantage of the SSL/TLS website data security model, AD was developed with an insecure protocol called Lightweight Directory Access Protocol (LDAP). This insecure protocol leaves Windows open to credential theft.
In contrast to making a secure encrypted purchase on Amazon, logging into your work domain using Windows can expose usernames, passwords, and all information exchanged with the AD server. LDAP is an insecure protocol, as identified in RFC 4513 back in 2006, so it requires additional security mechanisms to guard against threats and data exposure. The industry calls the secure version LDAPS, because it securely encrypts LDAP with SSL/TLS.
With the meteoric rise of cyber-attacks, data breaches, and ransomware, you would think by now all corporate network authentication would be using securely encrypted protocols like LDAPS, but you would be wrong. Today, Microsoft Windows clients continue to use insecure LDAP for authentication to AD servers, potentially exposing usernames, passwords, and session data, and remaining vulnerable to replay and Man-in-the-Middle (MITM) attacks. Over the years Microsoft has been patching Windows authentication methods to incrementally improve security, but as you can see from the table below, none of them is completely safe.
| Windows Authentication Method | Username | Password | Session Data | Replay/MITM |
|---|---|---|---|---|
| Simple Bind | Cleartext | Cleartext | Cleartext | Vulnerable |
| SASL + NTLM | Cleartext | Insecure Hash | Cleartext | Vulnerable |
| SASL + Kerberos | Cleartext | Secure Hash | Cleartext | Vulnerable |
| Kerberos Integrity | Cleartext | Secure Hash | Cleartext | Safe |
| Kerberos Privacy | Cleartext | Secure Hash | Safe | Safe |
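The table's first two columns come straight from how an LDAP BindRequest is encoded on the wire. The following Python decoder is an added example, not code from the original article or from Microsoft: it parses the BindRequest structure defined in RFC 4511 and reports which of the table's categories a bind falls into and what it exposes (the account name is in the clear for every bind type; the password is in the clear only for a simple bind). The sample messages are constructed inside the block and labelled as such; the DN, the mechanism name and the placeholder SASL token are assumptions made for the illustration.

```python
"""Classify LDAP BindRequest messages by the authentication choice they carry.

Minimal BER (ASN.1) decoder for the BindRequest structure defined in RFC 4511
section 4.2.  All sample messages are constructed inside this file; nothing here
is captured from a real network.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# BER tags used by LDAPMessage / BindRequest
TAG_SEQUENCE = 0x30
TAG_INTEGER = 0x02
TAG_OCTET_STRING = 0x04
TAG_BIND_REQUEST = 0x60   # [APPLICATION 0], constructed
TAG_AUTH_SIMPLE = 0x80    # authentication simple [0] OCTET STRING, primitive
TAG_AUTH_SASL = 0xA3      # authentication sasl [3] SaslCredentials, constructed


def _read_tlv(buf: bytes, pos: int) -> tuple[int, bytes, int]:
    """Return (tag, value, position after the element) for the BER element at buf[pos]."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _tlv(tag: int, value: bytes) -> bytes:
    """BER-encode one element (used only to build the constructed samples)."""
    if len(value) < 0x80:
        return bytes([tag, len(value)]) + value
    length_octets = len(value).to_bytes((len(value).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_octets)]) + length_octets + value


@dataclass
class BindInfo:
    message_id: int
    version: int
    name: str                     # DN or account name: sent in the clear for every bind type
    auth: str                     # "simple" or "sasl"
    sasl_mechanism: Optional[str]
    password_cleartext: bool      # True only for a simple bind
    password_len: int             # length only; a monitor must never log the secret itself


def parse_bind_request(msg: bytes) -> BindInfo:
    """Decode one LDAPMessage and return what its BindRequest reveals on the wire."""
    tag, body, _ = _read_tlv(msg, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("not an LDAPMessage (outer SEQUENCE missing)")
    tag, mid, pos = _read_tlv(body, 0)
    if tag != TAG_INTEGER:
        raise ValueError("messageID must be an INTEGER")
    message_id = int.from_bytes(mid, "big", signed=True)
    tag, op, _ = _read_tlv(body, pos)
    if tag != TAG_BIND_REQUEST:
        raise ValueError(f"protocolOp tag 0x{tag:02x} is not a BindRequest")
    _, ver, pos = _read_tlv(op, 0)
    version = int.from_bytes(ver, "big", signed=True)
    _, name, pos = _read_tlv(op, pos)
    tag, auth, _ = _read_tlv(op, pos)
    if tag == TAG_AUTH_SIMPLE:
        # RFC 4511: the simple password is a bare OCTET STRING with no protection at all
        return BindInfo(message_id, version, name.decode("utf-8"), "simple", None, True, len(auth))
    if tag == TAG_AUTH_SASL:
        _, mech, _ = _read_tlv(auth, 0)  # SaslCredentials.mechanism; the credentials token follows
        return BindInfo(message_id, version, name.decode("utf-8"), "sasl", mech.decode("utf-8"), False, 0)
    raise ValueError(f"unknown AuthenticationChoice tag 0x{tag:02x}")


def classify(msg: bytes) -> str:
    """Map a bind to the row label used in the table above."""
    info = parse_bind_request(msg)
    return "Simple Bind" if info.auth == "simple" else f"SASL + {info.sasl_mechanism}"


# --- constructed sample messages (not real captures; single-octet message ids only) ---

def build_simple_bind(message_id: int, dn: str, password: str) -> bytes:
    op = (_tlv(TAG_INTEGER, b"\x03")
          + _tlv(TAG_OCTET_STRING, dn.encode("utf-8"))
          + _tlv(TAG_AUTH_SIMPLE, password.encode("utf-8")))
    return _tlv(TAG_SEQUENCE, _tlv(TAG_INTEGER, bytes([message_id])) + _tlv(TAG_BIND_REQUEST, op))


def build_sasl_bind(message_id: int, mechanism: str, token: bytes) -> bytes:
    sasl = _tlv(TAG_OCTET_STRING, mechanism.encode("utf-8")) + _tlv(TAG_OCTET_STRING, token)
    op = _tlv(TAG_INTEGER, b"\x03") + _tlv(TAG_OCTET_STRING, b"") + _tlv(TAG_AUTH_SASL, sasl)
    return _tlv(TAG_SEQUENCE, _tlv(TAG_INTEGER, bytes([message_id])) + _tlv(TAG_BIND_REQUEST, op))


if __name__ == "__main__":
    samples = [
        build_simple_bind(1, "CN=alice,DC=corp,DC=example", "constructed-password"),
        build_sasl_bind(2, "GSS-SPNEGO", b"\x60\x00"),  # placeholder token, not a real SPNEGO blob
    ]
    for s in samples:
        info = parse_bind_request(s)
        print(f"{classify(s):22s} name={info.name!r} cleartext_password={info.password_cleartext}")
```

Two limits are worth knowing when using this as a check. First, it distinguishes only the simple-bind row from the SASL rows: whether SPNEGO ended up selecting NTLM or Kerberos, and whether integrity or privacy was negotiated, lives inside the opaque SASL token and is not decoded here. Second, it can only see binds that travel in the clear; over LDAPS the whole LDAPMessage is inside TLS, which is exactly the protection the rest of the article is about.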
Microsoft confirms in the article linked below that, "LDAP traffic is transmitted unsecured." Our field experience shows that every Windows desktop system exposes credential information.
In the article, Microsoft directs users to install a digital certificate on the AD server to improve the credential security of Windows desktops, but this is not the case. After following these instructions, we found no improvement in authentication security; the LDAP traffic was still insecure. After escalating to one of Microsoft's biggest Managed Service Providers (MSPs), as well as opening a case with Microsoft support, we were informed that full LDAP session encryption (LDAPS) is "not possible from our end and it would be an unsupported ask for us."
According to recent market research by T4, Windows is the leading desktop operating system, with a 78% market share totaling over 1.4 billion active devices worldwide. Without the ability to secure Windows authentication through LDAPS, the best we can do is update, patch, and configure our Windows machines to be as secure as possible.
If you are concerned about cyber-attacks, data breaches, and ransomware, the best place to start strengthening your security posture is eliminating weak user authentication methods. To find out if your business is using insecure authentication methods, email contact@dragonflycyber.com for a free cyber risk assessment score.