Hi all,
Many of you must have seen this:
I started looking at which systems are sending us LDAP queries, and since I'm lazy I wrote some PS.
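[PRE]
# Find which clients trigger event 2889 (LDAP Interface Events) on every DC in the domain.
# Needs the ActiveDirectory module locally (Get-ADDomain) and PS Remoting to each DC.
$cred = Get-Credential   # DA creds: the Reg Add below writes HKLM on every DC
$maxEvents = 5           # per-DC cap on events pulled back; raise it for a fuller picture

# Short host names of every DC (ReplicaDirectoryServers is FQDNs, domain part stripped).
$DCs = Get-ADDomain |
  Select-Object -ExpandProperty ReplicaDirectoryServers |
  ForEach-Object { $_.Split('.')[0] }

## Enable 2889 logs
$script1 = {
  # Diagnostics level 2 for "16 LDAP Interface Events" is what makes NTDS log 2889.
  # Nothing below turns it off again; set /d 0 afterwards if you only want a snapshot.
  Reg Add HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics /v "16 LDAP Interface Events" /t REG_DWORD /d 2 /f
  # OverwriteAsNeeded: once the 10MB log fills, the OLDEST entries are dropped, so pull
  # the data regularly or the early offenders disappear.
  Limit-EventLog -LogName 'Directory Service' -MaximumSize 10MB -OverflowAction OverwriteAsNeeded
}
Invoke-Command -Credential $cred -ComputerName $DCs -ScriptBlock $script1

# Fetch logs
$script2 = {
  param($Max)
  # The XML filter must use plain ASCII quotes; smart quotes inside the attribute
  # values are what makes the pasted version "break".
  $filter = @"
<QueryList>
  <Query Id="0" Path="Directory Service">
    <Select Path="Directory Service">*[System[Provider[@Name='Microsoft-Windows-ActiveDirectory_DomainService'] and (EventID=2889)]]</Select>
  </Query>
</QueryList>
"@
  # Event 2889 data: Properties[0] = client IP address, Properties[1] = client (identity).
  # Note the automatic variable is $_ (the pasted version lost the underscore).
  $ipaddr = @{ Label = 'IP Address'; Expression = { $_.Properties[0].Value } }
  $client = @{ Label = 'Client';     Expression = { $_.Properties[1].Value } }
  Get-WinEvent -FilterXml $filter -MaxEvents $Max | Select-Object $ipaddr, $client
}
# One row per event, grouped by the binding client so repeat offenders stand out.
Invoke-Command -Credential $cred -ComputerName $DCs -ScriptBlock $script2 -ArgumentList $maxEvents |
  Group-Object Client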
[/PRE]
Edit:
The XML filter as pasted above breaks; get a working copy from here: https://www.uvm.edu/~gcd/2010/11/event-data-mining-with-powershell/