Domain Member: LDAP client signing requirements

5c9b1fb7-3d92-4d13-be5f-13d7894e50d0

Unsigned network traffic is susceptible to man-in-the-middle attacks. In such attacks, an intruder captures packets between the server and the client device, modifies them, and then forwards them to the client device. Where LDAP servers are concerned, an attacker could cause a client device to make decisions that are based on false records from the LDAP directory. To lower the risk of such an intrusion in an organization's network, you can implement strong physical security measures to protect the network infrastructure. You could also implement Internet Protocol security (IPsec) Authentication Header mode, which performs mutual authentication and packet integrity for IP traffic to make all types of man-in-the-middle attacks extremely difficult.

https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/domain-controller-ldap-server-signing-requirements
https://www.stigviewer.com/stig/windows_server_2016/2018-03-07/finding/V-73629

Remediation

Change Group Policy: Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Network security: LDAP client signing requirements" to "Negotiate signing" at a minimum.
More information: https://support.microsoft.com/en-us/help/935834/how-to-enable-ldap-signing-in-windows-server
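An added PowerShell check for this setting (example code, not part of the original finding or the referenced STIGs): it reads the registry value that the Group Policy setting above writes, maps it to the policy names, reports compliance against the "Negotiate signing" minimum, and can apply the setting with -Remediate. The registry path and value name are taken from Microsoft's LDAP signing documentation, not from this page; the script assumes it is run in an elevated session.

```powershell
# Added example: audit (and optionally set) the LDAP client signing level.
# Registry location is from Microsoft's LDAP signing documentation, not this page.
param(
    [switch]$Remediate,
    [ValidateSet(1, 2)][int]$Desired = 1   # 1 = Negotiate signing, 2 = Require signing
)

$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\LDAP'
$ValueName = 'LDAPClientIntegrity'
$Levels    = @{ 0 = 'None'; 1 = 'Negotiate signing'; 2 = 'Require signing' }

function Get-LdapClientSigning {
    # Returns the configured level, or $null when the value is absent.
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

function Test-LdapClientSigning {
    param([int]$Minimum = 1)
    $current = Get-LdapClientSigning
    # The STIG check treats an absent value as a finding, so report it as non-compliant
    # even though Windows applies its built-in default in that case.
    $label = if ($null -eq $current) { 'not set (OS default applies)' } else { $Levels[$current] }
    [pscustomobject]@{
        Setting   = $ValueName
        Current   = $label
        Compliant = ($null -ne $current -and $current -ge $Minimum)
    }
}

$before = Test-LdapClientSigning -Minimum $Desired
$before | Format-Table -AutoSize

if ($Remediate -and -not $before.Compliant) {
    # Writes the same value the GPO sets. On a domain member a domain GPO will
    # overwrite this at the next policy refresh, so prefer fixing it in the GPO
    # and use this to verify what the policy actually applied.
    Set-ItemProperty -Path $KeyPath -Name $ValueName -Value $Desired -Type DWord
    Test-LdapClientSigning -Minimum $Desired | Format-Table -AutoSize
}
```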

STIG Server 2016: https://www.stigviewer.com/stig/windows_server_2016/2019-01-16/finding/V-73693
STIG Server 2019: https://www.stigviewer.com/stig/windows_server_2019/2020-06-15/finding/V-93303
STIG Desktop (Windows 10): https://www.stigviewer.com/stig/windows_10/2016-06-24/finding/V-63803