SCMdceba9b666c14ddc82c0454f16964d78

Monitor_SCMdceba9b666c14ddc82c0454f16964d78 (UnitMonitor)

This policy setting determines the level of data signing that is requested on behalf of clients that issue LDAP BIND requests.

Knowledge Base article:

External

http://go.microsoft.com/fwlink/?LinkId=243138

Element properties:

Target

Microsoft.KnowledgeServices.SCM.Windows.Server.2008.R2.Security

Parent Monitor

System.Health.ConfigurationState

Category

Alert

Enabled

True

Alert Generate

True

Alert Severity

Error

Alert Priority

Normal

Alert Auto Resolve

True

Monitor Type

Microsoft.KnowledgeServices.Library.PowerShellMonitorEx

Remotable

True

Accessibility

Public

Alert Message

Network security: LDAP client signing requirements

<Details>
<Content>This policy setting determines the level of data signing that is requested on behalf of clients that issue LDAP BIND requests, as follows: None. The LDAP BIND request is issued with the caller-specified options. Negotiate signing. If Transport Layer Security/Secure Sockets Layer (TLS/SSL) has not been started, the LDAP BIND request is initiated with the LDAP data signing option set in addition to the caller-specified options. If TLS/SSL has been started, the LDAP BIND request is initiated with the caller-specified options. Require signature. This level is the same as Negotiate signing. However, if the LDAP server's intermediate saslBindInProgress response does not indicate that LDAP traffic signing is required, the caller is told that the LDAP BIND command request failed. Note: This policy setting does not have any impact on ldap_simple_bind or ldap_simple_bind_s. No Microsoft LDAP clients that are included with Windows XP Professional use ldap_simple_bind or ldap_simple_bind_s to communicate with a domain controller. The possible values for the Network security: LDAP client signing requirements setting are: None Negotiate signing Require signature Not Defined

Consideration:
Unsigned network traffic is susceptible to man-in-the-middle attacks in which an intruder captures the packets between the client and server, modifies them, and then forwards them to the server. For an LDAP server, this susceptibility means that an attacker could cause a server to make decisions that are based on false or altered data from the LDAP queries. To lower this risk in your network, you can implement strong physical security measures to protect the network infrastructure. Also, you can make all types of man-in-the-middle attacks extremely difficult if you require digital signatures on all network packets by means of IPsec authentication headers.

Impact:
If you configure the server to require LDAP signatures you must also configure the client. If you do not configure the client it will not be able to communicate with the server, which could cause many features to fail, including user authentication, Group Policy, and logon scripts.

Recommendation:
Configure the Network Security: LDAP server signing requirements setting to Require signature.

Group Policy Path:
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network security: LDAP client signing requirements</Content>
<CollectedInformation>
<Info>
<Name>Recommended Value</Name>
<Value>Negotiate signing</Value>
</Info>
<Info>
<Name>Actual Value</Name>
<Value>{0}</Value>
</Info>
</CollectedInformation>
</Details>

RunAs

Default

Comment

SupportTopic=TBD;VersionNumber=1.0.0.1;

Source Code:

<UnitMonitor ID="Monitor_SCMdceba9b666c14ddc82c0454f16964d78" Comment="SupportTopic=TBD;VersionNumber=1.0.0.1;" Accessibility="Public" Enabled="true" Target="MicrosoftKnowledgeServicesSCMLibrary!Microsoft.KnowledgeServices.SCM.Windows.Server.2008.R2.Security" ParentMonitorID="Health!System.Health.ConfigurationState" Remotable="true" Priority="Normal" TypeID="KnowledgeServicesLibrary!Microsoft.KnowledgeServices.Library.PowerShellMonitorEx" ConfirmDelivery="true">

  <Category>Alert</Category>

  <AlertSettings AlertMessage="MonitorMessagedceba9b666c14ddc82c0454f16964d78">

    <AlertOnState>Error</AlertOnState>

    <AutoResolve>true</AutoResolve>

    <AlertPriority>Normal</AlertPriority>

    <AlertSeverity>Error</AlertSeverity>

    <AlertParameters>

      <AlertParameter1>$Data/Context/Property[@Name='ActualValue']$</AlertParameter1>

    </AlertParameters>

  </AlertSettings>

  <OperationalStates>

    <OperationalState ID="Success" MonitorTypeStateID="Success" HealthState="Success"/>

    <OperationalState ID="Error" MonitorTypeStateID="Error" HealthState="Error"/>

  </OperationalStates>

  <Configuration>

    <ScriptName>SCMdceba9b666c14ddc82c0454f16964d78.ps1</ScriptName>

    <Parameters>

      <Parameter>

        <Name>ActualValue</Name>

        <Value>$Target/Property[Type="MicrosoftKnowledgeServicesSCMLibrary!Microsoft.KnowledgeServices.SCM.Windows.Server.2008.R2.Security"]/NetworksecurityLDAPclientsigningrequirements$</Value>

      </Parameter>

    </Parameters>

    <ScriptBody><Script>





param($ActualValue)



$ErrorActionPreference = "Stop"



# Set up the arguments

$scriptargs = new-object psobject

$scriptargs | add-member NoteProperty "ActualValue" $ActualValue



# Set up the output

$global:scriptoutput = new-object psobject

$scriptoutput | add-member NoteProperty "ActualValue" ""

$unit = $null

$valueToFriendlyName = $null

$valueToFriendlyName += @{"" = "[Setting Not Present]"}

$valueToFriendlyName += @{"0" = "None"}

$valueToFriendlyName += @{"1" = "Negotiate signing"}

$valueToFriendlyName += @{"2" = "Require signature"}



function AdvisorRule($scriptargs, $scriptoutput)

{

	$ActualValue = $scriptargs.ActualValue



	if ($unit -ne $null)

	{

		$scriptoutput.ActualValue = $ActualValue + $unit

	}

	else

	{

		$scriptoutput.ActualValue = $valueToFriendlyName.$ActualValue

	}

}



AdvisorRule $scriptargs $scriptoutput



# set the output

$mom = new-object -comobject "MOM.ScriptAPI"

$bag = $mom.CreatePropertyBag()



if ($scriptoutput.ActualValue -ne $null)

{

	$bag.AddValue("ActualValue", $scriptoutput.ActualValue)

}



$bag



</Script></ScriptBody>

    <SnapIns/>

    <TimeoutSeconds>300</TimeoutSeconds>

    <Schedule>14403</Schedule>

    <ErrorExpression>

      <SimpleExpression>

        <ValueExpression>

          <Value Type="Integer">$Target/Property[Type="MicrosoftKnowledgeServicesSCMLibrary!Microsoft.KnowledgeServices.SCM.Windows.Server.2008.R2.Security"]/NetworksecurityLDAPclientsigningrequirements$</Value>

        </ValueExpression>

        <Operator>NotEqual</Operator>

        <ValueExpression>

          <Value Type="Integer">1</Value>

        </ValueExpression>

      </SimpleExpression>

    </ErrorExpression>

    <SuccessExpression>

      <Not>

        <Expression>

          <SimpleExpression>

            <ValueExpression>

              <Value Type="Integer">$Target/Property[Type="MicrosoftKnowledgeServicesSCMLibrary!Microsoft.KnowledgeServices.SCM.Windows.Server.2008.R2.Security"]/NetworksecurityLDAPclientsigningrequirements$</Value>

            </ValueExpression>

            <Operator>NotEqual</Operator>

            <ValueExpression>

              <Value Type="Integer">1</Value>

            </ValueExpression>

          </SimpleExpression>

        </Expression>

      </Not>

    </SuccessExpression>

  </Configuration>

</UnitMonitor>