question

0 Votes
CyrilMenigoz-2809 asked LimitlessTechnology-2700 answered

LDAP/LDAPS authentication Audit through win events

Hello,

I am looking for the best way to get information about the LDAP/LDAPS authentication from applications to my DC (2016).
I found:
- Event ID 2889 for LDAP requests
- Event ID 4624, which I plan to keep only if the logon type is "network logon" (3)

What else can I get? How can I get more information? How can I filter the 4624 events to only keep LDAP(S) requests to my DC?

Thanks in advance
windows-server-2016
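For the 4624 part of the question, the following PowerShell is an added example (not code from the asker or the answer) that pulls network logons (LogonType 3) from a DC's Security log and surfaces the fields that are actually useful for correlation: account, client address and authentication package. It assumes it runs on the DC (or against it with `-ComputerName`) with rights to read the Security log. One caveat it illustrates: 4624 carries no destination port or protocol, so a network logon cannot be attributed to LDAP rather than SMB or RPC from this event alone; the client address and the NTLM/Kerberos package are what you can join against the Directory Service events.

```powershell
# Added example: list network logons (4624, LogonType 3) on a DC and extract
# the fields useful for correlating with LDAP bind events.
# Assumes execution on the DC with read access to the Security log.

# XPath filter evaluated by the event log service, so only matching events are returned
$xpath = "*[System[EventID=4624] and EventData[Data[@Name='LogonType']='3']]"

$logons = Get-WinEvent -LogName Security -FilterXPath $xpath -MaxEvents 500 |
    ForEach-Object {
        # Convert the event to XML and flatten the named EventData fields into a hashtable
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time        = $_.TimeCreated
            Account     = "$($d.TargetDomainName)\$($d.TargetUserName)"
            ClientIP    = $d.IpAddress
            AuthPackage = $d.AuthenticationPackageName   # NTLM, Kerberos or Negotiate
            LogonProc   = $d.LogonProcessName
        }
    } |
    # Drop local loopback logons, which are never from an application on another host
    Where-Object { $_.ClientIP -notin @('-', '::1', '127.0.0.1') }

$logons | Sort-Object Time -Descending | Format-Table -AutoSize

# Which clients are authenticating most often: the starting point for asking
# each application owner whether that traffic is LDAP and whether it is signed/TLS
$logons | Group-Object ClientIP | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```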

1 Answer

0 Votes
LimitlessTechnology-2700 answered

Hello,

You may enable LDAP Signing for better security.

https://docs.microsoft.com/en-us/troubleshoot/windows-server/identity/enable-ldap-signing-in-windows-server

Also, you can enable additional event logging for LDAP.

Open Registry Editor. Go to HKEY_LOCAL_MACHINE → SYSTEM → CurrentControlSet → Services → NTDS → Diagnostics. Note: Set '15 Field Engineering' to '5'. This enables Expensive and Inefficient LDAP calls to be logged in Event Viewer.

View the logs

Unsecure LDAP binds
Go to Event Viewer → Filter Directory Service logs to locate the event ID 2889 (Windows Server 2003 to 2012)

Number of daily unsecure LDAP binds
Go to Event Viewer → Filter Directory Service logs to locate the event ID 2887 (Windows Server 2003 to 2012)

Number of LDAP queries
Go to Event Viewer → Filter Directory Service logs to locate the event ID 1643 (Windows Server 2003 to 2012)

Recent LDAP queries
Go to Event Viewer → Filter Directory Service logs to locate the event ID 1644 (Windows Server 2003 to 2012)

Error from LDAP server
Go to Event Viewer → Filter Directory Service logs to locate the event ID 1535 (Windows Server 2003 to 2012)

Time-out LDAP connection
Go to Event Viewer → Filter Directory Service logs to locate the event ID 1317 (Windows Server 2003 to 2012)


Hope this helps.

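The procedure in the answer above (set the NTDS diagnostic value, then filter the Directory Service log for the listed event IDs), as an added PowerShell example that is not from the answer's author or from Microsoft. Two details worth knowing when you run it: `15 Field Engineering` = 5 is what produces the 1644 expensive/inefficient-search events, while per-bind 2889 events additionally need `16 LDAP Interface Events` = 2 (2887 is a daily summary and is logged regardless); and 2889 covers clear-text simple binds and unsigned SASL binds only, so binds over LDAPS do not appear there. The per-event field layout of 2889 used in the summary at the end is an assumption and is labelled as such in the code. Run elevated on the DC, and reset both diagnostic values to 0 afterwards, since level 5 logging is noisy.

```powershell
# Added example: enable the NTDS diagnostics the answer refers to, then pull the
# Directory Service events it lists for the last 24 hours. Run elevated on the DC.

$diag = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'

# '15 Field Engineering' = 5 -> expensive/inefficient searches logged as event 1644
Set-ItemProperty -Path $diag -Name '15 Field Engineering' -Value 5 -Type DWord
# '16 LDAP Interface Events' = 2 -> every unsigned/simple bind logged as event 2889
Set-ItemProperty -Path $diag -Name '16 LDAP Interface Events' -Value 2 -Type DWord

# Event IDs from the answer, with what each one reports
$ids = @{
    2889 = 'Unsecure (simple or unsigned) LDAP bind'
    2887 = 'Daily count of unsecure binds'
    1643 = 'Number of LDAP queries'
    1644 = 'Recent expensive/inefficient LDAP query'
    1535 = 'LDAP server error'
    1317 = 'LDAP connection time-out'
}

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Directory Service'
    Id        = [int[]]$ids.Keys
    StartTime = (Get-Date).AddDays(-1)
} -ErrorAction SilentlyContinue

# One line per event with the first lines of the message (2889 messages name
# the client address:port and the account that bound)
$events | ForEach-Object {
    [pscustomobject]@{
        Time    = $_.TimeCreated
        Id      = $_.Id
        What    = $ids[$_.Id]
        Details = (($_.Message -split "`r?`n") | Select-Object -First 6) -join ' | '
    }
} | Format-Table -Wrap

# Summary: which clients are still doing unsecure binds. Assumption (not from the
# answer): the 2889 EventData holds the client address first and the identity second.
$events | Where-Object Id -eq 2889 | ForEach-Object {
    $x = [xml]$_.ToXml()
    [pscustomobject]@{
        Client   = $x.Event.EventData.Data[0]
        Identity = $x.Event.EventData.Data[1]
    }
} | Group-Object Client | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

The grouped 2889 output is the list of applications to fix (move to LDAPS or signed SASL) before LDAP signing is enforced as the answer's first link describes; once it stays empty for a full day, the daily 2887 count should read zero as well.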