域控制器: LDAP 服务器签名要求Domain controller: LDAP server signing requirements

04/19/2017

本文内容

适用于Applies to

Windows 10Windows 10

本文介绍域控制器的最佳实践、位置、值和安全注意事项 ：LDAP 服务器签名要求 安全策略设置。This article describes the best practices, location, values, and security considerations for the Domain controller: LDAP server signing requirements security policy setting.

参考Reference

此策略设置确定 LDAP 服务器的轻型目录访问 (协议) LDAP 客户端是否要求 LDAP 客户端协商数据签名。This policy setting determines whether the Lightweight Directory Access Protocol (LDAP) server requires LDAP clients to negotiate data signing.

未签名的网络流量易受中间人攻击，其中，一位管理员捕获服务器和客户端设备之间的数据包，并修改数据包，然后再将它们转发到客户端设备。Unsigned network traffic is susceptible to man-in-the-middle attacks, where an intruder captures packets between the server and the client device and modifies them before forwarding them to the client device. 对于 LDAP 服务器，恶意用户可能导致客户端设备根据 LDAP 目录中的虚假记录做出决策。In the case of an LDAP server, a malicious user can cause a client device to make decisions based on false records from the LDAP directory. 通过实施强大的物理安全措施来保护网络基础结构，可以在企业网络中降低此风险。You can lower this risk in a corporate network by implementing strong physical security measures to protect the network infrastructure. 此外，实现 Internet 协议安全性 (IPsec) 身份验证标头模式(为 IP 流量提供相互身份验证和数据包完整性)会使所有类型的中间人攻击都很困难。Furthermore, implementing Internet Protocol security (IPsec) Authentication Header mode, which provides mutual authentication and packet integrity for IP traffic, can make all types of man-in-the-middle attacks difficult.

此设置对通过 SSL 和 LDAP TCP/636 (LDAP 简单绑定没有任何) 。This setting does not have any impact on LDAP simple bind through SSL (LDAP TCP/636).

如果需要签名，则 LDAP TCP/389 (将拒绝使用 SSL 的 LDAP 简单) 。If signing is required, then LDAP simple binds not using SSL are rejected (LDAP TCP/389).

警告： 如果将服务器设置为"需要签名"，则还必须设置客户端设备。Caution: If you set the server to Require signature, you must also set the client device. 不设置客户端设备会导致与服务器的连接丢失。Not setting the client device results in loss of connection with the server.

可能值Possible values

无。None. 数据签名不需要与服务器绑定。Data signatures are not required to bind with the server. 如果客户端计算机请求数据签名，则服务器支持它。If the client computer requests data signing, the server supports it.

需要签名。Require signature. 必须协商 LDAP 数据签名选项，除非传输层安全性/安全套接字层 (TLS/SSL) 使用。The LDAP data-signing option must be negotiated unless Transport Layer Security/Secure Sockets Layer (TLS/SSL) is in use.

未定义。Not defined.

最佳实践Best practices

建议您将域控制器 ：LDAP 服务器签名要求设置为****"需要签名"。We recommend that you set Domain controller: LDAP server signing requirements to Require signature. 不支持 LDAP 签名的客户端将无法对域控制器执行 LDAP 查询。Clients that do not support LDAP signing will be unable to execute LDAP queries against the domain controllers.

位置Location

计算机配置\Windows 设置\安全设置\本地策略\安全选项Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options

默认值Default values

下表列出了此策略的实际有效默认值。The following table lists the actual and effective default values for this policy. 默认值也列在策略的属性页上。Default values are also listed on the policy’s property page.

服务器类型或 GPOServer type or GPO

默认值Default value

默认域策略Default Domain Policy

未定义Not defined

默认域控制器策略Default Domain Controller Policy

未定义Not defined

Stand-Alone服务器默认设置Stand-Alone Server Default Settings

未定义Not defined

DC 有效默认设置DC Effective Default Settings

无None

成员服务器有效默认设置Member Server Effective Default Settings

无None

客户端计算机有效默认设置Client Computer Effective Default Settings

无None

策略管理Policy management

本节介绍可帮助您管理此策略的功能和工具。This section describes features and tools that are available to help you manage this policy.

重启要求Restart requirement

无。None. 当设备在本地保存或通过组策略分发时，对此策略的更改将在不重新启动设备的情况下生效。Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy.

安全注意事项Security considerations

本部分介绍攻击者如何利用一项功能或其配置，如何实施对策，以及对策实施可能产生的负面后果。This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation.

漏洞Vulnerability

未签名的网络流量易受中间人攻击。Unsigned network traffic is susceptible to man-in-the-middle attacks. 在此类攻击中，一位管理员捕获服务器和客户端设备之间的数据包，修改数据包，然后将数据包转发到客户端设备。In such attacks, an intruder captures packets between the server and the client device, modifies them, and then forwards them to the client device. 对于 LDAP 服务器，攻击者可能导致客户端设备做出基于 LDAP 目录中的虚假记录的决策。Where LDAP servers are concerned, an attacker could cause a client device to make decisions that are based on false records from the LDAP directory. 若要降低组织网络中此类入侵的风险，您可以实施强大的物理安全措施来保护网络基础结构。To lower the risk of such an intrusion in an organization's network, you can implement strong physical security measures to protect the network infrastructure. 您还可以在 IPsec) (身份验证标头模式下实现 Internet 协议安全性，该模式对 IP 流量执行相互身份验证和数据包完整性，使所有类型的中间人攻击都很困难。You could also implement Internet Protocol security (IPsec) Authentication Header mode, which performs mutual authentication and packet integrity for IP traffic to make all types of man-in-the-middle attacks difficult.

对策Countermeasure

将域控制器：LDAP 服务器签名要求设置为 "需要签名"。Configure the Domain controller: LDAP server signing requirements setting to Require signature.

潜在影响Potential impact

不支持 LDAP 签名的客户端设备无法对域控制器运行 LDAP 查询。Client devices that do not support LDAP signing cannot run LDAP queries against the domain controllers.

相关主题Related topics