How To Find Ldap Server In Windows Domain
The estimated reading time 9 minutes
Some time ago Microsoft announced the irresolute of default domain controller beliefs for ldap and ldap signing. Encounter LINK.
This affects every supported version of Windows Server (from 2008R2 till 2019). There is another LINK ADV190023 with detailed caption.
I think there should be no word to alter your domaincontroller to ldap signing only. Only what about 3rd party software? How tin can you find these software accessing your DCs and using unsigned ldap?
If you don't take any certificate for ldap on your domaincontroller, have a look on the requirements, it's important. How to enable LDAP over SSL.
I recommend to activate LDAP loggin on every domain controller in your environment, and extend the Eventlog "Directory Service" so you lot can go back in the past to run into most of the ldap connections.
How does it await like when an ldap connection is logged as unsigned:
As you can see IP Adress and User who does the ldap demark is logged.
First you lot have to enable LDAP loggin on your DCs.
I'll use a gpo set up the registry keys on all DCs in my test surroundings, but you can also set the central manually:
REGKEY LDAP loggin (should already exist there but set to 0): HKEY_LOCAL_MACHINE\Organisation\CurrentControlSet\Services\NTDS\Diagnostics -> DWORD -> "16 LDAP Interface Events" -> Value "2"
REGKEY extend eventlog: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Directory Service -> DWORD -> "MaxSize" -> Value= "2147483648" (2GB)
Y'all can also use the reg add commands:
Reg Add HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Diagnostics /v "16 LDAP Interface Events" /t REG_DWORD /d 2 Reg Add "HKEY_LOCAL_MACHINE\Arrangement\CurrentControlSet\Services\EventLog\Directory Service" /5 "MaxSize" /t REG_DWORD /d "2147483648"
After adding this regkeys there demand to be some time so that DCs can log connections and hopefully see all unsigned ldap connections. (best case is to run across no ldap connections)
If you lot want to try ldap and ldaps connection you lot tin can become on your dc or whatsoever other windows server and use the LDP.exe to check. Information technology is located in C:\Windows\SYSTEM32\ folder.
If you lot do likewise a uncomplicated bind the connection is logged in your eventlog
Please check also if y'all can connect your ldap with SSL Port 636
After finishing you tin can be sure your DCs accept LDAPS and are logging LDAP connections. Now you accept to await some days so that you come across most of the LDAP connections (y'all may run across not all considering if the device does no ldap query there is nothing to protocol).
Now it'south scripting time, because information technology tin can be actually painful to search eventlogs and find all events with the IP addresses inside the event message.
See the post-obit script:
<# #### requires ps-version three.0 #### <# .SYNOPSIS Analyses Eventlog from DomainControllers and searches for LDAP access .Description Creates a working directory on your specified path. Later on cosmos information technology copies evtx files from all Domaincontrollers via robocopy into this working directory. Every domaincontroller eventlog creates four files (cleared and raw) .PARAMETER WorkDir Path where y'all want to have your logs and results (please bank check diskspace, evtx file may have some GBs) .INPUTS - .OUTPUTS YYYY-MM-DD-HH-MM-SS-NameofDC.evtx (copied but untouched) YYYY-MM-DD-HH-MM-SS-NameofDC-LDAP-cleared.csv YYYY-MM-DD-HH-MM-SS-NameofDC-LDAP-raw.csv YYYY-MM-DD-HH-MM-SS-NameofDC-LDAP-fourth dimension.csv YYYY-MM-DD-HH-MM-SS-NameofDC-LDAP-fourth dimension-cleared.csv .NOTES Version: 0.i Author: Alexander Koehler Creation Date: Tuesday, March 10th 2020, 11:07:01 pm File: advertisement-ldap-inspect-0-i.ps1 Copyright (c) 2020 web log.it-koehler.com HISTORY: Date By Comments ---------- --- ---------------------------------------------------------- .LINK blog.it-koehler.com/en/Archive/2951 .COMPONENT Required Modules: none .LICENSE Permission is hereby granted, gratuitous of accuse, to whatever person obtaining a copy of this software and associated documentation files (the Software), to deal in the Software without brake, including without limitation the rights to use copy, modify, merge, publish, distribute sublicense and /or sell copies of the Software, and to permit persons to whom the Software is furnished to exercise and so, subject to the following weather: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED Equally IS, WITHOUT WARRANTY OF Any KIND, Limited OR IMPLIED, INCLUDING BUT Not LIMITED TO THE WARRANTIES OF MERCHANTABILITY, Fitness FOR A Item PURPOSE AND NONINFRINGEMENT. IN NO Upshot SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR Whatever Claim, Amercement OR OTHER LIABILITY, WHETHER IN AN Action OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN Connectedness WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. .EXAMPLE C:\temp\ad-ldap-audit-0-1.ps1 -WorkDir "C:\temp\ldapaudit" # #> # define parameters (Working Directory) and check if information technology'southward a directory and if information technology does not exist, create it. [CmdletBinding()] Param( [Parameter(Mandatory = $True)] [String] $WorkDir) if (-not (Examination-Path $WorkDir -PathType Container)) { endeavor { New-Item -Path $WorkDir -ItemType Directory -ErrorAction Finish | Out-Nothing } catch { Write-Error -Message "Unable to create directory '$WorkDir'. Error was: $_" -ErrorAction Stop } "Successfully created directory '$WorkDir'." } else { "Directory already existes" } #get date as string (is needed for filenames) $date=((Get-Date).ToString('yyyy-MM-dd-HH-mm-ss')) #getting all DCs in environment without Advertizing PowerSehll Module $DCs = ([System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest().Sites | % { $_.Servers } | select Proper name).Proper noun #executing code for every domaincontroller foreach($DC in $DCs){ #copy evtx file in working dir with robocopy $path = "\\$DC\c$\Windows\System32\winevt\Logs\" robocopy "$path" "$workdir" "Directory Service.evtx" Rename-Item "$workdir\Directory Service.evtx" "$date-$DC.evtx" $evtxfile = "$workdir\$date-$DC.evtx" #define output file prefix $csvoutputpath = "$workdir\$date-$DC-LDAP" #searching for upshot 2889 $Events = Go-WinEvent @{Path=$evtxfile;Id=2889} #define array for outputs $eventarraytime = @() $eventarrayraw =@() ForEach ($Event in $Events) { # Convert the effect to XML #see https://docs.microsoft.com/de-de/archive/blogs/ashleymcglone/powershell-get-winevent-xml-madness-getting-details-from-issue-logs $eventXML = [xml]$Consequence.ToXml() #getting timestamp $time = ($Event.TimeCreated) #getting user from eventlog $ldapconn = ($eventXML.Result.EventData.Data) #creating custom object and put all together #customobject with timestamp $eventobj = New-Object Organization.Object $eventobj | Add-Member -type NoteProperty -name AccessTime -Value $time $eventobj | Add-Member -type NoteProperty -proper noun LDAPAccess -Value (@($ldapconn) -join " ") #custom object witout timestamp $eventraw = New-Object System.Object $eventraw | Add-Fellow member -type NoteProperty -name LDAPAccess -Value (@($ldapconn) -join " ") #appending content to array $eventarraytime += $eventobj $eventarrayraw += $eventraw } #output data in rawformat to csv $eventarraytime | Export-Csv -Path "$csvoutputpath-fourth dimension.csv" -Encoding UTF8 -Delimiter ";" -NoTypeInformation $eventarrayraw | Export-Csv -Path "$csvoutputpath-raw.csv" -Encoding UTF8 -Delimiter ";" -NoTypeInformation #cleaning upwards double entries $eventstimecleared = $eventarraytime | Sort-Object -Unique LDAPAccess -Descending $eventstimecleared | Export-Csv -Path "$csvoutputpath-time-cleared.csv" -Encoding UTF8 -Delimiter ";" -NoTypeInformation $eventarraycleared = $eventarrayraw | Sort-Object -Unique LDAPAccess -Descending $eventarraycleared | Export-Csv -Path "$csvoutputpath-cleared.csv" -Encoding UTF8 -Delimiter ";" -NoTypeInformation } You tin re-create the consummate script into a ps1-file and trigger it with its parameter -WorkDir "Specify the path where it should re-create all outpout and evtx files"
NOTE: if evtx file is actually large (i-2GB) the execution of this script can accept several hours, be patient!
If y'all are a powershell pro, you can stop reading at this point, but if yous'd similar to know how it's working, I'll give some caption.
LINE 82:
$DCs = ([System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest().Sites | % { $_.Servers } | select Proper name).Name
This is a .Net Office to find all DCs with their FQDN, all lawmaking later on this line will be executed for every dc in variable $DCs (ForEach Loop)
LINE93:
$Events = Become-WinEvent @{Path=$evtxfile;Id=2889}
Searching inside the evtx file for effect id 2889 and get them in variable $Events
After this variable is available we need to take a await on every single event with another foreach loop.
LINE 100:
$eventXML = [xml]$Event.ToXml()
We need to catechumen the upshot to XML then nosotros get objects which can be searched and filtered by PowerShell.
LINE 104:
$ldapconn = ($eventXML.Event.EventData.Data)
In this instance data for ldap connexion is in this object (depends on structure
All other lawmaking is more often than not responsible to catechumen data and create a readable content for CSV files
In my testing environment there are only few ldap connections manually generated.
Information technology's as well possible to run the script more than than one time, because information technology adds the timestamp to every file nothing will exist overwritten. If you lot have any questions practice non hesitate to contact me and if you like this article delight click on "Helpful".
Lock downward your Advertising and close LDAP!
- Was this Helpful ?
- yes no
Source: https://blog.it-koehler.com/en/Archive/2951
Posted by: kistlercaude1987.blogspot.com
0 Response to "How To Find Ldap Server In Windows Domain"
Post a Comment