Monitor for Simple/Unsigned LDAP Binds in Active Directory

There are many security risks with running Active Directory. In 2022, one of these is still allowing unsigned/simple LDAP binds against your Domain Controllers.

If you don’t already have a PKI environment set up, you should work to set one up so you can issue certificates to your Domain Controllers that your business’s devices trust, and then retire unsigned/simple binds.

A script I’ve found very helpful for monitoring the Domain Controller firewall logs for these events is located here:

https://github.com/russelltomkins/Active-Directory/blob/master/Query-InsecureLDAPBinds.ps1
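As an added example (my own code, not the script linked above), the following PowerShell does the same kind of check in a smaller form: it reads Directory Service event 2889 from a Domain Controller and builds a per-client, per-identity worklist of simple and unsigned binds. It assumes the DC’s “16 LDAP Interface Events” diagnostics value is set to 2 (under HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics), since event 2889 is only written at that level, and that the event message still carries the “Client IP address”, “authenticate as” and “Binding Type” labels.

```powershell
# Added example: summarise unsigned/simple LDAP binds from event 2889.
# Assumes the DC logs 2889 ("16 LDAP Interface Events" = 2 under
# HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics).
param(
    [string]$ComputerName = $env:COMPUTERNAME,  # DC to query
    [int]$Hours = 24                            # look-back window
)

$filter = @{
    LogName   = 'Directory Service'
    Id        = 2889
    StartTime = (Get-Date).AddHours(-$Hours)
}

try {
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction Stop
} catch {
    # Get-WinEvent throws when nothing matches; treat that as "no insecure binds seen"
    Write-Warning "No event 2889 on $ComputerName in the last $Hours hours: $($_.Exception.Message)"
    return
}

# Event 2889 carries the client, the identity used and the bind type in its message.
# Binding Type 0 = simple bind in clear text, 1 = SASL bind without signing.
$binds = foreach ($e in $events) {
    $ip   = if ($e.Message -match 'Client IP address:\s*(\S+)') { $matches[1] } else { 'unknown' }
    $id   = if ($e.Message -match 'authenticate as:\s*(.+)')    { $matches[1].Trim() } else { 'unknown' }
    $type = if ($e.Message -match 'Binding Type:\s*(\d)')       { [int]$matches[1] } else { -1 }
    [pscustomobject]@{
        Time     = $e.TimeCreated
        Client   = $ip -replace ':\d+$', ''   # strip the source port, keep the address
        Identity = $id
        BindType = switch ($type) { 0 { 'Simple (clear text)' } 1 { 'SASL unsigned' } default { 'Unknown' } }
    }
}

# One row per client/identity/bind type is the remediation worklist:
# each row is an application or host to fix before signing is enforced.
$binds | Group-Object Client, Identity, BindType | ForEach-Object {
    [pscustomobject]@{
        Client   = $_.Group[0].Client
        Identity = $_.Group[0].Identity
        BindType = $_.Group[0].BindType
        Count    = $_.Count
        LastSeen = ($_.Group | Sort-Object Time -Descending)[0].Time
    }
} | Sort-Object Count -Descending | Format-Table -AutoSize
```

Run it against each Domain Controller, since 2889 is logged only on the DC that received the bind, and keep the output from several days before deciding that the list is complete.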

Here is the Microsoft article on enabling LDAP signing:

https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/enable-ldap-signing-in-windows-server

Here is the Microsoft article from 2020 regarding the changes they planned to make to turn off unsigned/simple binds.

https://support.microsoft.com/en-us/topic/2020-ldap-channel-binding-and-ldap-signing-requirements-for-windows-kb4520412-ef185fb8-00f7-167d-744c-f299a66fc00a

You can enable LDAP over SSL with a third-party certification authority if you don’t have your own PKI.

https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/enable-ldap-over-ssl-3rd-certification-authority

I’ll have another blog forthcoming regarding setting up an in-house PKI securely.