Tag Archives: LDAP

Event data mining with PowerShell

On Server 2008 and 2008 R2, if your Domain Controllers aren’t configured to require LDAP signing and disallow simple LDAP binds in plaintext, Active Directory Domain Services logs a warning event on startup, and summary events every 24 hours.

A couple of weeks ago, I followed the recommendation to enable logging of unsigned and plaintext LDAP authentication requests. Setting the LDAP Interface Events diagnostic value to 2 generates a Directory Service event 2889 for each such connection.

Now I want to do some analysis of the collected events. The event structure puts the important details, namely the client name and IP address, in the big description text field. It looks like this:

Log Name: Directory Service
Source: Microsoft-Windows-ActiveDirectory_DomainService
Date: 11/3/2010 11:46:38 AM
Event ID: 2889
Task Category: LDAP Interface
Level: Information
Keywords: Classic
User: ANONYMOUS LOGON
Computer: CDC01.campus.ad.uvm.edu
Description:
The following client performed a SASL (Negotiate/Kerberos/NTLM/Digest) LDAP bind without requesting signing (integrity verification), or performed a simple bind over a cleartext (non-SSL/TLS-encrypted) LDAP connection.

Client IP address:
132.198.124.202:53298
Identity the client attempted to authenticate as:
CAMPUS\myhost0256BB4$

Previously, I’ve exported the logs to CSV format, then used Excel and some text-mangling functions to pull out the important details. But I noted that the two important values were nicely separated in the XML representation of the event:

Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-ActiveDirectory_DomainService" />
    <EventID>2889</EventID>
    <Version>0</Version>
    <Level>4</Level>
    <Task>16</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8080000000000000</Keywords>
    <TimeCreated />
    <EventRecordID>122013</EventRecordID>
    <Correlation />
    <Execution />
    <Channel>Directory Service</Channel>
    <Computer>CDC01.campus.ad.uvm.edu</Computer>
    <Security />
  </System>
  <EventData>
    <Data>132.198.124.202:53298</Data>
    <Data>CAMPUS\myhost0256BB4$</Data>
  </EventData>
</Event>
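
One way to do that analysis, as an added PowerShell example that is not the script from this post: read each 2889 event, cast its XML to [xml], and take the two Data elements under EventData. It assumes PowerShell 2.0 or later with the Directory Service log readable from the host it runs on (or pointed at the DC with -ComputerName), resolves client names by reverse DNS, and the CSV file name is my choice.

```powershell
# Added example, not the script from this post. Reads every Directory Service
# event 2889, pulls client address and bind identity out of the event XML, and
# summarises who is binding without signing or in cleartext.
# Assumes PowerShell 2.0+ and that the log is readable from this host.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 2889 } `
                       -ErrorAction SilentlyContinue

$binds = foreach ($e in $events) {
    # ToXml() returns the same XML Event Viewer shows; as [xml] the two <Data>
    # elements under <EventData> can be addressed by position.
    $x    = [xml]$e.ToXml()
    $data = @($x.Event.EventData.Data)

    # Data[0] is "address:port". Cut at the last colon so an IPv6 literal,
    # which contains colons of its own, survives intact.
    $addr = $data[0]
    $cut  = $addr.LastIndexOf(':')

    New-Object PSObject -Property @{
        Time     = $e.TimeCreated
        ClientIP = $addr.Substring(0, $cut)
        Port     = $addr.Substring($cut + 1)
        Identity = $data[1]     # DOMAIN\account for SASL binds, bind DN for simple binds
    } | Select-Object Time, ClientIP, Port, Identity
}

# One row per (client, identity) pair, busiest first, with the client name
# looked up by reverse DNS where a PTR record exists.
$summary = $binds | Group-Object ClientIP, Identity | Sort-Object Count -Descending |
    ForEach-Object {
        $ip = $_.Group[0].ClientIP
        try   { $name = [System.Net.Dns]::GetHostEntry($ip).HostName }
        catch { $name = '(no PTR)' }
        New-Object PSObject -Property @{
            Count    = $_.Count
            ClientIP = $ip
            Client   = $name
            Identity = $_.Group[0].Identity
        } | Select-Object Count, ClientIP, Client, Identity
    }

$summary | Format-Table -AutoSize
$binds   | Export-Csv -Path .\ldap-2889-binds.csv -NoTypeInformation   # per-event rows for spreadsheet work
```

The Count column is the number of 2889 events per client/identity pair over whatever the log currently holds, so the top rows are the first clients to chase before turning on LDAP signing enforcement.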

Thursday – March 5

Goal for today: get auto_provisioning script working.

Feeling cold; AC is blowing strong and winning the HVAC smackdown.

Made lots of progress on provisioning scripts, then hit a brick wall: Need IO::Socket::SSL and Net::SSLeay in order to do Net::LDAP->starttls, and the perldap package from UWinnipeg for Perl 5.10 doesn’t have these available.

Do I try to compile myself and build PPMs? Ugh.

Maybe ActivePerl 5.8 x64 would get the job done…