Subject: Meeting the InCommon Assurance profile criteria using Active Directory
[AD-Assurance] simple LDAP bind monitor & mitigate
- From: Brian Arkills <>
- To: "" <>
- Subject: [AD-Assurance] simple LDAP bind monitor & mitigate
- Date: Fri, 15 Aug 2014 17:13:09 +0000
- Accept-language: en-US
Figured I should probably also send an email on this topic.
I’m in the process of creating a set of resources for this. I’ll likely publish these so anyone can re-use them. The artifacts I’m imagining will be:
· Powershell script that quickly grabs simple LDAP bind events (have this already)
· Powershell script that grabs simple LDAP bind events from last hour from your DCs and inserts them in a SQL database (have this already)
· Web page that leverages SQL database for:
o List of all offenders in last 24 hours
o List of all offenders in last 30 days
o Graph of number of offending logons per day
· Code which fires once/day based on the data from the last 24 hours that emails the offending users with a template supplying the most recent IP address, most recent timestamp, and source DC, explains why this is bad, tells them what to do (need to fix their LDAP application to use LDAPS)
· Web page that talks about how to reconfigure LDAP application to use LDAPS instead of LDAP.
· Web page that walks through deploying the above resources, which includes all the “glue” details like what permissions accounts need to do this, etc.
- [AD-Assurance] simple LDAP bind monitor & mitigate, Brian Arkills, 08/15/2014
Archive powered by MHonArc 2.6.16.