ATA - False Positive: LDAP simple bind

  • Question

  • I have installed the ATA GA version in our domain environment. Now I get this alarm:
    Services Exposing Account Credentials. Services running on "serverx" exposed "usernamex's" credentials in cleartext using LDAP simple bind.

    When I run the Microsoft Network Monitor tool, I can see that the LDAP bind's authentication type is SASL:
    34764 9:47:33 3.9.2015 18.9314568 dc.domain.com domain.com LDAPMessage LDAPMessage:Bind Request, MessageID: 3656
    Authentication: PrincipalName: ldap/dc.domain.com/domain.com, Authentication type = sasl

    Is it possible that this alarm is a false positive, so that ATA recognizes this network traffic in the wrong way?

    In general, this program looks really good.

    Thursday, September 3, 2015 7:13 AM

All replies

  • Hi dzeidzei1,

    Could it be the activity you manage to catch is not the one that triggered the alert?

    Most likely there has been other activity from the same machine that uses simple bind.

    If you have evidence that the alert that was triggered in ATA was caused by this specific bind request, then this requires some more investigation. I assume that in the packet you captured you do not see clear-text credentials - right?

    Thanks,

    Microsoft ATA Team.

    Thursday, September 3, 2015 11:33 AM
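The question and the reply both turn on one distinction: an LDAP BindRequest whose authentication choice is `simple` carries the password as an OCTET STRING on the wire (cleartext unless the session is wrapped in TLS), whereas a `sasl` bind carries a mechanism name and an opaque token. The following Python is an added example, not code from Microsoft ATA or from this thread, showing how a sensor or an analyst script can classify each captured bind by decoding the BER structure from RFC 4511, so that a SASL bind like the one in the Network Monitor trace is not confused with a simple bind from the same host. The host names, message IDs, DN, password and the `GSS-SPNEGO` mechanism in the sample captures are constructed for the demonstration.

```python
"""Classify LDAP BindRequests (RFC 4511) as simple or SASL from raw BER bytes.

Added example for illustration; not part of Microsoft ATA. The sample
messages below are constructed, not taken from a real capture.
"""


def _encode_len(n):
    """BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _encode_int(n):
    """BER INTEGER content octets (extra byte keeps the sign bit clear)."""
    return n.to_bytes((n.bit_length() + 8) // 8, "big")


def _tlv(tag, payload):
    return bytes([tag]) + _encode_len(len(payload)) + payload


def _read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the TLV that starts at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def build_simple_bind(message_id, name, password):
    """Constructed sample: BindRequest with AuthenticationChoice simple [0]."""
    op = _tlv(0x02, b"\x03") + _tlv(0x04, name.encode()) + _tlv(0x80, password.encode())
    return _tlv(0x30, _tlv(0x02, _encode_int(message_id)) + _tlv(0x60, op))


def build_sasl_bind(message_id, mechanism, token=b""):
    """Constructed sample: BindRequest with AuthenticationChoice sasl [3]."""
    sasl = _tlv(0x04, mechanism.encode()) + _tlv(0x04, token)
    op = _tlv(0x02, b"\x03") + _tlv(0x04, b"") + _tlv(0xA3, sasl)
    return _tlv(0x30, _tlv(0x02, _encode_int(message_id)) + _tlv(0x60, op))


def parse_bind_request(msg):
    """Decode one LDAPMessage; return a dict for a BindRequest, else None."""
    tag, body, _ = _read_tlv(msg, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    tag, mid, pos = _read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("missing messageID")
    tag, op, _ = _read_tlv(body, pos)
    if tag != 0x60:  # [APPLICATION 0] constructed = BindRequest
        return None
    _, ver, pos = _read_tlv(op, 0)
    _, name, pos = _read_tlv(op, pos)
    tag, auth, _ = _read_tlv(op, pos)
    result = {"message_id": int.from_bytes(mid, "big"),
              "version": int.from_bytes(ver, "big"),
              "name": name.decode("utf-8")}
    if tag == 0x80:  # simple [0]: the content IS the password
        result.update(auth="simple", password_len=len(auth))
    elif tag == 0xA3:  # sasl [3]: SEQUENCE { mechanism, credentials }
        _, mech, _ = _read_tlv(auth, 0)
        result.update(auth="sasl", mechanism=mech.decode("utf-8"))
    else:
        raise ValueError("unknown AuthenticationChoice tag 0x%02x" % tag)
    return result


def find_credential_exposure(captures):
    """captures: iterable of (source_host, raw_ldap_message).

    Returns [(host, bind_name)] for simple binds that carry a non-empty
    password. Anonymous simple binds (empty password) expose nothing, and
    SASL binds never carry the password itself, so both are skipped.
    """
    hits = []
    for host, raw in captures:
        info = parse_bind_request(raw)
        if info and info["auth"] == "simple" and info["password_len"] > 0:
            hits.append((host, info["name"]))
    return hits


# Constructed captures: one cleartext simple bind from "serverx", the SASL
# bind seen in the trace, and an anonymous simple bind.
SAMPLES = [
    ("serverx", build_simple_bind(7, "cn=usernamex,dc=domain,dc=com", "Secret123")),
    ("dc.domain.com", build_sasl_bind(3656, "GSS-SPNEGO", b"\x60\x0a\x06\x06\x2b\x06\x01\x05\x05\x02")),
    ("serverx", build_simple_bind(8, "", "")),
]

if __name__ == "__main__":
    for host, raw in SAMPLES:
        print(host, parse_bind_request(raw))
    print("exposed:", find_credential_exposure(SAMPLES))
```

The point the reply makes follows directly from the triage: the SASL bind from the trace parses as `auth="sasl"` and is never reported, while a separate simple bind from the same host is what would justify the alert. A simple bind sent inside a TLS session (LDAPS or StartTLS) is not visible to this kind of passive decoder at all, so "cleartext" in the alert text refers to unprotected LDAP on port 389.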