You may notice the warning event “NTDS General – The security of this directory server can be significantly enhanced by configuring the server to reject SASL….” in Event Viewer for Active Directory Domain Services, regarding LDAP binds. The warning means the domain controller is still accepting LDAP binds that are neither signed nor protected by TLS. To get rid of the event warning, you can configure a Group Policy so that all domain controllers reject unsigned and simple LDAP bind requests.
Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. Perform the following on a domain controller or a computer that has Remote Server Administration Tools installed.
- Open the Group Policy Management Console
- Expand the Forest and Domains objects until you locate the domain object for the set of domain controllers you want to configure.
- Expand the Domain Controllers object, right-click Default Domain Controllers Policy and then click Edit.
- Expand the following objects in the Group Policy Management Editor: Computer Configuration, Policies, Windows Settings, Security Settings, Local Policies, Security Options.
- In the right-hand pane, double-click the Domain controller: LDAP server signing requirements policy.
- Ensure that the Define this policy setting check box is selected, then choose Require signing in the drop-down box and click OK.
- Review the information in the Confirm Setting Change dialog box and then click the Yes button to continue and save the change.
That should stop the warning events for LDAP signing in Event Viewer.
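Once the policy has refreshed on the domain controllers, the following PowerShell check (an added example, not part of the original article) confirms the setting actually applied and shows whether any clients are still binding without signing. It assumes Domain Admin rights, the RSAT ActiveDirectory module, and PowerShell Remoting enabled on each domain controller.

```powershell
# Added example: verify "Domain controller: LDAP server signing requirements"
# has applied, and look for evidence of clients that still bind unsigned.
# Assumes: Domain Admin rights, RSAT ActiveDirectory module, WinRM to each DC.
Import-Module ActiveDirectory

# The GPO setting is written to this registry value on each DC:
#   1 = None (default), 2 = Require signing
$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$dcs = (Get-ADDomainController -Filter *).HostName

$results = Invoke-Command -ComputerName $dcs -ArgumentList $regPath -ScriptBlock {
    param($path)
    $value = (Get-ItemProperty -Path $path -Name 'LDAPServerIntegrity' `
                -ErrorAction SilentlyContinue).LDAPServerIntegrity

    # Event 2886 is the startup warning the article describes; it is logged
    # only while the DC still accepts unsigned binds.
    $warning = Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 2886 } `
                 -MaxEvents 1 -ErrorAction SilentlyContinue

    # Event 2887 is logged every 24 hours and summarises how many unsigned SASL
    # binds and cleartext simple binds the DC accepted. A non-zero count means
    # those clients will fail once signing is required, so review it before
    # (and after) enforcing the policy.
    $summary = Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 2887 } `
                 -MaxEvents 1 -ErrorAction SilentlyContinue

    [pscustomobject]@{
        DomainController     = $env:COMPUTERNAME
        LDAPServerIntegrity  = $value
        RequiresSigning      = ($value -eq 2)
        LastSigningWarning   = if ($warning) { $warning.TimeCreated } else { 'none' }
        LastUnsignedSummary  = if ($summary) { $summary.TimeCreated } else { 'none' }
        UnsignedBindSummary  = if ($summary) { $summary.Message } else { 'no 2887 event logged' }
    }
}

# RequiresSigning should be True on every DC; if not, run gpupdate /force there
# and re-check before assuming the warning is gone.
$results | Select-Object DomainController, LDAPServerIntegrity, RequiresSigning,
    LastSigningWarning, LastUnsignedSummary | Format-Table -AutoSize
$results | Select-Object DomainController, UnsignedBindSummary | Format-List
```

If the 2887 summary reports unsigned binds, setting the "16 LDAP Interface Events" diagnostic value under HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics to 2 makes the DC log event 2889 with the address of each client that binds without signing, so they can be fixed before the policy breaks them.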