Ensure LDAP Signing on AD DS Domain Controllers
Make sure AD servers use secure communication to prevent unauthorised access.
Plain language
This control ensures that communications with Active Directory servers, which help manage user access in your organisation, are secure. If this isn't done, unauthorised people could spy on or tamper with communications, leading to potential data breaches or unauthorised access to sensitive information.
Framework: ASD Information Security Manual (ISM)
Control effect: Preventative
Classifications: NC, OS, P, S, TS
ISM last updated: Aug 2024
Control Stack last updated: 19 Mar 2026
E8 maturity levels: N/A
Guideline: Guidelines for system hardening
Section: Server application hardening
Official control statement
Lightweight Directory Access Protocol signing is enabled on Microsoft AD DS domain controllers.
Why it matters
If LDAP signing is not enforced on AD DS domain controllers, attackers can tamper with LDAP traffic to gain unauthorised access.
Operational notes
Confirm that domain controllers enforce LDAP signing via Group Policy, and re-check regularly to detect drift after updates or configuration changes.
Implementation tips
- IT team should configure LDAP signing: Review the current server configuration and ensure that LDAP signing is enabled. This secures communication between clients and domain controllers and prevents tampering in transit.
- System administrators should update server policies: Adjust the Group Policy settings on domain controllers to require LDAP signing. This is done through the Group Policy Management Console by navigating to the appropriate policies and enabling LDAP signing.
- IT team should test configurations: After implementing the LDAP signing requirement, test that all applications and services can still connect to the domain controllers as expected, and identify any compatibility issues.
- IT managers should communicate changes: Inform relevant staff about what changes have been made to server settings and any potential impacts, particularly for applications whose directory access might be affected.
- Policy makers should update IT security policies: Ensure that organisational policies reflect the need for LDAP signing, documenting the change and why it was necessary for security. This may involve updating the IT security policy document and employee handbooks.
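One way to carry out the "confirm and re-check for drift" and "test configurations" steps above is to query every domain controller for the registry value that the LDAP signing Group Policy setting writes, and count the Directory Service events that record unsigned binds. This is an added PowerShell example, not from the ISM or Control Stack; it assumes the RSAT ActiveDirectory module, PowerShell remoting to each domain controller, and an account allowed to read the NTDS registry key and the Directory Service log.

```powershell
# Added drift check (not part of the ISM or Control Stack page): verify that every
# domain controller requires LDAP signing and surface evidence of unsigned binds.
# Assumes the ActiveDirectory module, WinRM to each DC, and rights to read the
# NTDS registry key and the Directory Service event log.
Import-Module ActiveDirectory

# Registry value written by the GPO "Domain controller: LDAP server signing requirements".
# 1 = None (signing not required), 2 = Require signing.
$ntdsKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$valueName = 'LDAPServerIntegrity'

$dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

$results = Invoke-Command -ComputerName $dcs -ScriptBlock {
    param($key, $name)
    $integrity = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
    if ($null -eq $integrity) { $integrity = 1 }   # absent value behaves like "None"

    # Directory Service log: 2886 = signing not required (logged at service start),
    # 2887 = 24-hourly count of unsigned/clear-text binds, 2889 = per-client detail
    # (2889 only appears when "16 LDAP Interface Events" diagnostics is set to 2).
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Directory Service'
        Id        = 2886, 2887, 2889
        StartTime = (Get-Date).AddDays(-1)
    } -ErrorAction SilentlyContinue

    [pscustomobject]@{
        DomainController          = $env:COMPUTERNAME
        LDAPServerIntegrity       = $integrity
        RequiresSigning           = ($integrity -eq 2)
        UnsignedBindEvents        = @($events | Where-Object { $_.Id -in 2887, 2889 }).Count
        SigningNotEnforcedWarning = (@($events | Where-Object { $_.Id -eq 2886 }).Count -gt 0)
    }
} -ArgumentList $ntdsKey, $valueName

$results | Sort-Object DomainController |
    Format-Table DomainController, LDAPServerIntegrity, RequiresSigning, UnsignedBindEvents, SigningNotEnforcedWarning -AutoSize

# A DC that does not require signing is drift; a DC that still logs unsigned binds
# points at a client or application to fix before (or after) enforcement.
$noncompliant = $results | Where-Object { -not $_.RequiresSigning -or $_.UnsignedBindEvents -gt 0 }
if ($noncompliant) {
    Write-Warning "LDAP signing drift or unsigned binds on: $($noncompliant.DomainController -join ', ')"
}
```

The table it prints, saved with the run date, doubles as the "server configuration report" and "testing logs" evidence requested in the audit tips.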
Audit / evidence tips
- Ask for server policy settings documentation: Request the document or report showing the Group Policy settings for domain controllers.
  Good: Document shows a policy requiring LDAP signing for all domain controllers.
- Ask for a server configuration report: Request a detailed report from IT showing current settings for domain controllers.
  Good: Report confirms that LDAP signing is turned on for all domain controllers.
- Ask for testing logs or results: Review logs or documents that show the results of LDAP signing functionality tests.
  Good: Logs show successful tests for all key systems with no critical failures.
- Ask for communication records: Check emails or meeting notes where changes to LDAP settings were explained to necessary staff.
  Good: Communication records show clear instructions and potential impact assessments shared with staff.
- Ask for updated IT security policies: Request the latest security policy documents that include LDAP signing requirements.
  Good: Policies specifically mention LDAP signing as essential for server communications.
Cross-framework mappings
How ISM-1929 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially meets (2) | | |
| Annex A 8.5 | ISM-1929 requires enabling LDAP signing on AD DS domain controllers to ensure integrity of authentication-related directory communications | |
| Annex A 8.20 | ISM-1929 requires LDAP signing to be enabled on Microsoft AD DS domain controllers to protect directory authentication/integrity against ... | |
| Supports (1) | | |
| Annex A 5.17 | ISM-1929 requires LDAP signing on domain controllers so directory traffic cannot be altered in transit, reducing the likelihood of creden... | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.