ISM-1929 ASD Information Security Manual (ISM)

Ensure LDAP Signing on AD DS Domain Controllers

Make sure AD servers use secure communication to prevent unauthorised access.

🏛️ Framework

ASD Information Security Manual (ISM)

🧭 Control effect

Preventative

🔐 Classifications

NC, OS, P, S, TS

🗓️ ISM last updated

Aug 2024

✏️ Control Stack last updated

22 Feb 2026

🎯 E8 maturity levels

N/A

Official control statement
Lightweight Directory Access Protocol signing is enabled on Microsoft AD DS domain controllers.

Source: ASD Information Security Manual (ISM)

Plain language

This control ensures that communications with Active Directory servers, which help manage user access in your organisation, are secure. If this isn't done, unauthorised people could spy on or tamper with communications, leading to potential data breaches or unauthorised access to sensitive information.

Why it matters

If LDAP signing is not enforced on AD DS domain controllers, an attacker positioned between a client and a domain controller can intercept and alter unsigned LDAP traffic in transit, and use that tampering to gain unauthorised access.

Operational notes

Confirm Domain Controllers enforce LDAP signing via Group Policy and re-check regularly to detect drift after updates or changes.
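As an added example of the "confirm and re-check" step (this is not Control Stack's or the ISM's own material), the PowerShell below reads the effective LDAP server signing setting from every domain controller and flags drift. The Group Policy setting "Domain controller: LDAP server signing requirements" is applied through the registry value LDAPServerIntegrity under the NTDS Parameters key (2 = Require signing, 1 = None). The use of the RSAT ActiveDirectory module, WinRM reachability of each DC, and the CSV file name are assumptions.

```powershell
#Requires -Modules ActiveDirectory

# Added example (not Control Stack's or ASD's code): audit the effective
# "Domain controller: LDAP server signing requirements" setting on every DC.
# Group Policy writes it to HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
# as LDAPServerIntegrity: 1 = None (signing not required), 2 = Require signing.
# Assumes the RSAT ActiveDirectory module and WinRM access to each DC.

function Get-LdapSigningStatus {
    [CmdletBinding()]
    param(
        # Optional list of DC host names; default is every DC in the current domain.
        [string[]]$DomainController = (Get-ADDomainController -Filter * |
                                       Select-Object -ExpandProperty HostName)
    )

    # Runs on the DC itself so we read the value the LDAP service actually uses.
    $remoteCheck = {
        $key   = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
        $value = (Get-ItemProperty -Path $key -Name LDAPServerIntegrity `
                                   -ErrorAction SilentlyContinue).LDAPServerIntegrity
        [pscustomobject]@{
            DomainController    = $env:COMPUTERNAME
            LDAPServerIntegrity = $value        # $null: value never set (defaults to not required)
            RequiresSigning     = ($value -eq 2)
            CheckedAt           = (Get-Date).ToString('s')
            Error               = $null
        }
    }

    foreach ($dc in $DomainController) {
        try {
            Invoke-Command -ComputerName $dc -ScriptBlock $remoteCheck -ErrorAction Stop
        } catch {
            # Report unreachable DCs instead of silently skipping them, so a gap
            # in coverage shows up in the evidence rather than disappearing.
            [pscustomobject]@{
                DomainController    = $dc
                LDAPServerIntegrity = $null
                RequiresSigning     = $false
                CheckedAt           = (Get-Date).ToString('s')
                Error               = $_.Exception.Message
            }
        }
    }
}

# Run the check, keep the result as evidence, and exit non-zero on drift so the
# script can be scheduled and alert on failure.
$results = Get-LdapSigningStatus
$results | Format-Table DomainController, LDAPServerIntegrity, RequiresSigning, CheckedAt, Error -AutoSize
$results | Export-Csv -Path ".\ldap-signing-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation

$nonCompliant = $results | Where-Object { -not $_.RequiresSigning }
if ($nonCompliant) {
    Write-Warning "LDAP signing is NOT required on: $($nonCompliant.DomainController -join ', ')"
    exit 1
}
```

Scheduling this after each patch cycle or Group Policy change gives the dated configuration report the audit section below asks for, and the non-zero exit makes a regressed DC visible without anyone reading the CSV.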

Implementation tips

  • IT team should configure LDAP signing: Review the current server configuration and ensure that LDAP signing is enabled. This helps secure the communication between servers and prevents tampering.
  • System administrators should update server policies: Adjust the Group Policy settings on domain controllers to require LDAP signing. In the Group Policy Management Console, the relevant setting is "Domain controller: LDAP server signing requirements" under Security Options, which should be set to "Require signing" in a policy applied to the Domain Controllers OU.
  • IT team should test configurations: After implementing the LDAP signing requirement, conduct tests to ensure all applications and services can still connect to the domain controllers as expected, identifying any compatibility issues.
  • IT managers should communicate changes: Inform relevant staff about what changes have been made to server settings and any potential impacts, particularly concerning application access that might be affected.
  • Policy makers should update IT security policies: Ensure that organisational policies reflect the need for LDAP signing, documenting the change and why it was necessary for security. This may involve updating the IT security policy document and employee handbooks.
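The testing step above needs a way to find clients that still bind without signing before the policy is switched to "Require signing". As an added example (not the page's own material): domain controllers log event 2887 in the Directory Service log each day with a count of unsigned and clear-text binds, and log event 2889 for each offending client once the "16 LDAP Interface Events" diagnostic level is raised to 2. The script assumes the RSAT ActiveDirectory module, WinRM access to each DC, and a seven-day survey window; the CSV file name is also an assumption.

```powershell
#Requires -Modules ActiveDirectory

# Added example (not Control Stack's or ASD's code): survey which clients would
# break if LDAP signing were required, using the DC's own event log.
# Assumes the RSAT ActiveDirectory module and WinRM access to each DC.

# Step 1 (run once, then wait for a representative period): raise the
# "16 LDAP Interface Events" diagnostic level so the DC logs event 2889 for every
# unsigned SASL bind and every simple bind over clear text. Level 2 is per-client
# logging; set it back to 0 once the survey is finished.
function Enable-LdapInterfaceEventLogging {
    param([Parameter(Mandatory)][string]$DomainController)
    Invoke-Command -ComputerName $DomainController -ScriptBlock {
        Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics' `
                         -Name '16 LDAP Interface Events' -Value 2 -Type DWord
    }
}

# Step 2: collect 2889 events from one DC and summarise them per client and identity.
function Get-UnsignedLdapBindClients {
    param(
        [Parameter(Mandatory)][string]$DomainController,
        [int]$Days = 7
    )
    $since = (Get-Date).AddDays(-$Days)

    # Parse on the DC: EventLogRecord.Properties does not survive remoting cleanly,
    # so plain objects are returned instead of raw event records.
    $binds = Invoke-Command -ComputerName $DomainController -ArgumentList $since -ScriptBlock {
        param($since)
        $filter = @{ LogName = 'Directory Service'; Id = 2889; StartTime = $since }
        Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
            # Event data for 2889: [0] = client address:port, [1] = identity the client bound as.
            [pscustomobject]@{
                ClientIP = ([string]$_.Properties[0].Value) -replace ':\d+$', ''   # drop the source port
                Identity = [string]$_.Properties[1].Value
                Time     = $_.TimeCreated
            }
        }
    }

    $binds | Group-Object ClientIP, Identity | ForEach-Object {
        [pscustomobject]@{
            DomainController = $DomainController
            ClientIP         = $_.Group[0].ClientIP
            Identity         = $_.Group[0].Identity
            UnsignedBinds    = $_.Count
            LastSeen         = ($_.Group | Sort-Object Time -Descending | Select-Object -First 1).Time
        }
    }
}

# Run step 1 on every DC first, e.g.:
#   foreach ($dc in (Get-ADDomainController -Filter *).HostName) { Enable-LdapInterfaceEventLogging -DomainController $dc }
# then, after the survey window, build the report used for the compatibility-testing step.
$report = foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
    Get-UnsignedLdapBindClients -DomainController $dc -Days 7
}
$report | Sort-Object UnsignedBinds -Descending | Format-Table -AutoSize
$report | Export-Csv -Path ".\unsigned-ldap-binds-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
```

Each row identifies an application or host that needs a client-side fix (its own "LDAP client signing requirements" setting, LDAPS, or a software update) before the server-side policy is enforced; an empty report after a full survey window, together with no new 2887 events, is the evidence that enforcement will not break anything.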

Audit / evidence tips

  • Ask: server policy settings documentation: Request the document or report showing the Group Policy settings for domain controllers

    Good: Document shows a policy requiring LDAP signing for all domain controllers

  • Ask: a server configuration report: Request a detailed report from IT showing current settings for domain controllers

    Good: Report confirms that LDAP signing is turned on for all domain controllers

  • Ask: testing logs or results: Review logs or documents that show the results of LDAP signing functionality tests

    Good: Logs show successful tests for all key systems with no critical failures

  • Ask: communication records: Check emails or meeting notes where changes to LDAP settings were explained to necessary staff

    Good: Communication records show clear instructions and potential impact assessments shared with staff

  • Ask: updated IT security policies: Request the latest security policy documents that include LDAP signing requirements

    Good: Policies specifically mention LDAP signing as essential for server communications

Cross-framework mappings

How ISM-1929 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.

ISO 27001

Partially meets (2)

  • Annex A 8.5: ISM-1929 requires enabling LDAP signing on AD DS domain controllers to ensure integrity of authentication-related directory communications
  • Annex A 8.20: ISM-1929 requires LDAP signing to be enabled on Microsoft AD DS domain controllers to protect directory authentication/integrity against ...

Supports (1)

  • Annex A 5.17: ISM-1929 requires LDAP signing on domain controllers so directory traffic cannot be altered in transit, reducing the likelihood of creden...
