Port reference
Port 3269 (TCP) – LDAP Global Catalog over SSL/TLS
Global Catalog over TLS — encrypted, forest-wide LDAP queries against Active Directory's partial replica of every domain.
Default state
Open on domain controllers that hold the Global Catalog role. Encrypted counterpart to plaintext GC port 3268.
Common attacks
- Forest-wide directory enumeration (users, groups, SPNs across domains)
- NTLM relay to the Global Catalog to modify directory objects
- BloodHound-style attack-path mapping across the whole forest
- Certificate spoofing / MITM against clients that skip validation
Hardening
- Enforce LDAP signing and channel binding to defeat relay
- Restrict 3269 to trusted management and application networks
- Disable anonymous binds and audit Global Catalog queries
- Use valid CA-issued certificates and require clients to validate them
- Monitor for bulk LDAP reads spanning multiple domains
nmap snippet
nmap -p3269 --script ldap-rootdse,ssl-cert <target>
Replace <target> with the host or range you're authorized to scan.
What runs on port 3269?
Port 3269 carries the Active Directory Global Catalog over SSL/TLS. The Global Catalog is a domain-controller role that holds a partial, searchable replica of every object in the entire forest — not just the local domain. Where plain LDAP on 389 and the plaintext Global Catalog on 3268 travel in cleartext, port 3269 wraps the same forest-wide queries in TLS; it is the forest-wide counterpart of per-domain LDAPS on 636.
Why it matters for security
The Global Catalog's value lies in its breadth: one query can enumerate users, groups, computers, and SPNs across every domain in the forest, making 3269 a prime reconnaissance target even when traffic is encrypted. Encryption protects the data in transit but does nothing against an authenticated or relayed bind, so captured NTLM authentication relayed to the Global Catalog can read or modify directory objects forest-wide.
How it's attacked
Attackers query the Global Catalog to enumerate the whole forest — feeding tools like BloodHound that map attack paths and privilege relationships across domains. They relay coerced NTLM authentication to 3269 to write directory changes, and they attempt certificate spoofing / MITM against clients that fail to validate the TLS certificate.
Hardening checklist
Enforce LDAP signing and channel binding on domain controllers so relayed NTLM fails, and disable anonymous binds. Restrict port 3269 to trusted management and application networks. Issue valid CA certificates and require clients to validate them to stop MITM. Audit Global Catalog queries and alert on bulk reads spanning multiple domains. The nmap scripts above read the RootDSE and inspect the TLS certificate on systems you are authorised to test.
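As an added example (not part of this reference), the detection logic behind the last checklist item: given LDAP search records already parsed from domain-controller telemetry, flag clients whose reads on the Global Catalog ports return bulk results across several domains or use an empty base DN (a whole-forest search). The record layout, thresholds and sample data are assumptions constructed for the example.

```python
"""Flag bulk Global Catalog reads that span multiple forest domains."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class LdapSearch:
    client: str    # source IP of the LDAP client (assumed field)
    port: int      # 3268/3269 = Global Catalog, 389/636 = per-domain LDAP
    base_dn: str   # search base; "" means the whole forest on a GC
    returned: int  # entries returned to the client


GC_PORTS = {3268, 3269}
MIN_ENTRIES = 500   # constructed threshold: tune to your environment
MIN_DOMAINS = 2     # distinct domains touched before a client is flagged


def domain_from_dn(dn: str) -> str:
    """Derive the DNS domain from the DC= components of a DN ('' if none)."""
    comps = [c.strip() for c in dn.split(",")]
    dcs = [c[3:] for c in comps if c[:3].upper() == "DC="]
    return ".".join(dcs).lower()


def flag_bulk_forest_reads(searches, min_entries=MIN_ENTRIES, min_domains=MIN_DOMAINS):
    """Return {client: (sorted domains, total entries)} for clients that read
    >= min_entries entries on a GC port across >= min_domains domains, or via
    an empty-base (forest-wide) search."""
    per_client = defaultdict(lambda: {"domains": set(), "entries": 0, "forest_wide": False})
    for s in searches:
        if s.port not in GC_PORTS:
            continue                      # per-domain LDAP/LDAPS is out of scope here
        agg = per_client[s.client]
        agg["entries"] += s.returned
        dom = domain_from_dn(s.base_dn)
        if dom:
            agg["domains"].add(dom)
        else:
            agg["forest_wide"] = True     # empty base on a GC = every domain
    flagged = {}
    for client, agg in per_client.items():
        spans = agg["forest_wide"] or len(agg["domains"]) >= min_domains
        if spans and agg["entries"] >= min_entries:
            flagged[client] = (sorted(agg["domains"]), agg["entries"])
    return flagged


SAMPLE_SEARCHES = [  # constructed records, not real telemetry
    LdapSearch("10.0.5.20", 3269, "DC=corp,DC=example,DC=com", 12),
    LdapSearch("10.0.5.20", 3269, "DC=corp,DC=example,DC=com", 8),
    LdapSearch("10.0.9.77", 3269, "DC=corp,DC=example,DC=com", 900),
    LdapSearch("10.0.9.77", 3269, "DC=emea,DC=example,DC=com", 650),
    LdapSearch("10.0.9.77", 3269, "DC=apac,DC=example,DC=com", 410),
    LdapSearch("10.0.4.3", 636, "DC=corp,DC=example,DC=com", 5000),
    LdapSearch("10.0.7.15", 3269, "", 2300),
]

if __name__ == "__main__":
    for client, (domains, total) in flag_bulk_forest_reads(SAMPLE_SEARCHES).items():
        print(f"{client}: {total} entries across {domains or ['<whole forest>']}")
```

Only 10.0.9.77 (three domains, 1960 entries) and 10.0.7.15 (forest-wide base, 2300 entries) are flagged; the small single-domain client and the LDAPS-on-636 client are not.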
Related ports
Frequently asked questions
- What is the difference between port 3268 and 3269?
- Both serve the Active Directory Global Catalog — forest-wide LDAP. Port 3268 is cleartext, while 3269 wraps the same queries in SSL/TLS for encryption.
- Why is the Global Catalog a high-value target?
- The Global Catalog holds a searchable partial copy of every object in the entire AD forest, so a single query can enumerate accounts, groups, and trust relationships across all domains.