Microsoft are planning to release a security update in March 2020 that will amend the default configuration for LDAP channel binding and LDAP signing, as outlined in this advisory.
5th February 2020 UPDATE – Microsoft have announced a change to the release of the patch/advisory, meaning that it will now only add additional auditing and logging for LDAP activity.
Updated content is now available here.
Windows Updates in March 2020 add new audit events, additional logging, and a remapping of Group Policy values that will enable hardening LDAP Channel Binding and LDAP Signing. The March 2020 updates do not make changes to LDAP signing or channel binding policies or their registry equivalent on new or existing domain controllers.
A further future monthly update, anticipated for release the second half of calendar year 2020, will enable LDAP signing and channel binding on domain controllers configured with default values for those settings.
Microsoft recommends that the hardening changes described in the advisory be performed before the roll-out of the update to ensure minimal downtime faced by customers. Microsoft Windows client devices require a hotfix to be installed before the configuration change or update is deployed on a Domain Controller.
How does this impact me?
The key point is that if you have applications or services that integrate with Active Directory over clear text LDAP (TCP/389) rather than LDAP/S, those services could be impacted once the patch is implemented.
The new default behaviour means that any clear text LDAP on TCP/389 will not function. It is not clear at this point if the behaviour can be overridden (and we would not recommend this from a Security perspective).
NOTE: Ultima managed service customers will be contacted soon around the requirements of these changes.
What kind of Vendors/Products are impacted?
Most vendor solutions offer the ability to configure LDAP integration using either clear text LDAP (TCP/389) or secured LDAP/S (TCP/636).
We recommend testing the new hardened options as soon as possible to validate interoperability with other products ahead of the release of the patch, expected in March.
Any 3rd party product that uses LDAP for Directory level integration could be impacted by this change.
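To find the integrations that will break, the following added PowerShell (not from the original post or from Microsoft) reads the two registry values the advisory remaps and summarises the Directory Service event 2889 entries that record unsigned binds; the function name and the 24-hour window are assumptions, the registry paths and event IDs are Microsoft's documented ones.

```powershell
# Added example, not from the original post: audit a domain controller for
# clear-text / unsigned LDAP binds before LDAP signing and channel binding are
# enforced. Run as an administrator on the DC (or via Enter-PSSession).
# Registry paths and event IDs are Microsoft's documented ones; the function
# name and the 24-hour window are this script's own choices.

function Get-UnsignedLdapBinds {
    param([int]$Hours = 24)

    $ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS'

    # 1. Current hardening state on this DC.
    #    LDAPServerIntegrity:       1 = None (today's default), 2 = Require signing
    #    LdapEnforceChannelBinding: 0 = Never, 1 = When supported, 2 = Always (absent = unset)
    $p = Get-ItemProperty -Path "$ntds\Parameters"
    Write-Host ("LDAPServerIntegrity={0} LdapEnforceChannelBinding={1}" -f `
        $p.LDAPServerIntegrity, $p.LdapEnforceChannelBinding)

    # 2. Event 2889 (one per client performing an unsigned bind) is only written when
    #    the '16 LDAP Interface Events' diagnostic level is 2; otherwise the DC logs
    #    just the daily 2887 summary count. Raising it changes logging, not enforcement.
    $level = (Get-ItemProperty -Path "$ntds\Diagnostics").'16 LDAP Interface Events'
    if ($level -lt 2) {
        Write-Warning "LDAP interface diagnostics is '$level'; set it to 2 to capture per-client 2889 events:"
        Write-Warning "Set-ItemProperty -Path '$ntds\Diagnostics' -Name '16 LDAP Interface Events' -Value 2 -Type DWord"
    }

    # 3. Summarise which clients and accounts still bind without signing. These are
    #    the integrations that must move to LDAP/S or signed binds before the patch.
    $filter = @{ LogName = 'Directory Service'; Id = 2889; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # 2889's replacement strings: client address (ip:port), identity bound as, binding type.
        [pscustomobject]@{
            Time     = $_.TimeCreated
            Client   = $_.Properties[0].Value -replace ':\d+$', ''   # drop the ephemeral port
            Identity = $_.Properties[1].Value
            BindType = $_.Properties[2].Value   # the event's message text explains each value
        }
    } | Sort-Object Client, Identity -Unique
}

Get-UnsignedLdapBinds | Format-Table -AutoSize
```

Run it on every domain controller, since each DC only logs the binds it served; an empty result with the diagnostic level already at 2 for a full day is the evidence you want before enabling the hardened settings.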
Some of Ultima’s strategic vendor partners have released a statement on the patch; please click below to view:
Coming soon:
Ultima are offering a Planning & Risk Assessment for your infrastructure to review the configuration and platforms that are utilising LDAP and any potential issues. Further details around this will be released shortly.
Reference Articles from Microsoft and the Fix
This advisory is a way of mitigating CVE-2017-8563, a Windows Elevation of Privilege Vulnerability, and it also highlights the KB for the hotfix required on clients.
Please find some useful resources below:
- Advisory
- Registry Entry
- LDAP channel binding and LDAP signing
- Enable LDAP signing
- How to enable LDAP/S with a CA
- Microsoft Technical Security Notifications
- Vulnerability