In August 2019, Microsoft discovered “a set of unsafe default configurations for LDAP channel binding and LDAP signing [that] exist on Active Directory Domain Controllers”. This lets LDAP clients communicate with the AD Domain Controller without enforcing the proper channel binding or signing, which opens up security vulnerabilities. The primary takeaway for Tools4ever’s clients is that our integrations will not be affected by the update.
The March 2020 updates will “add new audit events, additional logging, and a remapping of Group Policy values that will enable hardening LDAP Channel Binding and LDAP Signing”. This change impacts how applications and services connect to AD—specifically, updating LDAP client authentication by restricting the acceptable connection types. The update will remove Simple Authentication and Security Layer (SASL) binds for non-SSL/TLS-encrypted traffic. Neither LDAP signing nor channel binding, nor their registry equivalents, will be changed on any domain controllers.
As none of Tools4ever’s integrations are client-authenticated, the March 2020 update will have no effect on them.
Prior to the March 2020 update, administrators may manually patch this vulnerability with more secure configurations for LDAP channel binding and LDAP signing on Active Directory Domain Controllers.
In a later update (second half of 2020 / end of year), Microsoft will enable LDAP signing and channel binding on domain controllers that are still configured with the default values for the associated settings.
As per Microsoft’s recommendations:
“Administrators can prevent the feature update from making those changes either by enabling LDAP signing and channel binding NOW or by configuring non-default values prior to installing updates that enable LDAP signing and channel binding by default.”
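To act on the two points above (hardening now, or at least knowing which settings are still at their defaults and which clients still bind without signing before the later update changes behaviour), the following PowerShell audit script is an added example; it is not part of the Tools4ever notice. It assumes it runs on a domain controller as an administrator, and uses the NTDS registry value names and the Directory Service event ID 2889 as described in Microsoft's documentation for ADV190023; the order of the event's properties is an assumption.

```powershell
# Added example (not from the original notice): report a DC's current LDAP
# signing / channel binding configuration and list clients still performing
# unsigned, cleartext LDAP binds, so they can be fixed before enforcement.

function Get-LdapHardeningState {
    $ntds  = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $props = Get-ItemProperty -Path $ntds -ErrorAction Stop

    # LDAPServerIntegrity: 1 = None (unsafe default), 2 = Require signing.
    # An absent value means the DC still relies on the default.
    $signingSet = $null -ne $props.LDAPServerIntegrity
    $signing    = if ($signingSet) { [int]$props.LDAPServerIntegrity } else { 1 }

    # LdapEnforceChannelBinding: 0 = Never (default), 1 = When supported, 2 = Always.
    $cbtSet = $null -ne $props.LdapEnforceChannelBinding
    $cbt    = if ($cbtSet) { [int]$props.LdapEnforceChannelBinding } else { 0 }

    [pscustomobject]@{
        SigningValue            = $signing
        SigningRequired         = ($signing -eq 2)
        SigningExplicitlySet    = $signingSet
        ChannelBindingValue     = $cbt
        ChannelBindingAlways    = ($cbt -eq 2)
        ChannelBindingExplicit  = $cbtSet
    }
}

function Get-UnsignedLdapBindClients {
    param([int]$Days = 7)
    # Event 2889 in the Directory Service log records each client that bound
    # over cleartext LDAP without signing. It is only written when the
    # "16 LDAP Interface Events" diagnostic level is set to 2 on the DC.
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Directory Service'
        Id        = 2889
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Assumed property order: client IP, bound identity, binding type.
        [pscustomobject]@{
            ClientIP = $_.Properties[0].Value
            Identity = $_.Properties[1].Value
            BindType = $_.Properties[2].Value
        }
    } |
    Group-Object ClientIP | Sort-Object Count -Descending |
    Select-Object @{n='ClientIP';e={$_.Name}}, Count
}

Get-LdapHardeningState
Get-UnsignedLdapBindClients -Days 7 | Format-Table -AutoSize
```

Any client listed by the second function would stop working once signing is required, so it should be reconfigured for LDAPS or signed binds before enabling enforcement.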
For more information, please refer to Microsoft Security Advisory ADV190023: