NEW March 2020 Windows Updates Do Not Include LDAP Signing or Channel Binding Policies

by Michael Trantas
Senior Solutions Architect

Update: February 17, 2020

Microsoft had originally planned to deploy a Windows Update in March 2020 which would change the behavior by enforcing LDAP signing and channel binding on domain controllers. Microsoft has now changed the timeline on the update release, noting that the March 2020 update will add new audit events, additional logging, and a remapping of Group Policy values that will enable hardening LDAP Channel Binding and LDAP Signing. The March 2020 updates do not make changes to LDAP signing or channel binding policies or their registry equivalent on new or existing domain controllers.

A further future monthly update, anticipated for release the second half of calendar year 2020, will enable LDAP signing and channel binding on domain controllers configured with default values for those settings.

Administrators can prevent the feature update from making those change either by enabling LDAP signing and channel binding NOW or by configuring non-default values prior to installing updates that enable LDAP signing and channel binding by default.

https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV190023 (v1.3)

Previous Post: January 30, 2020

Lightweight Directory Access Protocol, or LDAP, is a method used to read or write from LDAP Clients to Active Directory Domain Controllers. Microsoft has recently identified a vulnerability in the default configuration for unsecured LDAP communications that could allow an unwarranted elevation of privileges. Microsoft is advising that administrators to enable LDAP channel binding and LDAP signing on all Active Directory Domain Controllers.

The vulnerability described in Microsoft Security Advisory ADV190023, states that the default Active Directory LDAP configuration is vulnerable to man-in-the-middle attacks that could allow a malicious user to intercept and forward impersonated authentication requests to an LDAP server or Domain Controller, which has not been configured to require signing of incoming connections. This presents a significant problem for businesses that require secure communications between clients and servers.

Microsoft is planning on releasing a security update in March 2020 via Windows Update to all Operating Systems currently under Microsoft support. For Windows platforms that are out of standard support, this Security Update will only be available through the applicable extended support programs, such as Extended Security Updates (ESU).

Once applied, this fix will default enable LDAP channel binding and LDAP signing on Active Directory servers. Once this occurs, it can have a significant impact on any new or existing LDAP client-server communications.

To prevent an interruption in service and any system incompatibilities, Helient is recommending that administrators begin manually enabling LDAP channel binding and signing before March 2020 and performing significant testing. If a compatibility issue is found, this should provide administrators enough time to work with Helient and/or the application, device or system vendor for an alternate type of communication.

More information regarding the upcoming, planned security update can be found in the Microsoft KB Article – 4520412.

If you have any questions about this upcoming Microsoft update, LDAP(s) configuration assistance, or need further assistance, please contact us at service@helient.com.