Secure LDAP is Mandatory for Active Directory
Share KeePass Passwords with your Team of multiple users
LDAP Channel Binding and LDAP Signing
Security Requirement Changes
Microsoft issued an significant advisory against the use of unsecure LDAP to Active Directory because of potential for attacks and misuse.
LDAPS should be used with Active Directory domain controllers.
Microsoft is bringing attention to these security features: "LDAP Signing and Channel Binding", which becomes enforced by default (July 2020 or later), or after applying security patch changes or windows security updates.
Note: Initially, March 2020 was the deadline, but this was delayed
Have Questions? Contact Us!
Impact Summary
These changes to Active Directory connections will affect users who use LDAP instead of LDAPS in their Active Directory. Users that already successfully communicating with LDAPS should not be affected by these changes (patch, registry changes, and/or subsequent Windows Update).
- Read Details below, to understand recommended changes
Impact Details
Currently by default LDAP traffic (without SSL/TLS) is unsigned and unencrypted making it vulnerable to man-in-the-middle attacks and eavesdropping.
After the patch or the windows update would be applied, LDAPS must be enabled with Active Directory. If LDAPS is not used, LDAP communications will fail with this error:
- LdapErr: DSID-0C090202 - "The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection"
Summary of Changes Required
- Use LDAPS (with SSL/TLS) (Port 636) with Active Directory connections
- Stop allowing unsecure binds with LDAP (Port 389)
- Apply recommend patch and changes
Verify Whether Password Server will be Affected
- To further validate that these changes will not be a problem for your application, please follow the recommendation steps (in the Overview Details, below) in your Test environment.
- Increase your logging details: https://keepasshub.com/info/keepass-hub/g-logging
- Look for Windows Event IDs of 2887
Change Timeline
- July 2020 (or later) - Windows update will enforce changes by default
- "LDAP signing and channel binding" by default on domain controllers
- March 20, 2020 - New features available
- Server hardening features will be available (for audit events, additional logging, and changes to Group Policy values)
- August 13, 2019 - Security Advisory notice
- ADV190023 published to introduce LDAP channel binding and LDAP signing support.
- July, 2017 - Microsoft introduced a security patch
- "Extended Protection for Authentication" security feature, a recommends creating a LdapEnforceChannelBinding registry setting
Overview Details
In summarizing what Microsoft has encouraged users, here are the main summary points:
1) Apply this Security Patch (CVE-2017-8563) on all machines that currently
A) host AD domain controllers, or,
B) which communicate via LDAP - e.g. Password Server machine (not the desktop client machines)
2) Modify Domain Controllers: Enable LDAP Signing and LDAP CBT (Channel Binding Tokens)
- Create the registry settings (for AD and ADLDS) on each domain controller:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters --> LdapEnforceChannelBinding = 1
3) Stop using simple LDAP (port 389)
- Configure Password Server to use LDAPS with SSL/TLS over port 636
4) OTHERWISE - Main Concerns are:
The main concern is to regularly audit & build a list of which systems or accounts are making unsecure binds with LDAP:
- Audit the Event IDs 2889 (Directory Services log)
5) TURNING OFF:
- Not Recommended:
HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters --> LDAPServerIntegrity = 0
Official References:
- Advisory - https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV190023
- Original Microsoft Explanation - https://support.microsoft.com/en-us/help/4520412/2020-ldap-channel-binding-and-ldap-signing-requirement-for-windows
- Patch - https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-8563
- Microsoft How To's:
- General - https://support.microsoft.com/en-us/help/4034879/how-to-add-the-ldapenforcechannelbinding-registry-entry
- Server 2008 - https://support.microsoft.com/en-us/help/935834/how-to-enable-ldap-signing-in-windows-server-2008
- Enable LDAP Logging - https://support.microsoft.com/en-ca/help/314980/how-to-configure-active-directory-and-lds-diagnostic-event-logging
Community References/Explanations:
- https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/trouble/12_5_1/fieldNotice/cucm_b_fn-secure-ldap-mandatory-ad.html
- https://astrix.co.uk/news/2020/1/31/how-to-set-up-secure-ldap-for-active-directory
- https://isc.sans.edu/forums/diary/March+Patch+Tuesday+is+Coming+the+LDAP+Changes+will+Change+Your+Life/25796/
- https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/ldap-channel-binding-and-ldap-signing-requirements-march-update/ba-p/921536