2020 LDAP channel binding and LDAP signing requirement for Windows

Applies to: Windows 10, version 1903; Windows 10, version 1809; Windows Server 2019, all versions

Summary


LDAP channel binding and LDAP signing provide ways to increase the security of network communications between an Active Directory Domain Services (AD DS) or Active Directory Lightweight Directory Services (AD LDS) server and its clients. There is a vulnerability in the default configuration for Lightweight Directory Access Protocol (LDAP) channel binding and LDAP signing that may expose Active Directory domain controllers to elevation of privilege vulnerabilities. Microsoft Security Advisory ADV190023 addresses the issue by recommending that administrators enable LDAP channel binding and LDAP signing on Active Directory domain controllers. This hardening must be done manually until the release of the security update that will enable these settings by default.

Microsoft intends to release a security update on Windows Update to enable the LDAP channel binding and LDAP signing hardening changes, and anticipates that this update will be available in mid-January 2020.

Why this change is needed


Microsoft recommends that administrators make the hardening changes described in ADV190023 because, when default settings are used, an elevation of privilege vulnerability exists in Microsoft Windows that could allow a man-in-the-middle attacker to successfully forward an authentication request to a Windows LDAP server, such as a system running AD DS or AD LDS, that has not been configured to require signing or sealing on incoming connections. The security of a directory server can be significantly improved by configuring the server to reject Simple Authentication and Security Layer (SASL) LDAP binds that do not request signing (integrity verification), and to reject LDAP simple binds that are performed on a clear-text (non-SSL/TLS-encrypted) connection. SASL mechanisms include the Negotiate, Kerberos, NTLM, and Digest protocols. Unsigned network traffic is susceptible to replay attacks, in which an intruder intercepts the authentication attempt and the issuance of a ticket; the intruder can then reuse the ticket to impersonate the legitimate user. Unsigned network traffic is also susceptible to man-in-the-middle attacks, in which an intruder captures packets between the client and the server, changes them, and forwards them to the server. If this occurs on an LDAP server, an attacker can cause the server to make decisions that are based on forged requests from the LDAP client.
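The paragraph above names three properties the hardening adds: integrity (signing), resistance to replay, and binding of the authentication to the TLS channel the client actually negotiated. The following toy model, added here as an illustration and not taken from this article or from Windows' LDAP implementation, shows what each check catches. The session key, certificate bytes, request text and sequence-number scheme are all constructed for the example; real SASL signing and the tls-server-end-point channel binding token differ in detail but follow the same logic.

```python
"""Toy model of LDAP signing, replay protection and channel binding.
All values are constructed for illustration (assumed, not from the advisory)."""
import hashlib
import hmac

# Constructed sample material: a SASL session key shared by client and DC,
# and the certificates a client might complete a TLS handshake with.
SESSION_KEY = hashlib.sha256(b"constructed SASL session key").digest()
REAL_DC_CERT = b"constructed DER bytes of the real domain controller certificate"
MITM_CERT = b"constructed DER bytes of an interposed TLS-terminating proxy"

ORIGINAL = b"add user bob to group Helpdesk"
FORGED = b"add user bob to group Domain Admins"


def channel_binding_token(server_cert_der: bytes) -> bytes:
    # tls-server-end-point style token: a hash of the certificate the client
    # actually completed its TLS handshake with (modelled with SHA-256).
    return hashlib.sha256(server_cert_der).digest()


def sign(session_key: bytes, seq: int, payload: bytes) -> bytes:
    # The MAC covers the sequence number, so a captured message cannot be
    # resubmitted under a fresh number without the session key.
    return hmac.new(session_key, seq.to_bytes(4, "big") + payload, hashlib.sha256).digest()


class DirectoryServer:
    def __init__(self, cert_der, session_key, require_signing=False, require_cbt=False):
        self.cbt = channel_binding_token(cert_der)
        self.key = session_key
        self.require_signing = require_signing   # reject unsigned SASL / clear-text simple binds
        self.require_cbt = require_cbt           # reject TLS binds whose token names another cert
        self.seen_seq = set()

    def handle(self, req: dict) -> str:
        # A simple bind carries the password in clear unless TLS protects it.
        if req["auth"] == "simple" and not req["tls"]:
            if self.require_signing:
                return "rejected: simple bind on clear-text connection"
            return "accepted: " + req["payload"].decode()
        mac = req.get("mac")
        if mac is None:
            if self.require_signing:
                return "rejected: SASL bind did not negotiate signing"
            return "accepted: " + req["payload"].decode()   # nothing to verify
        expected = sign(self.key, req["seq"], req["payload"])
        if not hmac.compare_digest(mac, expected):
            return "rejected: signature mismatch"
        if self.require_cbt and req["tls"] and req.get("cbt") != self.cbt:
            return "rejected: channel binding token mismatch"
        if req["seq"] in self.seen_seq:
            return "rejected: replayed sequence number"
        self.seen_seq.add(req["seq"])
        return "accepted: " + req["payload"].decode()


def client_request(payload, seq, signed, tls=False, cert_seen=None):
    req = {"auth": "sasl", "tls": tls, "payload": payload, "seq": seq}
    if signed:
        req["mac"] = sign(SESSION_KEY, seq, payload)
    if tls and cert_seen is not None:
        req["cbt"] = channel_binding_token(cert_seen)
    return req


def tamper(req, new_payload):
    # An interposed party rewrites the body; it does not hold the session key.
    return dict(req, payload=new_payload)


def default_server_accepts_tampered_request():
    server = DirectoryServer(REAL_DC_CERT, SESSION_KEY)
    return server.handle(tamper(client_request(ORIGINAL, 1, signed=False), FORGED))


def signing_rejects_tampered_request():
    server = DirectoryServer(REAL_DC_CERT, SESSION_KEY, require_signing=True)
    return server.handle(tamper(client_request(ORIGINAL, 1, signed=True), FORGED))


def signing_rejects_replay():
    server = DirectoryServer(REAL_DC_CERT, SESSION_KEY, require_signing=True)
    req = client_request(ORIGINAL, 1, signed=True)
    return server.handle(req), server.handle(req)


def channel_binding_rejects_relayed_tls_session():
    server = DirectoryServer(REAL_DC_CERT, SESSION_KEY, require_signing=True, require_cbt=True)
    # The client completed TLS with the interposed proxy, so its token names the
    # proxy's certificate; the real DC compares it against its own certificate.
    relayed = client_request(ORIGINAL, 1, signed=True, tls=True, cert_seen=MITM_CERT)
    direct = client_request(ORIGINAL, 2, signed=True, tls=True, cert_seen=REAL_DC_CERT)
    return server.handle(relayed), server.handle(direct)


if __name__ == "__main__":
    print(default_server_accepts_tampered_request())
    print(signing_rejects_tampered_request())
    print(signing_rejects_replay())
    print(channel_binding_rejects_relayed_tls_session())
```

The first scenario is the default configuration the advisory warns about: the server has no way to tell the forged body from the original. Requiring signing defeats both tampering and replay, and channel binding additionally catches a correctly signed bind that was forwarded through a TLS session the client did not establish with the real domain controller.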

Recommended actions


We strongly advise administrators to enable LDAP channel binding and LDAP signing between now and mid-January 2020 to find and fix any operating system, application or intermediate-device compatibility issues in their environment. If a compatibility issue is found, administrators will need to contact the manufacturer of that particular OS, application or device for support.

Important: Any OS version, application or intermediate device that performs man-in-the-middle inspection of LDAP traffic is most likely to be affected by this hardening change.

Security update schedule


Microsoft is targeting the following schedule to enable LDAP channel binding and LDAP signing support. Please note that the timeline below is subject to change. We will update this page as the process begins and as needed.

Target Date: August 13, 2019
Event: Take Action: Microsoft Security Advisory ADV190023 published to introduce LDAP channel binding and LDAP signing support. Administrators will need to test these settings in their environment after manually adjusting them on their servers.
Applies To: Windows Server 2008 SP2, Windows 7 SP1, Windows Server 2008 R2 SP1, Windows 8.1, Windows Server 2012 R2, Windows 10 1507, Windows Server 2016, Windows 10 1607, Windows 10 1703, Windows 10 1709, Windows 10 1803, Windows 10 1809, Windows Server 2019, Windows 10 1903

Target Date: January 2020
Event: Required: Security Update available on Windows Update for all supported Windows platforms that will enable LDAP channel binding and LDAP signing on Active Directory servers by default.
Applies To: Windows Server 2008 SP2, Windows 7 SP1, Windows Server 2008 R2 SP1, Windows 8.1, Windows Server 2012 R2, Windows 10 1507, Windows Server 2016, Windows 10 1607, Windows 10 1703, Windows 10 1709, Windows 10 1803, Windows 10 1809, Windows Server 2019, Windows 10 1903

Frequently Asked Questions