LDAP channel binding and LDAP signing provide ways to increase the security for communications between LDAP clients and Active Directory domain controllers.

Describes the LdapEnforceChannelBinding registry setting that is used to enable the fix decribed in CVE-2017-8563.

Introduction. Find answers to frequently asked questions about the changes to Lightweight Directory Access Protocol (LDAP). To learn more, go to ADV190023. Contents. What resources should I read to prepare to successfully deploy LDAP Channel Binding and LDAP signing? What issues do you foresee with enforcing LDAP signing?

Summary. Microsoft is aware of PetitPotam which can potentially be used to attack Windows domain controllers or other Windows servers. PetitPotam is a classic NTLM Relay Attack, and such attacks have been previously documented by Microsoft along with numerous mitigation options to protect customers. For example: Microsoft Security Advisory 974926.

Internet directory services, also known as LDAP services, are used to find e-mail addresses that are not in your local Outlook contacts. Directory services search directories on other servers to look up names and other information that can then be viewed in Outlook.

The update addresses this vulnerability by incorporating support for Extended Protection for Authentication security feature, which allows the LDAP server to detect and block such forwarded authentication requests once enabled. To learn more about the vulnerability, see CVE-2017-8563.

You notice that Lightweight Directory Access Protocol (LDAP) or Kerberos responses from the domain controller are delayed by 2 to 5 seconds. When the issue occurs, the Lsass.exe process CPU usage is low (even lower than usual). Around the same time (but up to a 4-hour offset), you may receive Netlogon warning event 5807.

The Netlogon Remote Protocol remote procedure call (RPC) interface is primarily used to maintain the relationship between a device and its domain , and relationships among domain controllers (DCs) and domains. This update protects Windows devices from CVE-2022-38023 by default.

Transport Layer Security (TLS) 1.0 and 1.1 are security protocols for creating encryption channels over computer networks. Microsoft has supported them since Windows XP and Windows Server 2003. However, regulatory requirements are changing. Also, there are new security weaknesses in TLS 1.0.

Symptoms. You have an application that searches the Active Directory with paged searches using ldap_search_ext or ldap_search_ext_s, and it is set to chase referrals. When it searches off the root of a domain NC, the paged searches end prematurely after the first page.