Updated 01/09/2024

See new content in January 9, 2024 updates.

Introduction

LDAP channel binding and LDAP signing provide ways to increase the security for communications between LDAP clients and Active Directory domain controllers. A set of unsafe default configurations for LDAP channel binding and LDAP signing exist on Active Directory domain controllers that let LDAP clients communicate with them without enforcing LDAP channel binding and LDAP signing. This can open Active Directory domain controllers to an elevation of privilege vulnerability.

This vulnerability could allow a man-in-the-middle attacker to successfully forward an authentication request to a Microsoft domain server which has not been configured to require channel binding, signing, or sealing on incoming connections.

Microsoft recommends administrators make the hardening changes described in ADV190023.

On March 10, 2020 we are addressing this vulnerability by providing the following options for administrators to harden the configurations for LDAP channel binding on Active Directory domain controllers:

  • Domain controller: LDAP server channel binding token requirements Group Policy.

  • Channel Binding Tokens (CBT) signing events 3039, 3040, and 3041 with event sender Microsoft-Windows-Active Directory_DomainService in the Directory Service event log.

Important: The March 10, 2020 updates, and updates in the foreseeable future, will not change LDAP signing or LDAP channel binding default policies or their registry equivalent on new or existing Active Directory domain controllers.

The LDAP signing Domain controller: LDAP server signing requirements policy already exists in all supported versions of Windows. Starting with Windows Server 2022, 23H2 Edition, all new versions of Windows will contain all the changes in this article.

Why this change is needed

The security of Active Directory domain controllers can be significantly improved by configuring the server to reject Simple Authentication and Security Layer (SASL) LDAP binds that do not request signing (integrity verification) or to reject LDAP simple binds that are performed on a clear text (non-SSL/TLS-encrypted) connection. SASLs may include protocols such as the Negotiate, Kerberos, NTLM, and Digest protocols.

Unsigned network traffic is susceptible to replay attacks in which an intruder intercepts the authentication attempt and the issuance of a ticket. The intruder can reuse the ticket to impersonate the legitimate user. Additionally, unsigned network traffic is susceptible to man-in-the-middle (MiTM) attacks in which an intruder captures packets between the client and the server, changes the packets, and then forward them to the server. If this occurs on an Active Directory Domain Controller, an attacker can cause a server to make decisions that are based on forged requests from the LDAP client. LDAPS uses its own distinct network port to connect clients and servers. The default port for LDAP is port 389, but LDAPS uses port 636 and establishes SSL/TLS upon connecting with a client.

Channel binding tokens help make LDAP authentication over SSL/TLS more secure against man-in-the-middle attacks.

March 10, 2020 updates

Important The March 10, 2020 updates do not change LDAP signing or LDAP channel binding default policies or their registry equivalent on new or existing Active Directory domain controllers.

Windows updates to be released on March 10, 2020 add the following features:

  • New events are logged in the Event Viewer related to LDAP channel binding. See Table 1 and Table 2 for details of these events.

  • A new Domain controller: LDAP server channel binding token requirements Group Policy to configure LDAP channel binding on supported devices.

The mapping between LDAP Signing Policy settings and registry settings are included as follows:

  • Policy Setting: "Domain controller: LDAP server signing requirements"

  • Registry Setting: LDAPServerIntegrity

  • DataType: DWORD

  • Registry Path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters

Group Policy Setting

Registry Setting

None

1

Require Signing

2

The mapping between LDAP Channel Binding Policy settings and registry settings are included as follows:

  • Policy Setting: "Domain controller: LDAP server channel binding token requirements"

  • Registry Setting: LdapEnforceChannelBinding

  • DataType: DWORD

  • Registry Path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters  

Group Policy Setting

Registry Setting

Never

0

When Supported

1

Always

2

Table 1: LDAP signing events

Description

Trigger

2886

The security of these domain controllers can be significantly improved by configuring the server to enforce validation of LDAP signing.

Triggered every 24 hours, on startup or start of service if the Group Policy is set to None. Minimum Logging Level: 0 or higher

2887

The security of these domain controllers can be improved by configuring them to reject simple LDAP bind requests and other bind requests that do not include LDAP signing.

Triggered every 24 hours when Group Policy is set to None and at least one unprotected bind was completed. Minimum Logging Level: 0 or higher

2888

The security of these domain controllers can be improved by configuring them to reject simple LDAP bind requests and other bind requests that do not include LDAP signing.

Triggered every 24 hours when Group Policy is set to Require Signing and at least one unprotected bind was rejected. Minimum Logging Level: 0 or higher

2889

The security of these domain controllers can be improved by configuring them to reject simple LDAP bind requests and other bind requests that do not include LDAP signing.

Triggered when a client does not use signing for binds on sessions on port 389. Minimum Logging Level: 2 or higher

Table 2: CBT events

Event

Description

Trigger

3039

The following client performed an LDAP bind over SSL/TLS and failed the LDAP channel binding token validation.

Triggered in any of the following circumstances:

  • When a client attempts to bind with an improperly formatted Channel Binding Token (CBT) if the CBT Group Policy is set to When Supported or Always.

  • When a client that is capable of channel binding does not send a CBT if the CBT Group Policy is set to When Supported. A client is capable of channel binding if the EPA feature is installed or available in the OS and not disabled through the registry setting SuppressExtendedProtection. To learn more, see KB5021989.

  • When a client does not send a CBT if the CBT Group Policy is set to Always.

Minimum logging level: 2

3040

During the previous 24 hour period, # of unprotected LDAPs binds were performed.

Triggered every 24 hours when CBT Group Policy is set to Never and at least one unprotected bind was completed. Minimum logging level: 0

3041

The security of this directory server can be significantly improved by configuring the server to enforce validation of LDAP channel binding tokens.

Triggered every 24 hours, on startup or start of service if the CBT Group Policy is set to Never. Minimum logging level: 0

To set the logging level in the registry, use a command that resembles the following:

Reg Add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics /v "16 LDAP Interface Events" /t REG_DWORD /d 2

For more information how to configure Active Directory diagnostic event logging, see How to configure Active Directory and LDS diagnostic event logging.

August 8, 2023 updates

Some client machines cannot use LDAP channel binding tokens to bind to Active Directory domain controllers (DCs). Microsoft will release a security update on August 8, 2023. For Windows Server 2022, this update adds options for administrators to audit these clients. You can enable CBT events 3074 and 3075 with the event source **Microsoft-Windows-ActiveDirectory_DomainService** in the Directory Service event log.

Important The August 8, 2023, update does not change LDAP signing, LDAP channel binding default policies, or their registry equivalent on new or existing Active Directory DCs.

All the guidance in the March 2020 updates section applies here as well. The new auditing events will require the policy and registry settings outlined in the guidance above. There is also an enablement step to see the new audit events. The new implementation details are in the Recommended Actions section below.

Table 3: CBT events

Event

Description

Trigger

3074

The following client performed an LDAP bind over SSL/TLS and would have failed the channel binding token validation if the directory server was configured to enforce validation of Channel Binding Tokens.

Triggered in any of the following circumstances:

  • When a client attempts to bind with an improperly formatted Channel Binding Token (CBT)

Minimum logging level: 2

3075

The following client performed an LDAP bind over SSL/TLS and did not provide Channel Binding Information. When this directory server is configured to enforce validation of Channel Binding Tokens, this bind operation will be rejected.

Triggered in any of the following circumstances:

  • When a client that is capable of channel binding does not send a CBT

  • A client is capable of channel binding if the EPA feature is installed or available in the OS and not disabled through the registry setting SuppressExtendedProtection. To learn more, see KB5021989.

Minimum logging level: 2

Note When you set the logging level to at least 2, Event ID 3074 is logged. Administrators can use this to audit their environment for clients that do not work with channel binding tokens. The events will contain the following diagnostic information to identify the clients:

Client IP address: 192.168.10.5:62709 Identity the client attempted to authenticate as: CONTOSO\Administrator Client supports channel binding:FALSE Client permitted in when supported mode:TRUE Audit result flags:0x42

October 10, 2023 updates

The auditing changes added in August 2023 are now available on Windows Server 2019. For that OS, this update adds options for administrators to audit these clients. You can enable CBT events 3074 and 3075. Use the event source **Microsoft-Windows-ActiveDirectory_DomainService** in the Directory Service event log.

Important The October 10, 2023, update does not change LDAP signing, LDAP channel binding default policies, or their registry equivalent on new or existing Active Directory DCs.

All the guidance in the March 2020 updates section applies here as well. The new auditing events will require the policy and registry settings outlined in the guidance above. There is also an enablement step to see the new audit events. The new implementation details are in the Recommended Actions section below.

November 14, 2023 updates

The auditing changes added in August 2023 are now available on Windows Server 2022. You do not need to install MSIs or create policies as mentioned in Step 3 of Recommended Actions.

January 9, 2024 updates

The auditing changes added in October 2023 are now available on Windows Server 2019. You do not need to install MSIs or create policies as mentioned in Step 3 of Recommended Actions.

Recommended actions

We strongly advise customers to take the following steps at the earliest opportunity:

  1. Ensure that the March 10, 2020, or later Windows updates are installed on domain controller (DC) role computers. If you want to enable LDAP Channel Binding audit events, ensure that the August 8, 2023, or later updates are installed on Windows Server 2022 or Server 2019 DCs.

  2. Enable LDAP events diagnostic logging to 2 or higher.

  3. Enable the August 2023 or October 2023 Auditing Event updates using Group Policy. You can skip this step if you have installed the November 2023 or later updates on Windows Server 2022. If you have installed the January 2024 or later updates on Windows Server 2019, you can also skip this step.

  4. Monitor the Directory services event log on all DC role computers filtered for:

    • LDAP Signing failure event 2889 in Table 1.

    • LDAP Channel Binding failure event 3039 in Table 2.

    • LDAP Channel Binding audit events 3074 and 3075 in Table 3.

      Note Events 3039, 3074, and 3075 can only be generated when Channel Binding is set to When Supported or Always.

  5. Identify the make, model, and type of device for each IP address cited by:

    • Event 2889 for making unsigned LDAP calls

    • Event 3039 for not using LDAP Channel Binding

    • Event 3074 or 3075 for not being capable of LDAP Channel Binding

Device types

Group device types into 1 of 3 categories:

  1. Appliance or router -

    • Contact the device provider.

  2. Device that does not run on a Windows operating system -

    • Verify that both LDAP channel binding and LDAP signing are supported on the operating system and the application. Do this by working with the operating system and application provider.

  3. Device that does run on a Windows operating system -

    • LDAP signing is available to use by all applications on all supported versions of Windows. Verify that your application or service is using LDAP signing.

    • LDAP channel binding requires that all Windows devices have CVE-2017-8563 installed. Verify that your application or service is using LDAP channel binding.

Use local, remote, generic, or device-specific tracing tools. These include network captures, process manager, or debug traces. Determine whether the core operating system, a service, or an application is performing unsigned LDAP binds or is not using CBT.

Use Windows Task Manager or an equivalent to map the process ID to process, service, and application names.

Security update schedule

The March 10, 2020 update added controls for administrators to harden the configurations for LDAP channel binding and LDAP signing on Active Directory domain controllers. The August 8 and October 10, 2023 updates add options for administrators to audit client machines that cannot use LDAP channel binding tokens. We strongly advise customers to take the actions recommended in this article at the earliest opportunity.

Target Date

Event

Applies To

March 10, 2020

Required: Security Update available on Windows Update for all supported Windows platforms.

Note For Windows platforms that are out of standard support, this security update will only be available through the applicable extended support programs.

LDAP channel binding support was added by CVE-2017-8563 on Windows Server 2008 and later versions. Channel binding tokens are supported in Windows 10, version 1709 and later versions.

Windows XP does not support LDAP channel binding and would fail when LDAP channel binding is configured by using a value of Always but would interoperate with DCs configured to use more relaxed LDAP channel binding setting of When supported.

Windows Server 2022

Windows 10, version 20H2

Windows 10, version 1909 (19H2) Windows Server 2019 (1809 \ RS5) Windows Server 2016 (1607 \ RS1) Windows Server 2012 R2 Windows Server 2012 Windows Server 2008 R2 SP1 (ESU) Windows Server 2008 SP2 (Extended Security Update (ESU))

August 8, 2023

Adds LDAP channel binding token auditing events (3074 & 3075). They are disabled-by-default on Windows Server 2022.

Windows Server 2022

October 10, 2023

Adds LDAP channel binding token auditing events (3074 & 3075). They are disabled-by-default on Windows Server 2019.

Windows Server 2019

November 14, 2023

LDAP channel binding token auditing events are available on Windows Server 2022 without installing an enablement MSI (as described in Step 3 of Recommended Actions).

Windows Server 2022

January 9, 2024

LDAP channel binding token auditing events are available on Windows Server 2019 without installing an enablement MSI (as described in Step 3 of Recommended Actions).

Windows Server 2019

Frequently asked questions

For answers to frequently asked questions about LDAP channel binding and LDAP signing on Active Directory domain controllers, see:

Need more help?

Want more options?

Explore subscription benefits, browse training courses, learn how to secure your device, and more.

Communities help you ask and answer questions, give feedback, and hear from experts with rich knowledge.