LDAP channel binding and LDAP signature request for Windows: This is what you need to do now.
You may remember that on 13 August 2019, Microsoft issued a somewhat under-the-radar security advisory urging customers to change two Active Directory settings to protect their domain controllers. The recommended changes, which concern LDAP connections, may have a substantial impact on your IT infrastructure. And it’s important that you act now...
Written by
LDAP, developed in 1993 at the University of Michigan, provides a simple, uniform way to access object data. Over the years, it has proved to be a practical resource that functions quite well—perhaps too well as the interface has often been misused to acquire sensitive data from directory services in preparation of a cyber attack.
Microsoft has therefore pulled the plug on current default LDAP settings. The March 2020 Microsoft update will enable LDAP channel binding and LDAP signing (LDAPS) by default for Active Directory servers. This ensures that only requests with a certificate are accepted.
However, the tight time schedule confronts many customers with the challenge of establishing alternative solutions. Microsoft has now decided, in response to popular demand, to postpone the shutdown until the second half of the year. With this decision, Microsoft is granting its customers a one-time postponement to replace the LDAP interface still used in many legacy applications. Nevertheless, there is no time to lose at this point. A further delay is not to be expected due to security reasons.
What does this mean?
This change affects a large portion of your company’s IT infrastructure, namely any system that uses or is linked to AD authentication. Whether they work properly or not will depend on their compatibility with enabled LDAP channel binding and LDAP signing. After 20 March, all systems using LDAP without a certificate will no longer be available.
Which systems are affected?
This is a difficult question to answer. Because LDAP has been around for so long, the protocol is now used in numerous systems, from phone systems and multifunction printers to production lines and Wi-Fi infrastructure. Virtual appliances also need to access Active Directory data. The reality is that nearly all IT infrastructure components will be affected by the update in March.
What can you do?
The worst thing to do is ignore the security update that will be released on 20 March—it's safe to assume the vulnerabilities addressed in the update will catch the attention of unsavoury characters. What you do need to do is switch to signed LDAP connections, which isn’t difficult in and of itself. But do you know which of your systems use LDAP?
Instead of pulling out a crystal ball, let Bechtle perform a dual assessment for you, which will identify systems exchanging unsigned LDAP requests.
- LDAP Standard - The standard assessment uses special software installed on your domain controllers to inspect packets for LDAP requests and log them. This assessment records all LDAP requests to the Active Directory service.
- LDAP Advanced - The advanced assessment uses a network sniffer to analyse the LDAP traffic travelling through your core switches. It also records LDAP traffic exchanged between outside systems, such as appliances.
Please note that both assessments are able to detect only those systems which actively communicate during the assessment period. We therefore recommend beginning assessments as soon as possible.
