2020 LDAP channel binding and LDAP signing requirement for Windows

Updated 2/6/20

As you may have seen, Active Directory Domain Controllers ship with a set of unsafe default configurations for LDAP channel binding and LDAP signing that let LDAP clients communicate with them without either protection being enforced. This can expose Active Directory domain controllers to elevation of privilege vulnerabilities.

Please read the full security advisory from Microsoft and follow these recommended steps at your earliest opportunity:

  • Configure your systems to help make LDAP channel binding and LDAP signing on Active Directory Domain Controllers more secure.
  • Find and fix any application compatibility issues in the environment.
  • Validate that your LDAP binds use TLS or SSL: once signing is required, simple binds over plaintext LDAP are rejected. Read more in this article from Citrix.
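As an added example that is not part of the original notice, the following PowerShell audit, run on a domain controller, reports the two registry values that govern these settings and lists the clients the Directory Service log recorded binding without signing, which is where the application-compatibility work in the second step starts. The value names LDAPServerIntegrity and LdapEnforceChannelBinding, Event ID 2889 and its property layout, and the diagnostics setting needed to log it are assumptions taken from Microsoft's documentation of this advisory, not from this page.

```powershell
# Added audit example (not from the original notice). Registry value names,
# Event ID 2889 and its property order are assumed from Microsoft's advisory
# documentation; confirm them against the advisory before relying on them.
$ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'

# 1. Current DC-side settings. A missing value means the unsafe default applies.
$signing = (Get-ItemProperty -Path $ntds -Name LDAPServerIntegrity -ErrorAction SilentlyContinue).LDAPServerIntegrity
$cbt     = (Get-ItemProperty -Path $ntds -Name LdapEnforceChannelBinding -ErrorAction SilentlyContinue).LdapEnforceChannelBinding

$signingText = switch ($signing) { 2 { 'Require signing' } 1 { 'None (negotiated only)' } default { 'Not set (behaves as None)' } }
$cbtText     = switch ($cbt)     { 2 { 'Always' } 1 { 'When supported' } default { 'Not set (behaves as Never)' } }
Write-Host "LDAP signing requirement : $signingText"
Write-Host "LDAP channel binding     : $cbtText"

# 2. Clients observed doing unsigned SASL binds or simple binds over plaintext
#    in the last 7 days. Event 2889 is written once per such bind, but only when
#    the '16 LDAP Interface Events' diagnostics level is 2 (assumed); otherwise
#    only the 24-hour summary event is available.
$since  = (Get-Date).AddDays(-7)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 2889; StartTime = $since } -ErrorAction SilentlyContinue

$events |
  ForEach-Object {
    # Properties[0] = client IP:port, Properties[1] = identity bound as (assumed schema)
    [pscustomobject]@{ Client = $_.Properties[0].Value; Identity = $_.Properties[1].Value }
  } |
  Group-Object Client, Identity |
  Sort-Object Count -Descending |
  Select-Object Count,
                @{ n = 'Client';   e = { $_.Group[0].Client } },
                @{ n = 'Identity'; e = { $_.Group[0].Identity } } |
  Format-Table -AutoSize
```

Each row in the resulting table is a client or service account that will start failing once signing is required, so it doubles as the work list for the compatibility fixes above.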

Microsoft will provide a Windows update that by default will change the LDAP channel binding and LDAP signing to more secure configurations. If you wish to be notified when the update is released, register for security notifications here.

Technologies that could be affected include Citrix ADC, firewalls and other Linux-based appliances that authenticate against Active Directory over LDAP.

If you have any questions around this advisory, please contact us at support@a2u.net.