Executive Summary
LDAP channel binding and LDAP signing provide secure communications between LDAP clients and domain controllers in an Active Directory domain. The default configurations for both are unsafe because they let clients bind without signing or channel binding, which exposes those binds to man-in-the-middle (including NTLM relay), impersonation, and elevation of privilege attacks. In the second half of 2020, a planned Microsoft security update will move domain controllers to more secure LDAP channel binding and LDAP signing configurations. This change may disrupt clients and services that rely on the unsafe methods.
Further Information
This change may especially impact legacy services configured before signing and secure LDAP authentication were widespread. Services built on third-party LDAP frameworks are a good place to start a review. Any service that performs simple binds or unsigned SASL binds over plain LDAP (TCP 389), rather than over LDAPS (TCP 636) with a server certificate the client properly trusts, will be affected by the signing requirement; services that authenticate with NTLM or Kerberos over LDAPS without supplying a channel binding token may be affected by the channel binding requirement. One specific example is AD-bound macOS clients, where the output of dsconfigad -show should reflect a “Packet signing” value of allow or require and a “Packet encryption” value of ssl. This is not necessarily the default behavior and may require rebinding the clients.
Third-party PowerShell modules are available for enabling diagnostics and reporting on insecure LDAP binds. These have not been tested or verified by REN-ISAC.
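As an added example (not from the advisory, and not one of the third-party modules it mentions), the following PowerShell performs the same diagnostics with built-in tooling on a domain controller. It assumes administrator rights on the DC, Windows Server 2008 or later, and Microsoft's documented NTDS diagnostic value name and Directory Service event IDs (2887 for the 24-hour summary, 2889 for per-client detail at logging level 2); the function names are the example's own.

```powershell
# Added example: audit unsigned / clear-text LDAP binds on a domain controller
# with built-in tooling. Not part of the REN-ISAC advisory. Assumes admin rights
# on the DC and Microsoft's documented registry value name and event IDs.

$DiagKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'
$DiagValue = '16 LDAP Interface Events'

# Step 1: raise LDAP Interface Events logging from 0 to 2. At level 0 the DC
# only writes a 24-hour summary (event 2887, a count of insecure binds); at
# level 2 it writes event 2889 for every such bind with client IP and identity.
# Level 2 is chatty on a busy DC, so set it back to 0 when the audit is done.
function Enable-LdapBindAudit {
    param([ValidateSet(0, 2)][int]$Level = 2)
    Set-ItemProperty -Path $DiagKey -Name $DiagValue -Value $Level -Type DWord
}

# Step 2: read event 2889 from the Directory Service log. In that event,
# Properties[0] is 'client-ip:port', Properties[1] the identity the client
# tried to bind as, and Properties[2] the binding type
# (0 = SASL bind without signing, 1 = simple bind over clear text).
function Get-InsecureLdapBind {
    param([datetime]$Since = (Get-Date).AddDays(-1))
    $filter = @{ LogName = 'Directory Service'; Id = 2889; StartTime = $Since }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $ipPort = [string]$_.Properties[0].Value
            [pscustomobject]@{
                TimeCreated = $_.TimeCreated
                # Strip only the trailing ':port' so IPv6 addresses stay intact.
                ClientIP    = $ipPort -replace ':\d+$', ''
                Identity    = [string]$_.Properties[1].Value
                BindType    = if ([string]$_.Properties[2].Value -eq '1') { 'SimpleClearText' } else { 'UnsignedSASL' }
            }
        }
}

# Step 3: collapse to one row per client / identity / bind type so each source
# can be fixed (rebind over LDAPS, or enable signing in the client library)
# before signing and channel binding are enforced.
function Get-InsecureLdapBindSummary {
    param([datetime]$Since = (Get-Date).AddDays(-1))
    Get-InsecureLdapBind -Since $Since |
        Group-Object ClientIP, Identity, BindType |
        ForEach-Object {
            $first = $_.Group[0]
            [pscustomobject]@{
                ClientIP = $first.ClientIP
                Identity = $first.Identity
                BindType = $first.BindType
                Count    = $_.Count
                # Sort instead of Measure-Object: Windows PowerShell 5.1 cannot
                # take -Maximum over DateTime values.
                LastSeen = ($_.Group | Sort-Object TimeCreated | Select-Object -Last 1).TimeCreated
            }
        } |
        Sort-Object Count -Descending

}

# Usage: run Enable-LdapBindAudit -Level 2, wait at least a full business cycle
# (batch jobs and weekend tasks bind too), then report, then set the level to 0.
Get-InsecureLdapBindSummary -Since (Get-Date).AddDays(-7) | Format-Table -AutoSize
# Enable-LdapBindAudit -Level 0
```

The summary is keyed on client IP plus identity because one host often carries several service accounts, and each one may live in a different configuration file. Run it against every DC, not just one, since clients are not guaranteed to bind to the same DC each time. Once the Microsoft update that adds the channel binding policy is installed, the documented companion event for the LDAPS side is 3039 (a client that did not supply, or failed, channel binding validation); the same filter works with that Id swapped in.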
It may be possible to roll back LDAP signing and channel binding after the planned 2020 update by editing the related registry keys [guidance document 1, guidance document 2]; however, doing so re-opens the attack vectors the update closes, such as MITM and NTLM relay against LDAP.
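As an added example (not from the advisory or its guidance documents), the following PowerShell reads and sets the two NTDS registry values that control enforcement on a domain controller, so the hardened and the rolled-back states can be put side by side and verified across all DCs. It assumes administrator rights on the DCs, remoting to them for the domain-wide check, and Microsoft's documented value names and meanings (LDAPServerIntegrity: 1 = None, 2 = Require signing; LdapEnforceChannelBinding: 0 = Never, 1 = When supported, 2 = Always; a missing value means the pre-update default of 1 and 0 respectively). The function names and the 'Hardened / Partial / Legacy' labels are the example's own.

```powershell
# Added example: inspect and set the NTDS enforcement values on a domain
# controller. Not part of the REN-ISAC advisory. Assumes admin rights on the DC
# and Microsoft's documented value names and meanings:
#   LDAPServerIntegrity        1 = None (unsigned binds accepted), 2 = Require signing
#   LdapEnforceChannelBinding  0 = Never, 1 = When supported, 2 = Always
# A missing value is treated as the pre-update default (1 and 0 respectively).
# The default path is hard-coded in each function so the function body can be
# shipped to remote DCs with Invoke-Command unchanged.

function Get-LdapHardeningState {
    param([string]$Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters')
    $p = Get-ItemProperty -Path $Path
    $signing = if ($null -ne $p.LDAPServerIntegrity)       { [int]$p.LDAPServerIntegrity }       else { 1 }
    $cbt     = if ($null -ne $p.LdapEnforceChannelBinding) { [int]$p.LdapEnforceChannelBinding } else { 0 }
    # 'Partial' covers signing without channel binding, or channel binding only
    # 'When supported' (level 1), which still lets clients that do not advertise
    # channel binding through.
    $state = if ($signing -eq 2 -and $cbt -eq 2) { 'Hardened' } elseif ($signing -eq 2 -or $cbt -ge 1) { 'Partial' } else { 'Legacy' }
    [pscustomobject]@{
        ComputerName              = $env:COMPUTERNAME
        LDAPServerIntegrity       = $signing
        LdapEnforceChannelBinding = $cbt
        SigningRequired           = ($signing -eq 2)
        ChannelBindingAlways      = ($cbt -eq 2)
        State                     = $state
    }
}

# Hardened: the target state of the planned update. Apply only after the bind
# audit shows no remaining unsigned or clear-text clients.
function Set-LdapHardening {
    param([string]$Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters')
    Set-ItemProperty -Path $Path -Name 'LDAPServerIntegrity'       -Value 2 -Type DWord
    Set-ItemProperty -Path $Path -Name 'LdapEnforceChannelBinding' -Value 2 -Type DWord
    Get-LdapHardeningState -Path $Path
}

# Rollback: the pre-update behaviour. This is the break-glass step the advisory
# warns about; it re-admits unsigned binds and relay of LDAP/LDAPS authentication.
function Undo-LdapHardening {
    param([string]$Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters')
    Set-ItemProperty -Path $Path -Name 'LDAPServerIntegrity'       -Value 1 -Type DWord
    Set-ItemProperty -Path $Path -Name 'LdapEnforceChannelBinding' -Value 0 -Type DWord
    Get-LdapHardeningState -Path $Path
}

# Domain-wide view: one row per DC (requires the ActiveDirectory module and
# PowerShell remoting to each DC). A single rolled-back DC is enough for an
# attacker to relay to, so every DC must report 'Hardened'.
function Get-DomainLdapHardeningState {
    $dcs = (Get-ADDomainController -Filter *).HostName
    Invoke-Command -ComputerName $dcs -ScriptBlock ${function:Get-LdapHardeningState} |
        Select-Object PSComputerName, LDAPServerIntegrity, LdapEnforceChannelBinding, State
}

Get-LdapHardeningState | Format-List
```

If the same settings are managed by Group Policy (the "Domain controller: LDAP server signing requirements" policy writes LDAPServerIntegrity, and the policy added with the 2020 update writes LdapEnforceChannelBinding), a direct registry edit is overwritten at the next policy refresh, so a rollback done this way is temporary and a hardening done this way must also be put into the GPO to stick. Treat any DC that reports 'Legacy' or 'Partial' as a finding to be explained, not just a configuration drift.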