Microsoft Guidance for Enabling LDAP Channel Binding and LDAP Signing
Released: Aug 13, 2019
Last updated: Jan 9, 2024
- Assigning CNA: Microsoft
- Impact: None
- Max Severity: None
Executive Summary
LDAP channel binding and LDAP signing provide ways to increase the security for communications between LDAP clients and Active Directory domain controllers. A set of unsafe default configurations for LDAP channel binding and LDAP signing exist on Active Directory domain controllers that let LDAP clients communicate with them without enforcing LDAP channel binding and LDAP signing. This can open Active Directory domain controllers to an elevation of privilege vulnerability.
Microsoft is aware that when these default configurations are used, an elevation of privilege vulnerability exists in Microsoft Windows that could allow a man-in-the-middle attacker to successfully forward an authentication request to a Windows LDAP server, such as a system running AD DS, which has not been configured to require channel binding, and signing or sealing on incoming connections.
Microsoft is addressing this vulnerability by providing recommendations for administrators to harden the configurations for LDAP channel binding and LDAP signing on Active Directory domain controllers as follows:
In August 2019, Microsoft published ADV190023 with the following recommendations for settings:
- Set LDAP signing to Require Signing in group policy.
- Set the Channel Binding Token (CBT) value to 1 in the registry, or set the Domain controller: LDAP server channel binding token requirements group policy to When Supported after installing the March 10, 2020 updates.
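The following PowerShell is an added example, not code from the advisory or from Microsoft: it audits (and can optionally set, with -WhatIf support) the registry equivalents of the two policies above on a domain controller. The value names LDAPServerIntegrity and LdapEnforceChannelBinding under the NTDS Parameters key are the standard registry backing for these policies; the function and parameter names are the example's own.

```powershell
# Added example, not code from the advisory. Run as an administrator on the DC;
# Group Policy writes the same registry values, so this shows the effective state.
$NtdsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'

# LDAPServerIntegrity backs "Domain controller: LDAP server signing requirements".
$SigningMeaning = @{ 1 = 'None (signing negotiated, not required)'; 2 = 'Require signing' }
# LdapEnforceChannelBinding backs "Domain controller: LDAP server channel binding token requirements".
$CbtMeaning = @{ 0 = 'Never'; 1 = 'When supported'; 2 = 'Always' }

function Get-LdapHardeningState {
    $p = Get-ItemProperty -Path $NtdsParams -ErrorAction Stop
    # An absent value means the built-in default applies: signing negotiated (1), CBT never (0).
    $signing = if ($null -ne $p.LDAPServerIntegrity) { [int]$p.LDAPServerIntegrity } else { 1 }
    $cbt = if ($null -ne $p.LdapEnforceChannelBinding) { [int]$p.LdapEnforceChannelBinding } else { 0 }
    [pscustomobject]@{
        ComputerName            = $env:COMPUTERNAME
        LdapSigning             = if ($SigningMeaning.ContainsKey($signing)) { $SigningMeaning[$signing] } else { "Unknown ($signing)" }
        LdapSigningCompliant    = ($signing -eq 2)   # advisory: Require Signing
        ChannelBinding          = if ($CbtMeaning.ContainsKey($cbt)) { $CbtMeaning[$cbt] } else { "Unknown ($cbt)" }
        ChannelBindingCompliant = ($cbt -ge 1)       # advisory: at least When Supported (1)
    }
}

function Set-LdapHardening {
    # Writes the advisory's recommended values. Prefer Group Policy in production so the
    # setting is not overwritten later; -WhatIf previews the change without applying it.
    [CmdletBinding(SupportsShouldProcess)]
    param([ValidateSet(1, 2)][int]$ChannelBinding = 1)
    if ($PSCmdlet.ShouldProcess($NtdsParams, 'Set LDAPServerIntegrity=2 (Require signing)')) {
        Set-ItemProperty -Path $NtdsParams -Name LDAPServerIntegrity -Value 2 -Type DWord
    }
    if ($PSCmdlet.ShouldProcess($NtdsParams, "Set LdapEnforceChannelBinding=$ChannelBinding")) {
        Set-ItemProperty -Path $NtdsParams -Name LdapEnforceChannelBinding -Value $ChannelBinding -Type DWord
    }
}

Get-LdapHardeningState | Format-List
# Set-LdapHardening -WhatIf   # preview the recommended change; drop -WhatIf to apply it
```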
On March 10, 2020, Windows updates will add options for administrators to harden the configurations for LDAP channel binding on Active Directory domain controllers. The updates add:
- Domain controller: LDAP server channel binding token requirements group policy.
- CBT signing events 3039, 3040, and 3041 with event source Microsoft-Windows-ActiveDirectory_DomainService in the Directory Service event log.
On August 8, 2023, Windows Updates for Server 2022 will add options for administrators to audit client machines that cannot utilize LDAP channel binding tokens via events on Active Directory domain controllers. The updates add the capability to enable CBT events 3074 & 3075 with event source Microsoft-Windows-ActiveDirectory_DomainService in the Directory Service event log.
On October 10, 2023, Windows updates for Server 2019 will add options for administrators to audit those clients. The updates add the capability to enable CBT events 3074 & 3075 with event source Microsoft-Windows-ActiveDirectory_DomainService in the Directory Service event log.
On October 17, 2023, Microsoft released Windows Server 2022, 23H2 Edition (Server Core installation). This version includes the options for administrators to audit client machines that cannot utilize LDAP channel binding tokens via events on Active Directory domain controllers, and includes the capability to enable CBT events 3074 & 3075 with event source Microsoft-Windows-ActiveDirectory_DomainService in the Directory Service event log.
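As an added example (not part of the advisory or any Microsoft tool), the following PowerShell summarises, per domain controller, the CBT event IDs the advisory lists: 3039, 3040 and 3041 from the March 2020 update and 3074 and 3075 from the 2023 audit updates. It assumes the 3074/3075 events have already been enabled as described in KB4520412; the function name and parameters are the example's own.

```powershell
# Added example, not code from the advisory: count the CBT events named above in the
# Directory Service log over a time window, so a defender can see how many binds are
# failing or lacking channel binding before moving the policy from When Supported to Always.
function Get-LdapCbtEventSummary {
    param(
        [string[]]$ComputerName = @($env:COMPUTERNAME),
        [int]$Days = 7
    )
    # Labels follow the advisory's grouping of the event IDs.
    $labels = @{
        3039 = 'CBT signing event (March 2020 update)'
        3040 = 'CBT signing event (March 2020 update)'
        3041 = 'CBT signing event (March 2020 update)'
        3074 = 'CBT audit event (2023 update)'
        3075 = 'CBT audit event (2023 update)'
    }
    $filter = @{
        LogName      = 'Directory Service'
        ProviderName = 'Microsoft-Windows-ActiveDirectory_DomainService'
        Id           = @($labels.Keys)
        StartTime    = (Get-Date).AddDays(-$Days)
    }
    foreach ($dc in $ComputerName) {
        # Get-WinEvent reports "no events found" as an error, so suppress it and test for $null.
        $events = Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction SilentlyContinue
        if (-not $events) {
            [pscustomobject]@{ DomainController = $dc; EventId = $null; Label = 'No CBT events in window'
                               Count = 0; First = $null; Last = $null; LatestMessage = $null }
            continue
        }
        $events | Group-Object Id | ForEach-Object {
            $sorted = $_.Group | Sort-Object TimeCreated
            [pscustomobject]@{
                DomainController = $dc
                EventId          = [int]$_.Name
                Label            = $labels[[int]$_.Name]
                Count            = $_.Count
                First            = $sorted[0].TimeCreated
                Last             = $sorted[-1].TimeCreated
                LatestMessage    = ($sorted[-1].Message -split "`n")[0]  # first line of the newest event
            }
        }
    }
}

Get-LdapCbtEventSummary -Days 7 | Format-Table -AutoSize
```

Pass several DC names in -ComputerName to compare the whole domain in one run; a steady count of zero over a representative window is the signal that tightening the policy is unlikely to break clients.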
With the release of the November 14, 2023 security updates, the auditing changes added in August 2023 are now available on Windows Server 2022. You do not need to install MSIs or create policies as mentioned in Step 3 of Recommended Actions.
With the release of the January 9, 2024 security updates, the auditing changes added in August 2023 are now available on Windows Server 2019. You do not need to install MSIs or create policies as mentioned in Step 3 of Recommended Actions.
Important: The March 10, 2020 updates, and updates in the foreseeable future, will not make changes to LDAP signing or LDAP channel binding policies or their registry equivalents on new or existing domain controllers.
Note that the LDAP signing policy, Domain controller: LDAP server signing requirements, already exists in all supported versions of Windows.
Recommended Actions
Microsoft recommends that administrators configure LDAP signing and LDAP channel binding as recommended in Step One of the Executive Summary of this advisory and as described in detail in KB4520412: 2020 and 2023 LDAP channel binding and LDAP signing requirements for Windows.
How to get notified of updates to this advisory
When the March 10, 2020 Windows updates become available, customers will be notified via a revision to this advisory. If you wish to be notified when these updates are released, we recommend that you register for the security notifications mailer to be alerted of content changes to this advisory. See Microsoft Technical Security Notifications.
References
See the following Microsoft Knowledge Base articles for detailed guidance on how to enable LDAP channel binding and LDAP signing on Active Directory domain controllers:
- KB4520412: 2020 and 2023 LDAP channel binding and LDAP signing requirements for Windows
- KB4034879: LDAP channel binding
- KB935834: LDAP signing
- KB4546509: Frequently asked questions about changes to Lightweight Directory Access Protocol
FAQ
Where can I find further answers to my questions?
For a list of Frequently Asked Questions on LDAP channel binding and LDAP signing on Active Directory Domain Controllers, see KB4546509: Frequently asked questions about changes to Lightweight Directory Access Protocol. See also KB4520412: 2020 and 2023 LDAP channel binding and LDAP signing requirements for Windows.
Exploitability
The following table provides an exploitability assessment for this vulnerability at the time of original publication.
- Publicly disclosed: Yes
- Exploited: No
- Exploitability assessment: Exploitation Less Likely
Security Updates
To determine the support lifecycle for your software, see the Microsoft Support Lifecycle.
Revisions
- With the release of the January 9, 2024 security updates, the auditing changes added in August 2023 are now available on Windows Server 2019. You do not need to install MSIs or create policies as mentioned in Step 3 of Recommended Actions.
- With the release of the November 14, 2023 security updates, the auditing changes added in August 2023 are now available on Windows Server 2022. You do not need to install MSIs or create policies as mentioned in Step 3 of Recommended Actions.
- On October 17, 2023, Microsoft released Windows Server 2022, 23H2 Edition (Server Core installation). This version includes the options for administrators to audit client machines that cannot utilize LDAP channel binding tokens via events on Active Directory domain controllers, and includes the capability to enable CBT events 3074 & 3075 with event source Microsoft-Windows-ActiveDirectory_DomainService in the Directory Service event log.
- Microsoft is announcing that the October 10, 2023 updates are available for Windows Server 2022 and Windows Server 2022 (Server Core installation) to enable administrators to audit, via events on Active Directory domain controllers, client machines that cannot utilize LDAP channel binding tokens. The updates add the capability to enable CBT events 3074 & 3075 with event source Microsoft-Windows-ActiveDirectory_DomainService in the Directory Service event log.
- Microsoft is announcing that the August 8, 2023 updates are available for Windows Server 2022 and Windows Server 2022 (Server Core installation) to audit client machines that cannot utilize LDAP channel binding tokens via events on Active Directory domain controllers. The updates add the capability to enable CBT events 3074 & 3075 with event source Microsoft-Windows-ActiveDirectory_DomainService in the Directory Service event log.
- Microsoft is announcing that the March 10, 2020 security updates are available that add options for administrators to harden the configurations for LDAP channel binding on Active Directory domain controllers. These options are:
  - "Domain controller: LDAP server channel binding token requirements" group policy.
  - CBT signing events 3039, 3040, and 3041 with event source Microsoft-Windows-ActiveDirectory_DomainService in the Directory Service event log.
  Note that these March 10, 2020 updates and updates in the foreseeable future will not make changes to LDAP signing or LDAP channel binding policies or their registry equivalents on new or existing domain controllers.
- The following revisions have been made:
  - Clarified the actions customers need to take to harden the configurations for LDAP channel binding and LDAP signing on Active Directory Domain Controllers.
  - In the References section, added a link to KB4546509: https://support.microsoft.com/en-us/help/4546509 - Frequently asked questions about changes to Lightweight Directory Access Protocol.
  - Updated the FAQ section to direct customers to KB4546509.
- In the Recommended Actions section, added information that details what will be included in the March 2020 updates to enable hardening LDAP Channel Binding and LDAP Signing. Included information about a future monthly update that will enable LDAP signing and channel binding on domain controllers configured with default values for those settings. These are informational changes only.
- In the Recommended Actions section, updated the opening sentence to indicate that the Windows update will be available in March 2020.
- Revised the Recommended Actions section to provide customers with more detailed information about actions to take to make LDAP channel binding and LDAP signing on Active Directory Domain Controllers more secure.