Preventing LDAP apocalypse in March 2020 - LDAP signing requirements

[Kevin Beaumont 111]

In March this year, Microsoft plan to change LDAP (an authentication system) behaviour so you are required to make connections which is signed and basically secure.  If you have systems which authenticate with Active Directory in an insecure way, they will break post update.

More info here:

https://support.microsoft.com/en-us/help/4520412/2020-ldap-channel-binding-and-ldap-signing-requirement-for-windows

https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV190023

This is a big change which may have production impacts, i.e. systems may break.

How to identify systems which will break

Go to your domain controllers and look for Event ID 2887:

Product:	Windows Operating System
ID:	2887
Source:	Microsoft-Windows-ActiveDirectory_DomainService

Message:

During the previous 24 hour period, some clients attempted to perform LDAP binds that were either: (1) A SASL (Negotiate, Kerberos, NTLM, or Digest) LDAP bind that did not request signing (integrity validation), or (2) A LDAP simple bind that was performed on a cleartext (non-SSL/TLS-encrypted) connection

If you see this error, you need to take action as something will break.

You can manually enable LDAP interface event logging, and afterwards Event ID 2889 will be logged in same location with the IP addresses of clients using insecure LDAP.

On each DC:

# Enable Simple LDAP Bind Logging 
Reg Add HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics /v "16 LDAP Interface Events" /t REG_DWORD /d 2

This will get you the IP address of systems using insecure LDAP.. the next issue is to get them to... not do that.  Over to you!

[Alex Montague 3]

Thanks for this. Raised the flag 2-3 months back when ADV190023  first came out. I was wondering how could we go about investigating which appliances/systems would break after this update goes through, and the default settings gets changed. Looks like I'll be working on it right away.

[Alex Montague 3]

New information has come to light: apparently, the March 2020 update will NOT change the default settings for LDAP connections, but another monthly security update will later this year.

https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/ldap-channel-binding-and-ldap-signing-requirements-march-update/ba-p/921536

***NEW NOTE***

ADV190023 | Microsoft Guidance for Enabling LDAP Channel Binding and LDAP Signing: https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV190023

 

Windows Updates in March 2020 add new audit events, additional logging, and a remapping of Group Policy values that will enable hardening LDAP Channel Binding and LDAP Signing. The March 2020 updates do not make changes to LDAP signing or channel binding policies or their registry equivalent on new or existing domain controllers.

A further future monthly update, anticipated for release the second half of calendar year 2020, will enable LDAP signing and channel binding on domain controllers configured with default values for those settings.

Administrators can prevent the feature update from making those change either by enabling LDAP signing and channel binding NOW or by configuring non-default values prior to installing updates that enable LDAP signing and channel binding by default.

[Kevin Beaumont 111]

Perfect - thank you very much.  So it is delayed now, and they're add opt out registry values for later.

(If anybody is confused, Microsoft have multiple pieces of conflicting info on this - e.g. this one is still online:

 

 

)

[Kevin Beaumont 111]

The documentation is in line now and up to date: