RI
Microsoft published a security advisory providing guidance to increase the security for communications between LDAP clients and Active Directory domain controllers. The document introduced the use of LDAP channel binding and LDAP signing.
"Microsoft recommends administrators make the hardening changes described in ADV190023 because when using default settings, an elevation of privilege vulnerability exists in Microsoft Windows that could allow a man-in-the-middle attacker to successfully forward an authentication request to a Windows LDAP server, such as a system running AD DS or AD LDS, which has not configured to require signing or sealing on incoming connections. The security of a directory server can be significantly improved by configuring the server to reject Simple Authentication and Security Layer (SASL) LDAP binds that do not request signing (integrity verification) or to reject LDAP simple binds that are performed on a clear text (non-SSL/TLS-encrypted) connection. SASLs may include protocols such as the Negotiate, Kerberos, NTLM, and Digest protocols. Unsigned network traffic is susceptible to replay attacks in which an intruder intercepts the authentication attempt and the issuance of a ticket. The intruder can reuse the ticket to impersonate the legitimate user. Additionally, unsigned network traffic is susceptible to man-in-the-middle attacks in which an intruder captures packets between the client and the server, changes the packets, and then forwards them to the server. If this occurs on an LDAP server, an attacker can cause a server to make decisions that are based on forged requests from the LDAP client."
Cisco strongly advises customers to enable LDAP channel binding and LDAP signing to increase the security of their Windows LDAP implementations. A Windows Update will be released by Microsoft in March 2020 for all supported Windows platforms and will enable LDAP channel binding and LDAP signing on Active Directory servers by default.
Customers can also subscribe to the Cisco Talos blog to obtain more information about industry vulnerability mitigations and protections.
https://community.cisco.com/t5/security-documents/enhancing-windows-ldap-security-by-enabling-ldap-channel-binding/ta-p/4028596
https://support.microsoft.com/en-us/help/4520412/2020-ldap-channel-binding-and-ldap-signing-requirement-for-windows
"Microsoft recommends administrators make the hardening changes described in ADV190023 because when using default settings, an elevation of privilege vulnerability exists in Microsoft Windows that could allow a man-in-the-middle attacker to successfully forward an authentication request to a Windows LDAP server, such as a system running AD DS or AD LDS, which has not configured to require signing or sealing on incoming connections. The security of a directory server can be significantly improved by configuring the server to reject Simple Authentication and Security Layer (SASL) LDAP binds that do not request signing (integrity verification) or to reject LDAP simple binds that are performed on a clear text (non-SSL/TLS-encrypted) connection. SASLs may include protocols such as the Negotiate, Kerberos, NTLM, and Digest protocols. Unsigned network traffic is susceptible to replay attacks in which an intruder intercepts the authentication attempt and the issuance of a ticket. The intruder can reuse the ticket to impersonate the legitimate user. Additionally, unsigned network traffic is susceptible to man-in-the-middle attacks in which an intruder captures packets between the client and the server, changes the packets, and then forwards them to the server. If this occurs on an LDAP server, an attacker can cause a server to make decisions that are based on forged requests from the LDAP client."
Cisco strongly advises customers to enable LDAP channel binding and LDAP signing to increase the security of their Windows LDAP implementations. A Windows Update will be released by Microsoft in March 2020 for all supported Windows platforms and will enable LDAP channel binding and LDAP signing on Active Directory servers by default.
Customers can also subscribe to the Cisco Talos blog to obtain more information about industry vulnerability mitigations and protections.
https://community.cisco.com/t5/security-documents/enhancing-windows-ldap-security-by-enabling-ldap-channel-binding/ta-p/4028596
https://support.microsoft.com/en-us/help/4520412/2020-ldap-channel-binding-and-ldap-signing-requirement-for-windows
