2020 LDAP channel binding and LDAP signing requirements for Windows

LDAP channel binding and LDAP signing provide ways to increase the security for communications between LDAP clients and Active Directory domain controllers. A set of unsafe default configurations for LDAP channel binding and LDAP signing exist on Active Directory domain controllers that let LDAP clients communicate with them without enforcing LDAP channel binding and LDAP signing. This can open Active Directory domain controllers to an elevation of privilege vulnerability.

This vulnerability could allow a man-in-the-middle attacker to successfully forward an authentication request to a Microsoft domain server which has not been configured to require channel binding, signing, or sealing on incoming connections.

Microsoft recommends administrators make the hardening changes described in ADV190023.

On March 10, 2020 we are addressing this vulnerability by providing the following options for administrators to harden the configurations for LDAP channel binding on Active Directory domain controllers:

• Domain controller: LDAP server channel binding token requirements Group Policy.
• Channel Binding Tokens (CBT) signing events 3039, 3040, and 3041 with event sender Microsoft-Windows-Active Directory_DomainService in the Directory Service event log.

Important: The March 10, 2020 updates, and updates in the foreseeable future, will not change LDAP signing or LDAP channel binding default policies or their registry equivalent on new or existing Active Directory domain controllers.

The LDAP signing Domain controller: LDAP server signing requirements policy already exists in all supported versions of Windows.

The security of Active Directory domain controllers can be significantly improved by configuring the server to reject Simple Authentication and Security Layer (SASL) LDAP binds that do not request signing (integrity verification) or to reject LDAP simple binds that are performed on a clear text (non-SSL/TLS-encrypted) connection. SASLs may include protocols such as the Negotiate, Kerberos, NTLM, and Digest protocols.

Unsigned network traffic is susceptible to replay attacks in which an intruder intercepts the authentication attempt and the issuance of a ticket. The intruder can reuse the ticket to impersonate the legitimate user. Additionally, unsigned network traffic is susceptible to man-in-the-middle (MiTM) attacks in which an intruder captures packets between the client and the server, changes the packets, and then forward them to the server. If this occurs on an Active Directory Domain Controller, an attacker can cause a server to make decisions that are based on forged requests from the LDAP client. LDAPS uses its own distinct network port to connect clients and servers. The default port for LDAP is port 389, but LDAPS uses port 636 and establishes SSL/TLS upon connecting with a client.

Channel binding tokens help make LDAP authentication over SSL/TLS more secure against man-in-the-middle attacks.

Important The March 10, 2020 updates do not change LDAP signing or LDAP channel binding default policies or their registry equivalent on new or existing Active Directory domain controllers.

Windows updates to be released on March 10, 2020 add the following features:

• New events are logged in the Event Viewer related to LDAP channel binding. See Table 1 and Table 2 for details of these events.  
• A new Domain controller: LDAP server channel binding token requirements Group Policy to configure LDAP channel binding on supported devices.

The mapping between LDAP Signing Policy settings and registry settings are included as follows:

• Policy Setting: "Domain controller: LDAP server signing requirements"
• Registry Setting: LDAPServerIntegrity
• DataType: DWORD
• Registry Path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
   

The mapping between LDAP Channel Binding Policy settings and registry settings are included as follows:

• Policy Setting: "Domain controller: LDAP server channel binding token requirements"
• Registry Setting: LdapEnforceChannelBinding
• DataType: DWORD
• Registry Path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters  
   

Table 1: LDAP signing events

Table 2: CBT events

To set the logging level in the registry, use a command that resembles the following:

Reg Add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics /v "16 LDAP Interface Events" /t REG_DWORD /d 2

For more information how to configure Active Directory diagnostic event logging, see the following article in the Microsoft Knowledge Base:

314980 How to configure Active Directory and LDS diagnostic event logging

We strongly advise customers to take the following steps at the earliest opportunity:

1. Install the March 10, 2020 Windows updates on domain controller (DC) role computers when the updates are released.
2. Enable LDAP events diagnostic logging to 2 or higher.
3. Monitor Directory services event log on all DC role computers filtered for:
   • LDAP Signing failure event 2889 listed in Table 1.
   • LDAP Channel Binding failure event 3039 in Table 2.
     
     Note Event 3039 can only be generated when Channel Binding is set to When Supported or Always.
4. Identify the make, model, and type of device for each IP address cited by event 2889 as making unsigned LDAP calls or by 3039 events as not using LDAP Channel Binding.

Group device types into 1 of 3 categories:

1. Appliance or router
   • Contact the device provider.
2. Device that does not run on a Windows operating system
   • Verify that both LDAP channel binding and LDAP signing are supported on the operating system and then application by working with the operating system and application provider.
3. Device that does run on a Windows operating system
   • LDAP signing is available to use by all applications on all supported versions of Windows. Verify that your application or service is using LDAP signing.
   • LDAP channel binding requires that all Windows devices have CVE-2017-8563 installed. Verify that your application or service is using LDAP channel binding.

Use local, remote, generic, or device-specific tracing tools including network captures, process manager, or debug traces to determine whether the core operating system, a service, or an application is performing unsigned LDAP binds or is not using CBT.

Use Windows Task Manager or equivalent to map the process ID to process, service, and application names.

The March 10, 2020 updates will provide controls for administrators to harden the configurations for LDAP channel binding and LDAP signing on Active Directory domain controllers. We strongly advise customers to take the actions recommended in this article at the earliest opportunity.

For answers to frequently asked questions about LDAP channel binding and LDAP signing on Active Directory domain controllers, see Frequently asked questions about changes to Lightweight Directory Access Protocol.