In March, Microsoft is releasing a security patch to enforce LDAP channel binding and LDAP request signing.
The Microsoft articles and links are shown below. LDAP channel binding and signing can be configured now, but Microsoft is to enforce these settings in a security patch set for release in March 2020.
Microsoft security Patch
Microsoft LDAP signing article
For SecurEnvoy, only our LDAP BIND operation is affected; RADIUS and HTTP communications are unaffected (e.g. securectrl).
SecurEnvoy have successfully tested the above with our current On-Premise 9.3.
Our default stance, and a security best practice, is to use a certificate so that LDAPS is implemented. As long as a certificate is implemented, this patch has no adverse effect, as channel binding and signing are already supported.
Please see video instructions: https://vimeo.com/395401854
See the image below from Domain Settings within the SecurEnvoy Administration console. Navigate to the two LDAP servers (if used), enable the "use SSL/TLS" tick box, and ensure a fully qualified domain name is used, matching the one used in the certificate.
If required, customers can turn off the effect of the Microsoft security patch:
Microsoft Channel Binding article
The instructions below are a subset of the above link.
To help make LDAP authentication over SSL\TLS more secure, administrators can configure the following registry settings:
- Path for Active Directory Domain Services (AD DS) domain controllers: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters
- Path for Active Directory Lightweight Directory Services (AD LDS) servers: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\<LDS instance name>\Parameters
- DWORD: LdapEnforceChannelBinding
- DWORD value: 0 indicates disabled. No channel binding validation is performed. This is the behavior of all servers that have not been updated.
- DWORD value: 1 indicates enabled, when supported. All clients that are running on a version of Windows that has been updated to support channel binding tokens (CBT) must provide channel binding information to the server. Clients that are running a version of Windows that has not been updated to support CBT do not have to do so. This is an intermediate option that allows for application compatibility.
- DWORD value: 2 indicates enabled, always. All clients must provide channel binding information. The server rejects authentication requests from clients that do not do so.
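The registry setting listed above can be read and changed from an elevated PowerShell prompt on the domain controller or AD LDS server. The following is an added example, not SecurEnvoy or Microsoft code; the function and parameter names are hypothetical, and the AD LDS service key name must be supplied by the administrator.

```powershell
# Added example: audit or set LdapEnforceChannelBinding (function names are hypothetical).
# Registry paths and value meanings are the ones listed in the article above.

function Get-LdapParametersPath {
    param([string]$LdsInstanceName)   # leave empty for an AD DS domain controller
    if ($LdsInstanceName) {
        "HKLM:\SYSTEM\CurrentControlSet\Services\$LdsInstanceName\Parameters"
    } else {
        'HKLM:\System\CurrentControlSet\Services\NTDS\Parameters'
    }
}

function Get-LdapChannelBinding {
    param([string]$LdsInstanceName)
    $meaning = @{
        0 = 'Disabled: no channel binding validation is performed'
        1 = 'Enabled, when supported: CBT-capable clients must send channel binding information'
        2 = 'Enabled, always: clients that send no channel binding information are rejected'
    }
    $path = Get-LdapParametersPath $LdsInstanceName
    if (-not (Test-Path $path)) { throw "Registry key not found: $path" }
    $item = Get-ItemProperty -Path $path -Name LdapEnforceChannelBinding -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        # Value absent: report that explicitly instead of guessing a default
        return [pscustomobject]@{ Path = $path; Value = $null; Meaning = 'Not configured' }
    }
    $value = [int]$item.LdapEnforceChannelBinding
    $text  = if ($meaning.ContainsKey($value)) { $meaning[$value] } else { 'Unexpected value' }
    [pscustomobject]@{ Path = $path; Value = $value; Meaning = $text }
}

function Set-LdapChannelBinding {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][ValidateRange(0, 2)][int]$Value,
        [string]$LdsInstanceName
    )
    $path = Get-LdapParametersPath $LdsInstanceName
    if (-not (Test-Path $path)) { throw "Registry key not found: $path" }
    if ($PSCmdlet.ShouldProcess($path, "Set LdapEnforceChannelBinding to $Value")) {
        # -Force creates the DWORD or overwrites an existing one
        New-ItemProperty -Path $path -Name LdapEnforceChannelBinding `
            -PropertyType DWord -Value $Value -Force | Out-Null
    }
    Get-LdapChannelBinding -LdsInstanceName $LdsInstanceName   # show the resulting state
}

# Usage: Get-LdapChannelBinding
#        Set-LdapChannelBinding -Value 2 -WhatIf   # preview the change without writing
```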