Paul Walsh
 asked on

Windows March update ldap hardening.

Hi all,

Ahead of the Microsoft update in March forcing LDAP hardening, I have a few questions:

1. Is the update actually making any direct changes (enforcing the settings), or is it simply making the necessary changes but the actual applying of the settings will happen later in the year in another update?

2. We are currently in the process of moving to LDAPS, however I have read that this may not be necessary and that we can force the LDAP signing settings via GPO and this will suffice (along with channel binding). Is this correct?

3. If we wanted to delay the changes, I am assuming I simply don't install the March update on the DCs until we are ready. What about all the Windows clients in the network? Will these simply carry on working even if the update is applied to them?

Cheers,
Paul
Tags: Windows Server 2008, Windows 10, Azure, Windows Server 2016

Last comment: Adam Brown, 8/22/2022 - Mon
ASKER CERTIFIED SOLUTION
Adam Brown

Paul Walsh

ASKER
Hi,

Cool. Just to clarify then, if we haven't set up an internal CA before the update, clients will still be OK even after the update has been applied to them (they will use Kerberos). If we don't install the update on the DC, third-party/external devices will be OK.

So my thinking is to get a CA installed (2 tier) and install certificates onto the DC.

Then enable LDAPS and move external devices over to LDAPS.

Once done, then install the March update.

Is my thinking correct?

Cheers,
Paul
Adam Brown

That is a good action plan. Should work well. 2 tier CA may not be necessary (depends heavily on your compliance needs and physical security on the servers). Best practice says 2 tier, but best practices are recommendations only and don't apply to all situations. 
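Before installing the update on a DC, the practical check is whether the DC already requires signing/channel binding and which clients still bind unsigned (those are the ones that break). The following audit script is an added example, not from this thread or from Microsoft; it reads the documented NTDS registry values and the Directory Service events 2886/2887/2889. The property positions used for event 2889 (client address, identity) are an assumption about that event's message template. Run it as an administrator on a domain controller.

```powershell
# Added audit example (not from the thread). Run elevated on a DC.
$ntdsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$ntdsDiag   = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'

function Get-LdapHardeningState {
    $p = Get-ItemProperty -Path $ntdsParams -ErrorAction SilentlyContinue
    $d = Get-ItemProperty -Path $ntdsDiag   -ErrorAction SilentlyContinue

    # LDAPServerIntegrity: 1 = None (default), 2 = Require signing
    $signing = if ($p.LDAPServerIntegrity -eq 2) { 'Required' } else { 'NotRequired' }

    # LdapEnforceChannelBinding: 0 = Never, 1 = When supported, 2 = Always
    $cbt = switch ($p.LdapEnforceChannelBinding) {
        2       { 'Always' }
        1       { 'WhenSupported' }
        default { 'Never' }
    }

    # "16 LDAP Interface Events" >= 2 makes the DC log event 2889 per unsigned bind
    $perClient = ($d.'16 LDAP Interface Events' -ge 2)

    [pscustomobject]@{
        ServerSigning    = $signing
        ChannelBinding   = $cbt
        PerClientLogging = $perClient
    }
}

function Get-UnsignedLdapBinds {
    param([int]$Days = 1)
    # 2887 = 24-hour summary count of unsigned/simple binds
    # 2889 = one event per client that bound without signing (needs diagnostics level 2)
    $filter = @{ LogName = 'Directory Service'; Id = 2887, 2889; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        if ($_.Id -eq 2887) {
            [pscustomobject]@{ Id = 2887; Time = $_.TimeCreated; Client = '(summary)'; Identity = $_.Message }
        } else {
            # Assumption: Properties[0] = client IP:port, Properties[1] = identity the client bound as
            [pscustomobject]@{ Id = 2889; Time = $_.TimeCreated; Client = $_.Properties[0].Value; Identity = $_.Properties[1].Value }
        }
    }
}

Get-LdapHardeningState | Format-List
Get-UnsignedLdapBinds -Days 1 | Where-Object Id -eq 2889 |
    Group-Object Client, Identity | Sort-Object Count -Descending | Format-Table Count, Name
```

If PerClientLogging is False you will only see the 2887 totals; set "16 LDAP Interface Events" to 2 on the DC and wait for a day of traffic before relying on the per-client list.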
