- Windows Server 2016
- Windows Server 2012
- Windows Server 2008
- Active Directory
- Windows 10
- Windows
- Azure
Windows March update ldap hardening.
Hi all,
Ahead of the Microsoft update in March forcing ldap hardening, I have a few questions
1.Is the update actually making any direct changes (enforcing the settings), or is it simply making the necessary changes but the actual applying of the settings will happen later in the year in another update?
2. We are currently in the process of moving to ldaps however I have read that this may be not be necessary and that we can force the ldap signing settings via gpo and this will suffice (along with channel binding). Is this correct?
3. If we wanted to delay the changes I am assuming I simply don’t install the march update until we are ready on the DC’s. What about all the windows clients in the network. Will these simply carry on working even if the update is applied to them?
Cheers,
Paul
Ahead of the Microsoft update in March forcing ldap hardening, I have a few questions
1.Is the update actually making any direct changes (enforcing the settings), or is it simply making the necessary changes but the actual applying of the settings will happen later in the year in another update?
2. We are currently in the process of moving to ldaps however I have read that this may be not be necessary and that we can force the ldap signing settings via gpo and this will suffice (along with channel binding). Is this correct?
3. If we wanted to delay the changes I am assuming I simply don’t install the march update until we are ready on the DC’s. What about all the windows clients in the network. Will these simply carry on working even if the update is applied to them?
Cheers,
Paul
1. It's enforcing. Unencrypted/basic authentication will no longer work. You can still do unencrypted LDAP, but you have to use kerberos to do it.
2. Not 100% sure on this one, but I would definitely work toward getting off unsecured auth methods.
3. Yes, delaying is the best option until you can get things ready. Note that as long as there is a valid certificate on the server (one issued by an Internal CA that the whole domain trusts), all windows domain clients will use LDAPS to connect by default, so as long as LDAPS is *possible* on all DCs, your clients will handle the change without issues (also the clients will use kerberos to authenticate to LDAP, so they aren't impacted). Usually just the external systems that use LDAP binding will be affected.
Hi,
Cool. Just to clarify then, if we haven’t setup an internal CA before the update, clients will still be ok even after the update has been applied to them ( they will use Kerberos). If we don’t install the update on the DC, third party/ external devices will be ok.
So my thinking is get CA installed (2 tier) and install certificates onto dc.
Then enable ldaps and move external devices over to ldaps.
once done then install the March update.
Is my thinking correct?
Cheers,
Paul
Cool. Just to clarify then, if we haven’t setup an internal CA before the update, clients will still be ok even after the update has been applied to them ( they will use Kerberos). If we don’t install the update on the DC, third party/ external devices will be ok.
So my thinking is get CA installed (2 tier) and install certificates onto dc.
Then enable ldaps and move external devices over to ldaps.
once done then install the March update.
Is my thinking correct?
Cheers,
Paul
Explore More ContentExplore courses, solutions, and other research materials related to this topic.
-
![]()
received a Solution
local certificate authority expired on windows server 2012R2, renewed, but still not working -
![]()
wrote an Article
![]()
Windows 10 Search Bar Results Shows Black Square
-
![]()
created a Video
![]()
Windows Insider Preview 19592
-
Explore Cloud Class® ![]()
Certification: MCSE Microsoft Certified Systems Engineer - Securing Windows Server 2016
Premium Content
You need an Expert Office subscription to comment.Start Free Trial