pramod1
active directory, vulnerability, LDAPS, windows server

We have got the below vulnerability on our Windows domain controller:

Microsoft Guidance for Enabling LDAP Signing Missing (ADV190023)

Impact: A set of unsafe default configurations for LDAP channel binding and LDAP signing exist on Active Directory Domain Controllers that let LDAP clients communicate with them without enforcing LDAP channel binding and LDAP signing. This can open Active Directory domain controllers to elevation of privilege vulnerabilities.


I was told by an earlier expert, David Johnson, to refer to:

https://docs.microsoft.com/en-us/troubleshoot/windows-server/identity/enable-ldap-signing-in-windows-server

but my scan result referred me to:

https://msrc.microsoft.com/update-guide/vulnerability/ADV190023

Not sure which steps to follow.

Seth Simmons

"not sure which steps to follow:"

Well... both.
The first complements the second.
The first says to configure LDAP signing to Require Signing in group policy, and the second shows how to do it in group policy.
ASKER CERTIFIED SOLUTION
DEMAN-BARCELO (MVP) Thierry
pramod1 (ASKER)

We found that when we used ldp.exe, a secure LDAP connection was not available.
We tried to install the certificate manually; we thought that these DCs would get these certs auto-pushed from the internal PKI, but they didn't, so we manually installed them.

The certificate was imported into the local machine store, and the Root and Intermediate certificates have been placed in the right containers.
LDP validation has been successful using the FQDN, but the vulnerability mentioned in this case (Microsoft Guidance for Enabling LDAP Signing Missing (ADV190023)) still exists.

Is there anything missing? Just for your information, this is a 2008 DC in a legacy domain which will be decommissioned.

As indicated before, LDAP signing does not require a certificate.

Can you tell us what the configuration on the domain controller is in GPEDIT.MSC?

(screenshot of the GPEDIT.MSC security options)

Particularly the lines "LDAP signing requirement for domain controller" and "Digitally encrypt or sign secure channel data (always)".
pramod1 (ASKER)

Yes, they are exactly the same as per the screenshot.
pramod1 (ASKER)

I was referring to: https://support.microsoft.com/en-us/topic/2020-ldap-channel-binding-and-ldap-signing-requirements-for-windows-ef185fb8-00f7-167d-744c-f299a66fc00a
Do we need to change this?

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters

    Group Policy Setting    Registry Setting
    None                    1
    Require Signing         2

But then:

"What issues do you foresee with enforcing LDAP signing?
LDAP Clients that do not enable or support signing will not connect.
LDAP Simple Binds over non-TLS connections will not work if LDAP signing is required."

Connections over port 389 won't work and all traffic would need to be diverted through 636 only?
pramod1 (ASKER)

Under this:
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
I don't see any group policy setting set to 1.

Do I need to create it as
    Require Signing         2
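An added example, not posted by anyone in this thread, of how a defender can answer both of the asker's last questions on the DC itself: read the registry value the "LDAP server signing requirements" policy writes under NTDS\Parameters (absent or 1 = None, 2 = Require Signing, as in the table quoted above), and list the clients that would actually be refused after enforcement (those doing unsigned SASL binds or cleartext simple binds, per the Microsoft text quoted above) from Directory Service events 2887 and 2889. It assumes local admin rights on the DC, PowerShell 3.0 or later, and that the event text contains the "Number of ..." and "Client IP address:" phrases used in the regexes.

```powershell
# Added example (not from the thread): audit a DC's LDAP signing posture and find the
# clients that would be refused once "Require Signing" is enforced.
# Assumes: run on the DC as admin, PowerShell 3.0+ (Get-WinEvent, simplified Where-Object).

# 1. The registry value the LDAP signing GPO writes; missing or 1 = None, 2 = Require Signing.
$params    = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$integrity = (Get-ItemProperty -Path $params -ErrorAction SilentlyContinue).LDAPServerIntegrity
$state = switch ($integrity) { 2 { 'Require Signing' } 1 { 'None' } default { 'not set (behaves as None)' } }
Write-Output ("LDAPServerIntegrity = {0} -> {1}" -f $integrity, $state)

# 2. Event 2887 (Directory Service log) is a 24-hour summary of unsigned SASL binds and
#    cleartext simple binds; event 2889 names each client, but only once the
#    "16 LDAP Interface Events" diagnostic value under NTDS\Diagnostics is set to 2.
$filter = @{ LogName = 'Directory Service'; Id = 2887, 2889; StartTime = (Get-Date).AddDays(-7) }
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

foreach ($e in ($events | Where-Object Id -eq 2887)) {
    # Assumption: the per-category counters in the event text begin with "Number of".
    Write-Output ("{0:u} summary:" -f $e.TimeCreated)
    [regex]::Matches($e.Message, 'Number of [^:]+: \d+') | ForEach-Object { Write-Output ('  ' + $_.Value) }
}

# Tally 2889 events per client address so the noisiest offenders are fixed first.
$clients = @{}
foreach ($e in ($events | Where-Object Id -eq 2889)) {
    # Assumption: the text carries "Client IP address:" followed by address:port.
    if ($e.Message -match 'Client IP address:\s*(\S+)') {
        $ip = $Matches[1] -replace ':\d+$', ''      # strip the source port, keeps IPv6 intact
        if (-not $clients.ContainsKey($ip)) { $clients[$ip] = 0 }
        $clients[$ip]++
    }
}

if ($clients.Count -eq 0) {
    Write-Output 'No 2889 events in 7 days: no unsigned binds seen, or LDAP Interface Events diagnostics is not at level 2.'
} else {
    Write-Output 'Clients doing unsigned or cleartext binds (fix these before setting Require Signing):'
    $clients.GetEnumerator() | Sort-Object Value -Descending |
        ForEach-Object { Write-Output ('  {0,-40} {1} binds' -f $_.Key, $_.Value) }
}
```

Signed SASL binds on port 389 keep working after enforcement; only the binds this script lists are refused, so it is a dry run of the policy change rather than a reason to move everything to 636.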