MicrosoftMicrosoft
MicrosoftAdding some other information
Important to point out:
LDAP over TLS/SSL communication are already signed as TLS would detect any modification of the payload as it can't be decrypted. The behavior for LDAP simple binds and LDAP simple binds through SSL are as follows:
Separate registry key settings exist for LDAP Signing and Channel Binding. Setting registry values to zero reverts the OS back to the previous defaults:
- LdapServerIntegrity = 0
- LdapEnforceChannelBinding = 0
The values can also be configured via Security Policies set via Group Policy (e.g. to automatically distribute the settings to all DCs):
- "Domain controller: LDAP server signing requirements"
- "Domain controller: LDAP server channel binding token requirements" (will only show up in the UI after installing the upcoming fix)
CBT setting will be introduced by the update
You can separate the settings, having CBT=1 and Signing=0. They are two separate settings that you can configure via registry or GPO
Also if you download the latest SCT 1.0 (security compliance toolkit) https://www.microsoft.com/en-us/download/details.aspx?id=55319 you will find template "SecGuide.admx" and language file "SecGuide.adml" that you can import in your policies (Central Store or C:\Windows\PolicyDefinitions) and from which you can manage Extended Protection for LDAP.....(CBT)
Security baseline (FINAL) for Windows 10 v1909 and Windows Server v1909:
https://techcommunity.microsoft.com/t5/Microsoft-Security-Baselines/Security-baseline-FINAL-for-Windows-10-v1909-and-Windows-Server/ba-p/1023093
Also one of the things to be aware of is that "Require Signing" may have an impact on third-party systems if you don't configure them correctly. Some examples that I'm thinking of:
- Printers
- Storage Area Networks
- Third party OSs
- Appliances
- other Hardware that interacts with DCs
- etc etc
Regards
Alan @ PFE