For those of us who have things (like Macs) that prevent us from fully enabling CBT, it should be said that in order for someone to actually take advantage of this particular issue, they would have to MITM (man-in-the-middle) your system, meaning place a device between your domain controller and the endpoint doing the authentication, or install some sort of software on the endpoint. Also, if you have certificate validation enabled (which the Macs require), the attacker would not be able to impersonate the DC, so the connection would fail. If they somehow had access to your DC's certs, you probably have bigger issues than this.
I am going to be satisfied (at least for the time being) with getting all of the traffic encrypted (either via SSL or SASL, and setting the server to 'Require') and setting the CBT value to 1 (vs. the full '2'). This ensures that all modern Windows OSes will be secure as well.
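Added example, not part of the original post: a PowerShell audit run on a domain controller that reports the two NTDS settings the post refers to (LDAPServerIntegrity for 'Require' signing, LdapEnforceChannelBinding for the CBT value of 1 vs. 2) and pulls the Directory Service events that show which clients still bind without signing or a channel binding token. The registry path, value names and event IDs are the ones Microsoft documents for these settings; the script assumes it runs elevated on the DC.

```powershell
# Added example (not from the original post): audit a DC's LDAP hardening state.
# Assumes it runs elevated on the domain controller itself.
$NtdsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'

function Get-LdapHardeningState {
    $p = Get-ItemProperty -Path $NtdsParams -ErrorAction SilentlyContinue

    # LDAPServerIntegrity: 1 = None (signing optional), 2 = Require signing ("Require" in the post)
    $signing = if ($null -eq $p.LDAPServerIntegrity) { 'NotSet' } else { [int]$p.LDAPServerIntegrity }

    # LdapEnforceChannelBinding: 0 = Never, 1 = When supported (the "1" the post settled on),
    # 2 = Always (the "full 2", which breaks clients that never send a CBT, such as the Macs)
    $cbt = if ($null -eq $p.LdapEnforceChannelBinding) { 'NotSet' } else { [int]$p.LdapEnforceChannelBinding }
    $cbtName = switch ($cbt) { 0 { 'Never' } 1 { 'WhenSupported' } 2 { 'Always' } default { 'NotSet' } }

    [pscustomobject]@{
        SigningRequired        = ($signing -eq 2)
        ChannelBinding         = $cbtName
        # With CBT=1 a client that sends a token is checked (modern Windows), while a client
        # that sends none (older OSes, Macs) still binds; only CBT=2 rejects it.
        LegacyClientsStillBind = ($cbt -ne 2)
    }
}

function Get-RecentLdapHardeningEvents {
    # Directory Service log, per ADV190023:
    #   2887 = 24h summary of unsigned / simple binds (tells you if raising LDAPServerIntegrity will break anyone)
    #   2889 = one client bound without signing (needs "16 LDAP Interface Events" diagnostics at level 2)
    #   3040 = 24h summary of binds that failed the channel binding check while CBT=1
    Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 2887, 2889, 3040 } `
                 -MaxEvents 50 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

Get-LdapHardeningState
Get-RecentLdapHardeningEvents | Format-List
```

Run it before and after the change: 2887/2889 going quiet means the remaining clients are all signing or using LDAPS, and a steady 3040 count shows how many binds CBT=2 would start rejecting.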