LDAP Channel Binding and LDAP Signing Requirements - March 2020 update final release

Published Nov 04 2019 06:26 AM 278K Views
Microsoft

Hi All, Alan here again, this time trying to give some details on these two settings that are creating quite some confusion.

 

ATTENTION: before you continue reading I must emphasize that the MARCH 2020 update and FUTURE UPDATES *****WILL NOT MAKE ANY CHANGE*****. This means that we leave it to Customer to decide when to enforce these settings, now and in the future.

https://support.microsoft.com/en-us/help/4520412/2020-ldap-channel-binding-and-ldap-signing-requirem...

 

Our recommendation is to enforce both of them and not leave your environment at risk

 

Another important article that I suggest to read:

LDAP session security settings and requirements after ADV190023 is installed

 https://support.microsoft.com/en-us/help/4563239/ldap-session-security-settings-and-requirements-aft...

 

I have to point out that at first these changes were scheduled to become active with upcoming March 2020 update, but some improvements were made and now March 2020 update will only add some new functionalities and make no changes, giving Customers the opportunity to choose.

 

Let’s start saying that since Windows Server 2008 we have Event IDs related to unsigned LDAP binds like 2886, 2887, 2888 and 2889 if you enable auditing which will detail IP Address and Account that made the request

 

Also the new March 2020 update will add support for new Event IDs related to LDAP Channel Bindings. After you install the update you will have 3040 and 3041 triggered every 24 hours by default and 3039 if you enable auditing which will detail IP Address and Account that made the request  

 

 

This information is preliminary and is subject to revision.
This article is a living document, written over time and is subject to change. When guidance presented in this article is in direct conflict with official documentation, one must defer to official documentation.

 

This is the link to the public Security Advisory

ADV190023 | Microsoft Guidance for Enabling LDAP Channel Binding and LDAP Signing: https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV190023

 

This is the link to the public KB:

https://support.microsoft.com/en-us/help/4520412/2020-ldap-channel-binding-and-ldap-signing-requirem...

 

March 2020 update links:

Windows 10 v1903 and Windows 10 v19094540673 
Windows 10 v1809: 4538461 
Windows 10 v1803: 4540689
Windows 10 v1709: 4540681

Windows Server 2019: 4538461 
Windows Server 2016: 4540670
Windows Server v1903 and Windows Server v1909: 4540673 
Windows Server v1803: 4540689

Windows 8.1 and Windows Server 2012 R2 Monthly Rollup: 4541509 
Windows 8.1 and Windows Server 2012 R2 Security Only: 4541505
Windows Server 2012 Monthly Rollup: 4541510 
Windows Server 2012 Security Only: 4540694

 

Also I would like to point out this great article that details how this other vendor supports these two features (Red Hat source)
Impact of Microsoft Security Advisory ADV190023 | LDAP Channel Binding and LDAP Signing on RHEL and AD integrationhttps://access.redhat.com/articles/4661861

 

NEW AUDITING capabilities coming with March 2020 update

March 2020 update will add new Auditing capabilities into group policies related to LDAP Channel Binding and LDAP Signing (this one has been around for a while) 

 

  • Through new Group Policy setting you can configure LDAP Channel Binding and LDAP Signing "auditing"

NOTE: Auditing can also be enabled via Registry, on each Domain Controller

Reg Add HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics /v "16 LDAP Interface Events" /t REG_DWORD /d 2  

 

Once you have configured auditing, the system will start logging the following Event IDs (Directory services log):

 

For LDAP Signing 

Event ID 2889 (needs auditing enabled)

 

Triggered when a client does not use signing after authentication on sessions on the LDAP port. 

 

***Event 2889 will be triggered when there is no encryption and the client making the bind request does not support LDAP Channel Binding. In all bind requests using SSL/TLS, the LDAP channel binding token is required; if it is not provided, the request will be rejected. 

 

This is the Event ID you want to check to understand which IP Addresses and Accounts are making these requests.

 

Once you open Event ID 2889 in Details you will have

Client IP address: “Value”
Identity the client attempted to authenticate as: “Value” 

 

2889 The security of these domain controllers can be improved by configuring them to reject simple LDAP bind requests and other bind requests that do not include LDAP signing. Triggered when a client does not use signing for binds on sessions on port 389. Minimum Logging Level: 2 or higher

 

You will also find these other events related to LDAP (by default with no auditing enabled): 

 

2886 (already on by default and logged every 24 hours)

Telling us that our DCs are not requiring LDAP signing 

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd... 

  

2887 (already on by default and logged every 24 hours)

Telling us how many such binds occurred 

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd... 

The suggested path to resolve this error is do modify the registry of the DC to allow it log those failures. 

 

2888 (already on by default and logged every 24 hours)

If the directory server is configured to reject unsigned SASL LDAP binds or LDAP simple binds over a non-SSL/TLS connection, the directory server will log a summary event 2888 one time every 24 hours when such bind attempts occur. 

 

The mapping between LDAP Signing Policy settings and registry settings are included as follows:

  • Policy Setting: "Domain controller: LDAP server signing requirements"
  • Registry Setting: LDAPServerIntegrity
  • DataType: DWORD
  • Registry Path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
Group Policy Setting Registry Setting
None 1
Require Signing 2

 

For LDAP Channel Binding 

Event ID 3039 (needs Auditing enabled)

 

Triggered when a client attempts to bind without valid CBT

 

This is the Event ID you want to check in order to understand which IP Addresses and Accounts are making these requests.

 

***Triggered only on “When Supported” and “Always” when a client fails to bind due to invalid CBT  

 

3039 The following client performed an LDAP bind over SSL/TLS and failed the LDAP channel binding token validation. Triggered when a client attempts to bind without valid CBT. Minimum logging level: 2

 

You will also find these other events related to LDAP (by default with no auditing enabled): 

 

3040 Triggered every 24 hours by default when CBT group policy is set to "Never" and at least one unprotected bind was completed​ 

 

3041 Triggered every 24 hours by default on startup or start of service if the CBT group policy is set to "Never"​

 

The mapping between LDAP Channel Binding Policy settings and registry settings are included as follows:

  • Policy Setting: "Domain controller: LDAP server channel binding token requirements"
  • Registry Setting: LdapEnforceChannelBinding
  • DataType: DWORD
  • Registry Path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters  
Group Policy Setting Registry Setting
Never 0
When Supported 1
Always 2

 

 

Recommended ACTIONS 

For IT Adminstrators we recommend to Enable Auditing and fix issues in order to enable both of these enforcements 

 

Support for LDAP Signing is common among non-Windows OS versions

Support for LDAP Channel Binding is rare among non-Windows operating systems. 

 

  1. Find out which Appliances / Services are making these requests and try to find out if they support LDAP Signing and LDAP Channel Binding. Ask each specific "vendor" for detailed information and guidelines
  2. Find out which Non-Windows OSs and which Applications running on them are making these requests. Check if they support and can be configured with LDAP Signing and/or LDAP Channel Binding
  3. Find out which Windows OSs and which Applications running on them are making these requests. 
  4. All versions of Windows down to XP support LDAP signing
  5. All versions of Windows after XP support LDAP signing. 

Windows XP does NOT support LDAP channel binding and would fail when LDAP channel binding is configured  with a value of “always” but would remain interoperable with DCs configured with more relaxed LDAP channel binding setting of “when supported”.  

  1. Configure recommended values for Signing and CBT
    • LDAPServerIntegrity = 2
    • LdapEnforceChannelBinding = 1

NOTE: Once you fix all the unsecure connections from Applications/Applicances/Devices/OSs we suggest to enforce these settings to ensure your environment is secured

Enable LDAP Signing and LDAP Channel Binding

LDAPServerIntegrity = 2

LdapEnforceChannelBinding = 2

 

DETAILED Information about these settings

The concept of channel binding allows applications to establish that the two end-points of a secure channel at one network layer are the same as at a higher layer by binding authentication at the higher
layer to the channel at the lower layer. https://tools.ietf.org/html/rfc5929 and https://tools.ietf.org/html/rfc5056

 

LDAP Channel Binding

March 2020 update will add the following: 

 

  • Adds support for a new LDAP Channel Binding policy "Domain Controller: LDAP server channel binding token requirements"
  • Adds support for 3039, 3040, 3041 events logged in the Directory Service event log to identify LDAP binds that don't use CBT
  • Allows LDAP Signing and Channel Binding to be independently "relaxed" or "hardened" at any time
  • DOES NOT modify the policy setting or the registry equivalent for “Domain controller: LDAP server channel binding token requirements” in any way

 

Very important NOTE: You need to have this CVE-2017-8563 installed on your clients as a prerequisite before enabling LDAP Channel Binding and LDAP Integrity on DCs  

ADV190023 | Microsoft Guidance for Enabling LDAP Channel Binding and LDAP Signing: https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV190023

 

CVE-2017-8563 | Windows Elevation of Privilege Vulnerability (REQUIRED) 

An elevation of privilege vulnerability exists in Microsoft Windows when a man-in-the-middle attacker is able to successfully forward an authentication request to a Windows LDAP server, such as a system running Active Directory Domain Services (AD DS) or Active Directory Lightweight Directory Services (AD LDS), which has been configured to require signing or sealing on incoming connections. 

The update addresses this vulnerability by incorporating support for Extended Protection for Authentication security feature, which allows the LDAP server to detect and block such forwarded authentication requests once enabled.  

Main thing to point out is that March 2020 update WILL NOT make any change nor any future update. 

For LDAP Channel Binding we recommend configure the most compatible setting which equals to the following: 

  • LDAP Channel Binding = 1 

AD - HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters 

ADLDS - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\<LDS instance name>\Parameters 

 

value:1  = indicates "enabled, when supported". All clients that are running on a version of Windows that has been updated to support channel binding tokens (CBT) must provide channel binding information to the server. Clients that are running a version of Windows that has not been updated to support CBT do not have to do so. This is an intermediate option that allows for application compatibility. 

 

Possible CBT values:

  • DWORD value: 0 indicates disabled. No channel binding validation is performed. This is the behavior of all servers that have not been updated.
  • DWORD value: 1 indicates enabled, when supported. All clients that are running on a version of Windows that has been updated to support channel binding tokens (CBT) must provide channel binding information to the server. Clients that are running a version of Windows that has not been updated to support CBT do not have to do so. This is an intermediate option that allows for application compatibility.
  • DWORD value: 2 indicates enabled, always. All clients must provide channel binding information. The server rejects authentication requests from clients that do not do so.

 

Important Notes  

- Before you enable this setting on a Domain Controller, clients must install the security update that is described in CVE-2017-8563. Otherwise, compatibility issues may arise, and LDAP authentication requests over SSL/TLS that previously worked may no longer work. By default, this setting is disabled. 

- The LdapEnforceChannelBindings registry entry must be explicitly created.  

- LDAP server responds dynamically to changes to this registry entry. Therefore, you do not have to restart the computer after you apply the registry change. 

 
LDAP Channel Binding: To maximize compatibility with older operating system versions (Windows Server 2008 and earlier versions), we recommend that you enable this setting with a value of 1. 
 
To explicitly disable the setting, set the LdapEnforceChannelBinding entry to 0 (zero). 

Windows Server 2008 and older systems require that Microsoft Security Advisory 973811, available in “KB 968389 Extended Protection for Authentication”, be installed before installing CVE-2017-8563. 

If you install CVE-2017-8563 without KB 968389 on a Domain controller or AD LDS instance, all LDAPS connections will fail with LDAP error 81 - LDAP_SERVER_DOWN. In addition, we strongly recommended that you also review and install the fixes documented in the Known Issues section of KB 968389.  

 

LDAP Signing

  • LDAP Server Integrity (signing) = (March 2020 update will NOT change this setting)

https://support.microsoft.com/en-us/help/935834/how-to-enable-ldap-signing-in-windows-server-2008 

I want to note that this article shows two sections related to server and client, which need to be configured: 

- How to set the server LDAP signing requirement 

- How to set the client LDAP signing requirement through a domain Group Policy Object  

 

If we want to force these settings you should configure these settings :

  1. Enable LdapEnforceChannelBinding = 1  (must have CVE-2017-8563)
  2. Enable LDAP Server Signing  
    • DCs = policy "Domain controller: LDAP server signing requirements" = Require Signing 
    • Servers/Clients = policy "Network security: LDAP client signing requirements = Require Signing 

 

Summarizing 

Summarizing this long article we can state the following: 

  1. AUDIT - Directory Services Log is our friend, find out which machine/account is making these unsecure connections:
    • Event IDs 2889 for LDAP Signing
    • Event IDs 3039 for LDAP Channel Binging
  2. AUDIT - Appliances/Devices/Applications: find out if they support Signing and Channel Binding 
  3. Fix issues and Enforce these settings through GPO "manually"
  4. On Clients/Servers we need to have as a prerequisite CVE-2017-8563 “Extended Protection for Authentication” before we enable LDAP CBT and LDAP Signing
  5. March update will not make any change to signing or channel binding

 

Hope this helps a little more understanding what these settings are all about. Remember that the main thing is to Audit and make a list of Systems/Accounts/Devices/Appliances/Applications, that are making these unsecure binds.

Fix issues and make your environment safer. The decision is up to you!!

 

 

Regards to All 

 

Alan @ PFE

224 Comments
Version history
Last update:
‎Sep 08 2020 04:58 AM
Updated by: