Understanding LDAP Channel Binding and LDAP Signing Requirements

By default, Active Directory Domain Services (AD DS) and Active Directory Lightweight Directory Services (AD LDS) allow clients to communicate with them without enforcing LDAP channel binding and LDAP signing. Without LDAP channel binding and LDAP signing being enforced, the communication between AD DS/AD LDS and a client is vulnerable to replay attacks and man-in-the-middle attacks that can lead to an elevation of privilege. Microsoft is releasing a security update in March 2020 to add additional audit events, logging and a remapping of Group Policy values to help organizations identify and address insecure LDAP communications.

To prepare for the upcoming March 2020 security update, let’s dive deeper into LDAP channel binding and LDAP signing. We will also discuss the recommended next steps for getting started on addressing and resolving insecure LDAP communications.

What is LDAP Channel Binding?

Channel binding is the act of binding the transport layer and application layer together. In the case of LDAP channel binding, the TLS tunnel and the LDAP application layer are tied together. When these two layers are tied together it creates a unique fingerprint for the LDAP communication. Any intercepted LDAP communication cannot be re-used, as this would require establishing a new TLS tunnel, which would invalidate the LDAP communication’s unique fingerprint. The LDAP channel binding registry value “LdapEnforceChannelBinding” has the following available settings:

  • (Default) 0 – disabled, no channel binding validation is performed on the domain controllers.
  • 1 – enabled when supported, channel binding is required for Windows versions that have been updated to support channel binding tokens (CBT). This allows for compatibility with clients not running a Windows version that has been updated to support CBT.
  • 2 – enabled always, channel binding information is required by all client communication with the domain controllers. Clients that do not provide channel binding information will be rejected.

What is LDAP Signing?

LDAP signing is the digital signing of LDAP traffic by the source. The digital signature guarantees that the contents of the LDAP traffic have not been altered in transit (integrity) and allows the receiving party to verify the origin of the LDAP traffic (authenticity). LDAP signing can be configured by using specific group policies or by using registry keys. It is important to note that LDAP signing must be configured on both the domain controllers and clients:

  • Group Policies
    • Domain controller: LDAP server signing requirements
      • Not Defined – LDAP signing not required
      • None – LDAP signing not required
      • Required – LDAP signing required
    • Network security: LDAP client signing requirements
      • Not Defined – LDAP signing not required
      • None – LDAP signing not required
      • Required – LDAP signing required
  • Registry Keys
    • LDAPServerIntegrity on DCs and Server/Client
      • [NO VALUE] Not Defined – LDAP signing not required
      • [0] OFF – LDAP signing not required
      • [1] None – LDAP signing not required
      • [2] Required – LDAP signing required

What are the recommended next steps?

Below are high-level steps to get your organization started on addressing insecure LDAP communications:

  1. Ensure that all audit logs for LDAP Signing and LDAP Channel Binding are enabled. Review the following event IDs to identify clients that are making insecure LDAP calls to the directory.
    1. LDAP Signing Event IDs – 2886, 2887, 2888, 2889
    2. LDAP Channel Binding Event IDs – 3039, 3040
  2. In March 2020, apply the security update which will add additional audit events, logging, and a remapping of Group Policy values to help identify and address insecure LDAP communications.
  3. Begin to update and remediate clients that are communicating with the directory insecurely. Most modern applications support secure LDAP communications.
  4. Update the LDAP signing and LDAP channel binding settings in your environment to ensure you are in the desired state for your organization.
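As an added example (not code from the original post or from Microsoft), the following PowerShell script reports a domain controller's current LdapEnforceChannelBinding and LDAPServerIntegrity values using the meanings listed above, checks whether the NTDS diagnostics level that produces the per-client 2889 events is set, and counts the signing and channel binding events from the Directory Service log. It assumes it is run elevated on a DC; the `Describe-Value` helper, the output field names and the 24-hour window are my own choices, while the registry paths and the "16 LDAP Interface Events" diagnostics value are Microsoft's documented locations.

```powershell
# Added example, not from the original post: report a domain controller's current
# LDAP signing / channel binding state and summarise the related audit events.
# Assumes it is run elevated on a DC with the Directory Service log available.
$ntdsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$ntdsDiag   = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'

# Helper (mine, not a built-in): map a raw DWORD to the meaning listed in the article.
function Describe-Value($Value, [hashtable]$Map, [string]$Undefined) {
    if ($null -eq $Value) { return $Undefined }
    if ($Map.ContainsKey([int]$Value)) { return "$Value - $($Map[[int]$Value])" }
    return "$Value - unrecognised value"
}

function Get-LdapHardeningState {
    $p = Get-ItemProperty -Path $ntdsParams -ErrorAction SilentlyContinue
    $d = Get-ItemProperty -Path $ntdsDiag   -ErrorAction SilentlyContinue
    $cbtMap  = @{0 = 'disabled'; 1 = 'enabled when supported'; 2 = 'enabled always'}
    $signMap = @{0 = 'off'; 1 = 'none'; 2 = 'required'}
    # Level 2 for "16 LDAP Interface Events" is what makes the per-client 2889 events appear.
    $diagLevel = $d.'16 LDAP Interface Events'
    [pscustomobject]@{
        ChannelBinding           = Describe-Value $p.LdapEnforceChannelBinding $cbtMap 'Not Defined (behaves as 0)'
        ServerSigning            = Describe-Value $p.LDAPServerIntegrity $signMap 'Not Defined (signing not required)'
        LdapInterfaceEventsLevel = $diagLevel
        PerClientAuditEnabled    = ($null -ne $diagLevel -and $diagLevel -ge 2)
    }
}

function Get-InsecureLdapEvents {
    param([int]$Hours = 24)
    # 2886-2889 = LDAP signing, 3039-3040 = channel binding (IDs from the steps above).
    $filter = @{
        LogName   = 'Directory Service'
        Id        = 2886, 2887, 2888, 2889, 3039, 3040
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    # Get-WinEvent raises a non-terminating error when nothing matches; that is not a failure here.
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } }
}

Get-LdapHardeningState | Format-List
# Counts per event ID give a quick view of how many insecure binds the DC is seeing.
Get-InsecureLdapEvents -Hours 24 | Group-Object Id | Select-Object Name, Count
```

If `PerClientAuditEnabled` is false, the 2889 events that name the offending clients will not be generated, so the event count alone understates the problem.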

References

Security Advisory

Tech Community

***NOTE: The information provided is based on the security advisory provided by Microsoft at the time of writing. Please regularly check the security advisory link above for updates from Microsoft on what is changing in the March 2020 update and beyond.
