XMedius' Position Regarding Microsoft Security Advisory ADV190023 on LDAP Channel Binding and Signing

Administrator -

Context

On August 13, 2019, Microsoft published Security Advisory ADV190023, which recommends using Group Policy to enforce LDAP Channel Binding and LDAP Signing on Active Directory Domain Controllers. The advisory is hardening guidance against the man-in-the-middle (LDAP relay) elevation-of-privilege weakness that Microsoft had earlier addressed in CVE-2017-8563.

The purpose of the advisory is to get AD administrators to refuse LDAP binds that a man-in-the-middle can read, tamper with, or relay. Three cases matter. A simple bind over plain LDAP (port 389 without TLS) sends the username and password in clear text, much like HTTP basic authentication. A SASL bind (Kerberos or NTLM) that does not request signing leaves the session open to tampering and to relay of the captured authentication to the Domain Controller. A bind over TLS without channel binding can still be relayed, because nothing ties the authentication to the TLS session it was sent on. Requiring LDAP signing rejects the first two cases; channel binding tokens (CBTs) address the third.

Unless they have been manually modified, the LDAP Signing and Channel Binding policies are "Not Defined" by default on Domain Controllers, which has the same effect as "Disabled": the DC accepts unsigned SASL binds, simple binds in clear text, and TLS binds without a channel binding token.

Initially, Microsoft planned to ship a security update (scheduled for March 2020) that would change the effective meaning of the default "Not Defined" from "Disabled" to "Enabled". In other words, had that update been published, LDAP Signing and Channel Binding would have been enforced on every Domain Controller by default, and every simple bind over a non-TLS LDAP connection and every SASL bind that does not request signing would have started failing.

Microsoft has since reversed that decision and postponed changing the default values. The March 2020 updates instead added auditing events and additional Group Policy settings for LDAP channel binding, leaving the decision to enforce to administrators.

XMedius recommends enabling LDAP Channel Binding and Signing

For extra security, XMedius recommends following Microsoft's advisory and enabling LDAP Signing and Channel Binding in Group Policy ("Domain controller: LDAP server signing requirements" set to "Require signing", and "Domain controller: LDAP server channel binding token requirements" set to "Always" once all clients support it).

Once these policies are enabled and your AD server is properly configured, a simple bind over clear-text LDAP will be rejected by the Domain Controller, so you must switch XM Fax's LDAP server authentication to LDAP StartTLS (XM Fax 9.0+) or LDAPS (XM Fax 8.0 and below). A simple bind carried inside a TLS session is accepted when signing is required, because TLS provides the confidentiality and integrity that signing would otherwise have to supply. Before enforcing the policies, identify every other application and device that still binds to the DC unsigned or in clear text, since they will fail in the same way.
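The following PowerShell script is an added example written for this article; it is not XMedius or Microsoft code. Run on a Domain Controller as an administrator, it reads the registry values that back the two Group Policy settings above, checks whether LDAP interface diagnostics are turned up enough for the DC to log event 2889 for each unsigned or clear-text bind, and then lists the clients (IP:port and identity) that produced such binds in the last seven days, which is the list of things that will break once "Require signing" is enforced. The registry paths and value names are the documented ones from ADV190023; the regexes that pull the client IP and identity out of the event text are an assumption about the 2889 message format (they match the "Client IP address:" and "Identity the client attempted to authenticate as:" lines), and the seven-day window and the hypothetical name of the script are the author's choice.

```powershell
# Added example for this article (not XMedius' or Microsoft's own tooling).
# Report LDAP signing / channel binding enforcement on this Domain Controller and
# list clients still performing unsigned or clear-text LDAP binds (event 2889).
# Assumes: Windows PowerShell 5.1+ on a DC, run elevated.

$ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$diag = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'

# Registry values behind the two Group Policy settings (documented in ADV190023):
#   LDAPServerIntegrity       0 = None, 1 = Negotiate signing, 2 = Require signing
#   LdapEnforceChannelBinding 0 = Never, 1 = When supported,  2 = Always
# A missing value means the policy is "Not Defined", which the DC treats as 0.
$signing = (Get-ItemProperty -Path $ntds -Name 'LDAPServerIntegrity' -ErrorAction SilentlyContinue).LDAPServerIntegrity
$cbt     = (Get-ItemProperty -Path $ntds -Name 'LdapEnforceChannelBinding' -ErrorAction SilentlyContinue).LdapEnforceChannelBinding
if ($null -eq $signing) { $signing = 0 }
if ($null -eq $cbt)     { $cbt = 0 }

$signingNames = @{ 0 = 'None (Not Defined / disabled)'; 1 = 'Negotiate signing'; 2 = 'Require signing' }
$cbtNames     = @{ 0 = 'Never (Not Defined / disabled)'; 1 = 'When supported';   2 = 'Always' }

Write-Host ('LDAP server signing requirements        : {0} ({1})' -f $signing, $signingNames[[int]$signing])
Write-Host ('LDAP channel binding token requirements : {0} ({1})' -f $cbt,     $cbtNames[[int]$cbt])

# The DC only writes event 2889 per offending client when the
# "16 LDAP Interface Events" diagnostic level is 2; otherwise you get only the
# 24-hour summary event 2887.
$level = (Get-ItemProperty -Path $diag -Name '16 LDAP Interface Events' -ErrorAction SilentlyContinue).'16 LDAP Interface Events'
if (-not $level -or $level -lt 2) {
    Write-Warning "LDAP Interface Events diagnostic level is '$level'; set it to 2 to log event 2889 per unsigned bind:"
    Write-Warning "  Set-ItemProperty -Path '$diag' -Name '16 LDAP Interface Events' -Value 2"
}

# Collect 2889 events from the last 7 days (window chosen for this example) and
# extract the client address and the identity it tried to bind as.
$since  = (Get-Date).AddDays(-7)
$filter = @{ LogName = 'Directory Service'; Id = 2889; StartTime = $since }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Host "No event 2889 found since $since (no unsigned / clear-text binds logged)."
    return
}

$events |
    ForEach-Object {
        $m = $_.Message
        [pscustomobject]@{
            Time     = $_.TimeCreated
            ClientIP = if ($m -match 'Client IP address:\s*(\S+)') { $Matches[1] } else { '' }
            Identity = if ($m -match 'Identity the client attempted to authenticate as:\s*([^\r\n]+)') { $Matches[1].Trim() } else { '' }
        }
    } |
    Group-Object ClientIP, Identity |
    Sort-Object Count -Descending |
    Select-Object Count,
                  @{ n = 'Client (IP:port, identity)'; e = { $_.Name } },
                  @{ n = 'LastSeen'; e = { ($_.Group | Sort-Object Time -Descending)[0].Time } } |
    Format-Table -AutoSize
```

Run it on each Domain Controller (clients may bind to any DC) before switching the signing policy to "Require signing"; an XM Fax server still configured for plain LDAP will show up in the list with its service account identity, and should disappear once it is switched to StartTLS or LDAPS. For the channel binding side, setting the policy to "When supported" first and raising the diagnostic level lets the DC log which TLS clients are not sending a channel binding token before you move to "Always".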

Please refer to the KB article Configuring XM Fax for LDAP StartTLS (XM Fax 9.0+) or LDAPS (XM Fax 8.0 and Below) to learn how to enable LDAP StartTLS or LDAPS in XM Fax.
