Urgent Tech Update – Microsoft advisory ADV190023
Microsoft has released ADV190023 and recommends that both LDAP channel binding and LDAP signing are enabled. A Windows update scheduled for release in March 2020 is announced to enable both options on domain controllers by default. LDAP signing protects the integrity of LDAP sessions that are not wrapped in TLS and, when required, makes the domain controller reject unsigned SASL binds and simple binds over cleartext connections; channel binding ties an LDAP authentication over TLS to the TLS session it arrived on, so a bind relayed through a man-in-the-middle is rejected. Together they harden the traffic between Active Directory and its clients.
For information about ADV190023, click here.
Possibly affected products:
- McAfee (see information below)
- Fortinet (see information below)
- Proofpoint (see information below)
- Any product that uses LDAP as an authentication back end
McAfee SNS information
ePO uses LDAP for many critical functions such as:
- Active Directory Synchronization
- User-based policy assignments
- Windows Authentication
The same applies to McAfee Drive Encryption, File and Removable Media Protection, and any other product whose user assignments come from LDAP.
As a result of these changes, with the default settings on a Microsoft LDAP server after the March update:
- ePO cannot connect to the Microsoft LDAP servers unless LDAPS is used. A domain controller that requires LDAP signing rejects simple binds over cleartext (non-TLS) connections and SASL binds that do not negotiate signing, and ePO's plain LDAP connection on port 389 falls into that category.
- If the domain controllers are not set up for TLS (no server certificate, so no LDAPS on port 636) and LDAP channel binding and LDAP signing are enabled, no connection can be established at all: the non-TLS connection is rejected and there is no TLS endpoint to move to.
These changes are intentional and are part of the recommended hardening according to Microsoft’s advisory.
Prepare your environment for these changes wherever LDAP connectivity is in use: inventory which products bind to the domain controllers, move each of them to LDAPS, and test the LDAPS bind before signing is required.
For more information and available resolutions, see KB92298.
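The following PowerShell is added here as an example; it is not from the Microsoft advisory or from McAfee KB92298. Run elevated on a domain controller before signing is required, it reads the current signing and channel binding settings from the registry and lists the clients that still bind unsigned or over cleartext (Event ID 2889), so that ePO and any other LDAP client on that list can be moved to LDAPS first. The registry paths, value names, diagnostic setting and event IDs are Microsoft's documented ones; the function names are this example's own.

```powershell
# Added example: not from the Microsoft advisory or McAfee KB92298. Run elevated on a
# domain controller before enforcing signing. Function names are this example's own;
# registry paths, value names and event IDs are the documented Microsoft ones.

$ntdsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$ntdsDiag   = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'

function Get-LdapHardeningState {
    $p = Get-ItemProperty -Path $ntdsParams -ErrorAction SilentlyContinue
    # LDAPServerIntegrity is what the policy "Domain controller: LDAP server signing
    # requirements" sets: 1 = None, 2 = Require signing.
    $signing = if ($null -ne $p.LDAPServerIntegrity) { [int]$p.LDAPServerIntegrity } else { 1 }
    # LdapEnforceChannelBinding: 0 = Never, 1 = When supported, 2 = Always.
    # An absent value is treated as 0 here.
    $cbt = if ($null -ne $p.LdapEnforceChannelBinding) { [int]$p.LdapEnforceChannelBinding } else { 0 }
    [pscustomobject]@{
        Computer            = $env:COMPUTERNAME
        LdapSigningRequired = ($signing -eq 2)
        ChannelBinding      = @('Never', 'WhenSupported', 'Always')[$cbt]
    }
}

function Enable-LdapInterfaceEventLogging {
    # Diagnostic level 2 for "16 LDAP Interface Events" makes the DC log Event ID 2889
    # for every unsigned SASL bind and every cleartext simple bind, with the client
    # address and account. Event 2887 alone only gives a 24-hour count. Set it back
    # to 0 once the audit is done; the log grows quickly on busy DCs.
    Set-ItemProperty -Path $ntdsDiag -Name '16 LDAP Interface Events' -Value 2 -Type DWord
}

function Get-UnsignedLdapBindClients {
    param([int]$Hours = 24)
    $filter = @{
        LogName   = 'Directory Service'
        Id        = 2889
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    $events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)
    # Event 2889 insertion strings: %1 client address:port, %2 identity, %3 binding type
    # (0 = simple bind without TLS, 1 = SASL bind without signing).
    $binds = foreach ($e in $events) {
        [pscustomobject]@{
            Time        = $e.TimeCreated
            Client      = ($e.Properties[0].Value -replace ':\d+$', '')   # drop the source port
            Identity    = $e.Properties[1].Value
            BindingType = if ([int]$e.Properties[2].Value -eq 0) { 'SimpleBindCleartext' } else { 'SaslUnsigned' }
        }
    }
    $binds | Group-Object Client, Identity, BindingType | ForEach-Object {
        [pscustomobject]@{
            Client      = $_.Group[0].Client
            Identity    = $_.Group[0].Identity
            BindingType = $_.Group[0].BindingType
            Binds       = $_.Count
            LastSeen    = ($_.Group | Sort-Object Time -Descending | Select-Object -First 1).Time
        }
    } | Sort-Object Binds -Descending
}

# Usage: show the DC's state, then the clients that will break once signing is required.
Get-LdapHardeningState | Format-List
Get-UnsignedLdapBindClients -Hours 24 | Format-Table -AutoSize
```

Call Enable-LdapInterfaceEventLogging first and let it run for at least a full day (and across any weekly or monthly sync schedules) before reading the list; without diagnostic level 2 the domain controller only writes the daily 2887 summary, which tells you that unsigned binds happen but not which service account or host is making them.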
Fortinet has published an article on how to configure LDAP on a FortiGate. The article provides a detailed look at the LDAP configuration options in FortiOS, focusing on network connectivity, and gives examples of their use. Read the full article for more information.
The standard protocol for reading data from Active Directory is LDAP. LDAP traffic is unencrypted by default. To secure it, wrap it in the Secure Sockets Layer/Transport Layer Security (SSL/TLS) protocols; this combination is referred to as LDAP over SSL, or LDAPS, and runs on TCP port 636 with TLS negotiated before any LDAP traffic is sent (StartTLS on port 389 is the other way to add TLS to an LDAP session). LDAPS requires a server-authentication certificate on each domain controller and a client that trusts the issuing CA and verifies the name in the certificate; a client that skips that verification is still exposed to the man-in-the-middle that signing and channel binding are meant to stop.
To see how you can configure Active Directory Sync in Proofpoint Essentials, please read this article.
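As an added example, not code from McAfee, Fortinet or Proofpoint, the following PowerShell tests from the host that owns the LDAP integration (the ePO server, for instance) whether a service account can bind to a domain controller: first as a cleartext simple bind on port 389, which a domain controller that requires signing rejects, then as the same bind over LDAPS on port 636 with the certificate validated. The server name, account name and credential prompt are placeholders; the System.DirectoryServices.Protocols types are the .NET ones.

```powershell
# Added example: not McAfee, Fortinet or Proofpoint code. Run from the host that owns
# the LDAP integration to compare a cleartext simple bind on 389 with the same bind
# over LDAPS on 636. Server name and account below are placeholders.

Add-Type -AssemblyName System.DirectoryServices.Protocols

function Test-LdapSimpleBind {
    param(
        [Parameter(Mandatory)][string]$Server,          # DC FQDN; must match the DC certificate
        [Parameter(Mandatory)][pscredential]$Credential,
        [switch]$Ldaps                                   # TLS from the first byte on TCP 636
    )
    $port = if ($Ldaps) { 636 } else { 389 }
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $port)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.SessionOptions.ProtocolVersion = 3
    if ($Ldaps) {
        $conn.SessionOptions.SecureSocketLayer = $true
        # Leave SessionOptions.VerifyServerCertificate alone (default: validate against the
        # machine's trusted roots). Overriding it with { $true } makes the bind accept any
        # certificate, which reintroduces the man-in-the-middle this hardening is for.
    }
    $conn.AuthType   = [System.DirectoryServices.Protocols.AuthType]::Basic   # simple bind
    $conn.Credential = $Credential.GetNetworkCredential()
    try {
        $conn.Bind()
        [pscustomobject]@{ Server = $Server; Port = $port; Bound = $true;  Error = $null }
    } catch {
        # A DC that requires signing answers a cleartext simple bind with LDAP result 8
        # (strongerAuthRequired); an LDAPS bind failing here usually means the DC has no
        # server certificate or the client does not trust its issuer.
        [pscustomobject]@{ Server = $Server; Port = $port; Bound = $false; Error = $_.Exception.Message }
    } finally {
        $conn.Dispose()
    }
}

# Placeholder service account and domain controller; replace with your own.
$cred = Get-Credential -UserName 'CONTOSO\svc-epo' -Message 'Service account used for the LDAP integration'
Test-LdapSimpleBind -Server 'dc01.contoso.example' -Credential $cred          # cleartext: rejected once signing is required
Test-LdapSimpleBind -Server 'dc01.contoso.example' -Credential $cred -Ldaps   # LDAPS: the configuration the products above need
```

Run the LDAPS variant against every domain controller the product can fail over to, not only the one it is registered with: a domain controller without a server-authentication certificate accepts nothing on 636, and the integration will appear to work until the client picks that host.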