
Microsoft Urges LDAP Workaround Fix for Windows Systems

Microsoft updated an August security advisory this week to urge organizations using the Lightweight Directory Access Protocol (LDAP) in supported Windows systems to implement some configuration changes manually.

The details are described in this Windows support article, dated September 10. In addition, Microsoft updated its August security advisory ADV190023, which now includes similar information about carrying out a workaround fix for LDAP.

In essence, organizations are being asked to turn on LDAP signing and LDAP channel binding on Active Directory Domain Controllers so that LDAP authentications are harder to tamper with or relay. Signing lets the domain controller reject LDAP traffic that was altered in transit; channel binding ties an LDAP-over-TLS (LDAPS) bind to the specific TLS channel it arrived on, so credentials captured by an intermediary cannot be replayed over a different connection. In the out-of-box configuration neither is required, which is the elevation-of-privilege weakness that a "man-in-the-middle" attacker can exploit.

Here's how the support article characterized the vulnerability, which potentially lets attackers impersonate end users and change packet information:

Unsigned network traffic is susceptible to replay attacks in which an intruder intercepts the authentication attempt and the issuance of a ticket. The intruder can reuse the ticket to impersonate the legitimate user. Additionally, unsigned network traffic is susceptible to man-in-the-middle attacks in which an intruder captures packets between the client and the server, changes the packets, and then forwards them to the server. If this occurs on an LDAP server, an attacker can cause a server to make decisions that are based on forged requests from the LDAP client.

LDAP is an industry standard, but it's used in Windows systems to "read from and write to the Active Directory database," Microsoft explained in this old blog post.

Microsoft is planning to issue an update that turns these recommended LDAP settings on by default. It will arrive via the Windows Update service, starting "in mid-January 2020." The delay is deliberate: Microsoft is holding the update back to accommodate organizations that freeze configuration changes until after the holiday season.

In the meantime, though, Microsoft wants organizations to add the configuration changes manually. However, organizations making the recommended changes could encounter "compatibility issues."

"If any compatibility issue is found, administrators will need to contact the manufacturer of that particular OS, application or device for support," Microsoft warned in the "Recommended Actions" section of its support article. Applications or devices that carry out "man-in-the-middle inspection of LDAP traffic" could get affected by the changes, too.
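The manual steps above, as an added example that is not code from the article or from Microsoft's support page: a PowerShell script, run elevated on a domain controller, that first switches the DC into an audit posture (per-client logging of unsigned binds, channel binding at "when supported") and then, only once no unsigned binds remain, sets LDAP signing and channel binding to required. The registry paths, value names and meanings are those documented in Microsoft's advisory ADV190023; the Directory Service event IDs 2887/2889 are the ones that advisory points administrators at. The regular expressions used to pull the client address and account out of the 2889 message text, and the seven-day audit window, are this example's own assumptions.

```powershell
# Added example (not from the article or Microsoft): audit, then enforce,
# LDAP signing and channel binding on an AD domain controller.

$NtdsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$NtdsDiag   = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'
$LdapClient = 'HKLM:\SYSTEM\CurrentControlSet\Services\LDAP'

function Enable-LdapBindAuditing {
    # "16 LDAP Interface Events" = 2 makes the DC log event 2889 for each
    # simple bind in clear text or SASL bind without signing, naming the
    # client address and the account it bound as. Event 2887 (a 24-hour
    # count of such binds) is logged even without this setting.
    Set-ItemProperty -Path $NtdsDiag -Name '16 LDAP Interface Events' -Value 2 -Type DWord
}

function Get-UnsignedLdapBindClients {
    param([int]$Days = 7)   # audit window: an assumption of this example
    $filter = @{ LogName = 'Directory Service'; Id = 2889; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Assumption: the 2889 message carries "Client IP address:" and
            # "Identity the client attempted to authenticate as:" followed by
            # the value on the next line. Strip the source port from the address.
            $ip = if ($_.Message -match 'Client IP address:\s*(\S+)') { $Matches[1] -replace ':\d+$', '' } else { '?' }
            $id = if ($_.Message -match 'attempted to authenticate as:\s*(\S+)') { $Matches[1] } else { '?' }
            [pscustomobject]@{ ClientIP = $ip; Identity = $id; Seen = $_.TimeCreated }
        } |
        Group-Object ClientIP, Identity |
        ForEach-Object {
            [pscustomobject]@{
                ClientIP = $_.Group[0].ClientIP
                Identity = $_.Group[0].Identity
                Binds    = $_.Count
                LastSeen = ($_.Group.Seen | Measure-Object -Maximum).Maximum
            }
        }
}

function Get-LdapHardeningState {
    # A missing value means the default: signing negotiated but not required
    # on both sides, channel binding never enforced.
    $srv = Get-ItemProperty -Path $NtdsParams -ErrorAction SilentlyContinue
    $cli = Get-ItemProperty -Path $LdapClient -ErrorAction SilentlyContinue
    [pscustomobject]@{
        LDAPServerIntegrity       = if ($null -ne $srv.LDAPServerIntegrity)       { $srv.LDAPServerIntegrity }       else { 1 }
        LdapEnforceChannelBinding = if ($null -ne $srv.LdapEnforceChannelBinding) { $srv.LdapEnforceChannelBinding } else { 0 }
        LDAPClientIntegrity       = if ($null -ne $cli.LDAPClientIntegrity)       { $cli.LDAPClientIntegrity }       else { 1 }
    }
}

function Set-LdapHardening {
    param([ValidateSet('Audit', 'Enforce')][string]$Mode = 'Audit')
    # LDAPServerIntegrity:       1 = None (negotiate only), 2 = Require signing
    # LdapEnforceChannelBinding: 0 = Never, 1 = When supported, 2 = Always
    # LDAPClientIntegrity:       1 = Negotiate signing,      2 = Require signing
    if ($Mode -eq 'Enforce') {
        # Refuse to enforce while the audit log still shows unsigned binds:
        # those are exactly the clients Microsoft warns will break.
        $unsigned = @(Get-UnsignedLdapBindClients)
        if ($unsigned.Count -gt 0) {
            Write-Warning ($unsigned | Format-Table -AutoSize | Out-String)
            throw "Refusing to enforce: $($unsigned.Count) client/identity pair(s) still bind unsigned."
        }
        Set-ItemProperty -Path $NtdsParams -Name 'LDAPServerIntegrity'       -Value 2 -Type DWord
        Set-ItemProperty -Path $NtdsParams -Name 'LdapEnforceChannelBinding' -Value 2 -Type DWord
        Set-ItemProperty -Path $LdapClient -Name 'LDAPClientIntegrity'       -Value 2 -Type DWord
    }
    else {
        Enable-LdapBindAuditing
        # "When supported" rejects only binds that present a bad channel
        # binding token, so legacy clients keep working during the audit.
        Set-ItemProperty -Path $NtdsParams -Name 'LdapEnforceChannelBinding' -Value 1 -Type DWord
    }
    Get-LdapHardeningState
}

# Usage (elevated, on a DC): Set-LdapHardening -Mode Audit; run production
# traffic for the audit window; review Get-UnsignedLdapBindClients and fix
# or retire the listed clients; then Set-LdapHardening -Mode Enforce.
```

Two caveats for a real domain: the server-side values are normally pushed by Group Policy ("Domain controller: LDAP server signing requirements" and "Network security: LDAP client signing requirements"), and a policy-managed value will overwrite a direct registry edit at the next refresh, so treat the script as a lab or single-DC procedure and put the same settings in the DC policy for production. Channel binding enforcement also requires the 2017 update that introduced LdapEnforceChannelBinding to be installed on the DC, as the advisory notes; on an unpatched DC the value is simply ignored.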

About the Author

Kurt Mackie is senior news producer for the 1105 Enterprise Computing Group.
