Microsoft Urges LDAP Workaround Fix for Windows Systems

Microsoft updated an August security advisory this week to urge organizations using the Lightweight Directory Access Protocol (LDAP) in supported Windows systems to implement some configuration changes manually.

The details are described in this Windows support article, dated September 10. In addition, Microsoft updated its August security advisory ADV190023, which now includes similar information about carrying out a workaround fix for LDAP.

In essence, organizations are being asked to add LDAP channel binding and LDAP signing configuration changes to make authentications via LDAP on Active Directory Domain Controllers more secure. Currently, out-of-box LDAP configurations are subject to an elevation-of-privilege vulnerability, which could be exploited via a "man-in-the-middle" attack.

Here's how the support article characterized the vulnerability, which potentially lets attackers impersonate end users and change packet information:

Unsigned network traffic is susceptible to replay attacks in which an intruder intercepts the authentication attempt and the issuance of a ticket. The intruder can reuse the ticket to impersonate the legitimate user. Additionally, unsigned network traffic is susceptible to man-in-the-middle attacks in which an intruder captures packets between the client and the server, changes the packets, and then forwards them to the server. If this occurs on an LDAP server, an attacker can cause a server to make decisions that are based on forged requests from the LDAP client.

LDAP is an industry standard, but it's used in Windows systems to "read from and write to the Active Directory database," Microsoft explained in this old blog post.

Microsoft is planning to issue a patch that will automatically implement these recommended LDAP configuration changes. The patch will be arriving via the Windows Update service, starting "in mid-January 2020." Microsoft is deliberately delaying the release of this patch to accommodate organizations that only make their configuration changes after the holiday season.

In the meantime, though, Microsoft wants organizations to add the configuration changes manually. However, organizations making the recommended changes could encounter "compatibility issues."

"If any compatibility issue is found, administrators will need to contact the manufacturer of that particular OS, application or device for support," Microsoft warned in the "Recommended Actions" section of its support article. Applications or devices that carry out "man-in-the-middle inspection of LDAP traffic" could also be affected by the changes.
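The compatibility concern above is easier to judge with data from the Domain Controllers themselves. The following PowerShell audit script is an added example, not from the article or from Microsoft's advisory: it reads the current signing and channel-binding enforcement settings and summarizes which clients have recently performed unsigned LDAP binds, so those systems can be fixed before enforcement is switched on. The registry value names and Directory Service event IDs are the ones Microsoft documents for this guidance, not values taken from this article; the script assumes it is run elevated on a DC.

```powershell
# Added audit script (not part of the article). Reports LDAP signing / channel
# binding enforcement on this DC and lists clients still doing unsigned binds.
$ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$diag = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'

function Get-RegDword($Path, $Name, $Default) {
    $v = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
    if ($null -eq $v) { $Default } else { [int]$v }
}

# LDAPServerIntegrity: 1 = None (default), 2 = Require signing
$signing = Get-RegDword $ntds 'LDAPServerIntegrity' 1
# LdapEnforceChannelBinding: 0 = Never, 1 = When supported, 2 = Always
$cbt     = Get-RegDword $ntds 'LdapEnforceChannelBinding' 0
# '16 LDAP Interface Events' at level 2 or higher logs event 2889 per unsigned bind
$logging = Get-RegDword $diag '16 LDAP Interface Events' 0

[pscustomobject]@{
    LDAPServerIntegrity       = $signing
    SigningRequired           = ($signing -ge 2)
    LdapEnforceChannelBinding = $cbt
    ChannelBindingAlways      = ($cbt -eq 2)
    LdapInterfaceEventsLevel  = $logging
} | Format-List

# Event 2887 is the 24-hour summary count of unsigned/simple binds; 2889 names
# each client (IP:port and account). These clients break once signing is required.
$since  = (Get-Date).AddDays(-7)
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Directory Service'; Id = 2887, 2889; StartTime = $since
} -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Output "No 2887/2889 events in the last 7 days (set LdapInterfaceEventsLevel to 2 if it is 0)."
} else {
    $events | Where-Object Id -eq 2889 | ForEach-Object {
        # The message carries the IP and identity on the lines after each label.
        $ip = if ($_.Message -match '(?s)Client IP address:\s*(\S+)') { $Matches[1] } else { '?' }
        $id = if ($_.Message -match 'authenticate as:\s*([^\r\n]+)') { $Matches[1].Trim() } else { '?' }
        [pscustomobject]@{ ClientIP = $ip; Identity = $id }
    } | Group-Object ClientIP, Identity | Sort-Object Count -Descending |
        Format-Table Name, Count -AutoSize
}
```

Running this on each DC before mid-January shows whether any in-house application or appliance still binds without signing, which is exactly the population that will need vendor support once the change is enforced.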

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.
