Microsoft Delaying LDAP Configuration Changes to 2H 2020

Microsoft expects to delay enforcement of configuration changes to the Lightweight Directory Access Protocol (LDAP) until the second half of this year, according to a Tuesday update to Security Advisory ADV190023.

Update 3/2: More information can be found in this Microsoft FAQ article dated Feb. 28.

That advisory, originally published back in August, described turning on improvements in LDAP channel binding and LDAP signing for Active Directory domain controllers to add better protections against potential man-in-the-middle attacks. The improvements are expected to harden the security of those two components.

"There is a vulnerability in the default configuration for Lightweight Directory Access Protocol (LDAP) channel binding and LDAP signing and may expose Active directory domain controllers to elevation of privilege vulnerabilities," Microsoft explained in an accompanying support article.

LDAP is an open client-server protocol for use with various directory services that store accounts and passwords. It's used with Microsoft's Active Directory identity and access management service.

In September, Microsoft had indicated that these LDAP configuration changes would arrive starting in mid-January 2020. However, the revised Security Advisory ADV190023 now suggests that the configuration changes will arrive with the March 2020 Windows updates, but will only get enforced with "a further future monthly update, anticipated for release the second half of calendar year 2020."

Microsoft plans to send a notice to its customers when the March updates for LDAP channel binding and LDAP signing are available.

There are no workarounds or "mitigations" for these LDAP components in the meantime. Microsoft proposed that IT pros could make the configuration changes manually, but said that compatibility issues could arise.

Microsoft's initial delay on the configuration changes, explained back in September, was to give IT pros more testing time. Some organizations only make configuration changes after the holiday season, Microsoft had explained back then.

However, a forum discussion thread (sign-up required) suggested that Microsoft was still completing work on enabling the configuration changes in its patches. More details will be provided in this Microsoft blog post, Microsoft promised, according to that thread.

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.

