Microsoft Delaying LDAP Configuration Changes to 2H 2020

Microsoft expects to delay enforcement of configuration changes to the Lightweight Directory Access Protocol (LDAP) until the second half of this year, according to a Tuesday update to Security Advisory ADV190023.

Update 3/2: More information can be found in this Microsoft FAQ article dated Feb. 28.

That advisory, originally published in August, described changing the default LDAP channel binding and LDAP signing settings on Active Directory domain controllers to protect against man-in-the-middle attacks. LDAP signing lets a domain controller reject binds whose traffic is not integrity-protected, which is what stops NTLM credentials relayed from another protocol from being used against LDAP; channel binding ties an LDAP-over-TLS bind to the specific TLS session, so a bind relayed through an attacker's own TLS connection to the domain controller fails validation.

"There is a vulnerability in the default configuration for Lightweight Directory Access Protocol (LDAP) channel binding and LDAP signing and may expose Active Directory domain controllers to elevation of privilege vulnerabilities," Microsoft explained in an accompanying support article.

LDAP is an open client-server protocol for querying and modifying directory services, which store accounts, groups and their attributes. It is the protocol most applications and services use to talk to Microsoft's Active Directory identity and access management service.

In September, Microsoft had indicated that these LDAP configuration changes would arrive starting in mid-January 2020. However, the revised Security Advisory ADV190023 now suggests that the configuration changes will arrive with the March 2020 Windows updates, but will only get enforced with "a further future monthly update, anticipated for release the second half of calendar year 2020."

Microsoft plans to send a notice to its customers when the March updates for LDAP channel binding and LDAP signing are available.

There are no workarounds or "mitigations" for these LDAP settings in the meantime other than turning them on manually, which Microsoft says IT pros can do, with the caveat that compatibility issues could arise: once signing is required, clients that bind without signing or over cleartext are refused, and once channel binding is enforced, clients that bind over LDAPS without a channel binding token are refused.
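The manual route Microsoft describes, as an added example that is not part of the article or of Microsoft's advisory: the PowerShell below (assumed to run elevated on a domain controller) reads the current settings, turns on the diagnostic logging that names clients still doing unprotected binds, and summarises those clients, so that enforcement is only switched on once the list is empty. The registry value names and event IDs are Microsoft's documented ones but do not appear on this page; the event property positions are an assumption taken from the event message templates and should be checked against one real event.

```powershell
# Added example, not code from the article or from Microsoft. Run elevated on a
# domain controller. Audit first, enforce last.
#
# Registry values and event IDs are Microsoft's documented ones (not mentioned
# on this page); event property positions are assumed from the event templates.

$NtdsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$NtdsDiag   = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'

function Get-LdapHardeningState {
    # LDAPServerIntegrity:       1 = None (default), 2 = Require signing
    # LdapEnforceChannelBinding: 0 = Never (default), 1 = When supported, 2 = Always
    $p = Get-ItemProperty -Path $NtdsParams -ErrorAction SilentlyContinue
    $cbt = switch ([int]$p.LdapEnforceChannelBinding) {
        2       { 'Always' }
        1       { 'WhenSupported' }
        default { 'Never' }
    }
    [pscustomobject]@{
        SigningRequired    = ([int]$p.LDAPServerIntegrity -eq 2)
        ChannelBindingMode = $cbt
    }
}

function Enable-LdapBindAuditing {
    # Level 2 on "16 LDAP Interface Events" makes the DC log one event per
    # offending client: 2889 for an unsigned SASL bind or cleartext simple
    # bind, and 3039 (added by the March 2020 update) for an LDAPS bind that
    # failed channel binding token validation. Event 2887, the daily summary
    # count of unprotected binds, is logged regardless of this setting.
    Set-ItemProperty -Path $NtdsDiag -Name '16 LDAP Interface Events' -Value 2 -Type DWord
}

function Get-UnprotectedLdapClients {
    param([int]$Hours = 24)
    $filter = @{
        LogName   = 'Directory Service'
        Id        = 2889, 3039
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    # -ErrorAction SilentlyContinue: Get-WinEvent raises an error when nothing
    # matches, and an empty result is the outcome we are waiting for.
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Assumed layout: property 0 = "client IP:port",
            # property 1 = identity the client tried to bind as.
            if ($_.Id -eq 2889) { $problem = 'UnsignedOrCleartextBind' }
            else                { $problem = 'MissingChannelBinding' }
            [pscustomobject]@{
                Client   = $_.Properties[0].Value
                Identity = $_.Properties[1].Value
                Problem  = $problem
            }
        } |
        Group-Object Client, Identity, Problem |
        ForEach-Object {
            [pscustomobject]@{
                Client   = $_.Group[0].Client
                Identity = $_.Group[0].Identity
                Problem  = $_.Group[0].Problem
                Binds    = $_.Count
            }
        } |
        Sort-Object Binds -Descending
}

function Set-LdapHardening {
    # Only after Get-UnprotectedLdapClients comes back empty. If the matching
    # Group Policy settings ("Domain controller: LDAP server signing
    # requirements" and, after the March 2020 update, "Domain controller: LDAP
    # server channel binding token requirements") are configured, policy
    # refresh overwrites these registry values, so set them in policy instead.
    Set-ItemProperty -Path $NtdsParams -Name 'LDAPServerIntegrity'       -Value 2 -Type DWord
    Set-ItemProperty -Path $NtdsParams -Name 'LdapEnforceChannelBinding' -Value 2 -Type DWord
}

# Usage, in order:
Get-LdapHardeningState
Enable-LdapBindAuditing
# ...let a full cycle of logons, scheduled jobs and month-end processes run, then:
Get-UnprotectedLdapClients -Hours 72 | Format-Table -AutoSize
# Set-LdapHardening   # uncomment only once the list above is empty
```

The offenders this turns up are typically appliances, Linux hosts and Java or Python applications doing simple binds over port 389, and older clients that negotiate LDAPS without sending a channel binding token; each needs to be moved to a signed SASL bind or to LDAPS with channel binding before the domain controller setting is changed, because once enforced, the domain controller refuses those binds rather than logging them.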

Microsoft's initial delay on the configuration changes, explained back in September, was to give IT pros more testing time. Some organizations only make configuration changes after the holiday season, Microsoft had explained back then.

However, a forum discussion thread (sign-up required) suggested that Microsoft was still completing work on enabling the configuration changes in its patches. More details will be provided in this Microsoft blog post, Microsoft promised, according to that thread.

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.
