Windows 10: Security Advisory ADV190023 | Microsoft Guidance for Enabling LDAP Channel Binding and LDAP...

Discussion in 'AntiVirus, Firewalls and System Security' started by FrancisSwipes, Oct 9, 2019.

  1. Security Advisory ADV190023 | Microsoft Guidance for Enabling LDAP Channel Binding and LDAP...


    I've been reviewing ADV190023 (which seems to indicate that insecure LDAP binds will no longer be permitted in Active Directory after January 2020). I made the changes to the Windows Registry on my Domain Controllers to get detailed logging information about applications/computers performing either simple LDAP binds or unsigned SASL binds.


    I found that the vast majority of the Event log entries were for OS X computers which were bound to AD and performing unsigned SASL binds. These generated Event ID 2889 in the Directory Service log. By my reading of the Security Advisory, unsigned SASL binds will no longer be permitted after January 2020, so I worked on making the Mac OS X machines use SSL when communicating with AD.


    I made the suggested registry changes on a Test Domain Controller - those changes supposedly will not allow simple LDAP binds or unsigned SASL binds. I tried the test which was specified with LDS and a simple bind and that failed with a "requires a higher level of security" message, which is what was expected.


    However, even after configuring a Mac OS X computer to use SSL (I verified that it is using port 636 TCP to "talk" to the DC) I am getting Event ID 2889 in the Directory Service log indicating that the Mac is still using an unsigned SASL bind. The bind/login process works (I am able to successfully authenticate as an AD user on the Mac over SSL) but the continued error in the Event log bothers me.


    Key points:
    1. If I make the "don't allow insecure LDAP binds" changes on the DC and don't make any changes on the Mac, I am still able to bind/authenticate to AD from the Mac. The Security Advisory seems to indicate that this should fail, but my tests don't agree. Event ID 2889 is generated in the Directory Service Event Log.

    2. If I force the Mac to use SSL to talk to AD (after making the "don't allow insecure LDAP binds" change on the DC) I am able to bind/authenticate to AD from the Mac and I still get the 2889 entry in the DS Event Log. There doesn't seem to be any change in behavior from the Windows side.


    Am I misreading the Security Advisory? Or is there some other change (other than the three registry changes outlined in the Security Advisory) that needs to happen on the DC? I would like this to be a non-issue when Microsoft pushes this change out in January.

    :)
     
    FrancisSwipes, Oct 9, 2019
    #1
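Since the practical question in this thread is which clients are still doing simple or unsigned SASL binds before signing is enforced, here is an added PowerShell example (not from the original post, and not Microsoft's tooling) that summarises Event ID 2889 entries on a domain controller per client address and bind type. It assumes the advisory's "16 LDAP Interface Events" diagnostic value has been set to 2 so that 2889 events are written, and that the event text carries the "Client IP address", "Identity the client attempted to authenticate as" and "Binding Type" fields; the regexes below are written against that layout.

```powershell
# Added example: summarise Directory Service Event ID 2889 on a DC so the
# clients that still use simple or unsigned SASL LDAP binds can be found.
# Assumes: run with admin rights on the DC (or against it via -ComputerName),
# and "16 LDAP Interface Events" = 2 (ADV190023), otherwise nothing is logged.
param(
    [string]$ComputerName = $env:COMPUTERNAME,
    [int]$Days = 7
)

$filter = @{
    LogName   = 'Directory Service'
    Id        = 2889
    StartTime = (Get-Date).AddDays(-$Days)
}
$events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue
if (-not $events) {
    Write-Warning "No 2889 events in the last $Days day(s); check that LDAP Interface Events logging is set to 2."
    return
}

# Binding Type as printed in the 2889 text (assumed mapping from the event message):
# 0 = SASL bind without signing, 1 = simple bind over a clear-text connection.
$kinds = @{ '0' = 'UnsignedSASL'; '1' = 'SimpleBind' }

$rows = foreach ($e in $events) {
    $msg  = $e.Message
    $ip   = if ($msg -match 'Client IP address:\s*(\S+)') { $Matches[1] } else { 'unknown' }
    $id   = if ($msg -match 'Identity the client attempted to authenticate as:\s*(.+)') { $Matches[1].Trim() } else { 'unknown' }
    $type = if ($msg -match 'Binding Type:\s*(\d)') { $Matches[1] } else { '?' }
    [pscustomobject]@{
        TimeCreated = $e.TimeCreated
        ClientIP    = $ip -replace ':\d+$', ''     # drop the source port so one host groups together
        Identity    = $id
        BindKind    = if ($kinds.ContainsKey($type)) { $kinds[$type] } else { "Type$type" }
    }
}

# One line per client address and bind kind: count, identities seen, last occurrence.
$rows |
    Group-Object ClientIP, BindKind |
    ForEach-Object {
        [pscustomobject]@{
            ClientIP   = $_.Group[0].ClientIP
            BindKind   = $_.Group[0].BindKind
            Count      = $_.Count
            Identities = ($_.Group.Identity | Sort-Object -Unique) -join '; '
            LastSeen   = ($_.Group.TimeCreated | Measure-Object -Maximum).Maximum
        }
    } |
    Sort-Object Count -Descending |
    Format-Table -AutoSize
```

Run it on each DC (or loop over `Get-ADDomainController`) because 2889 is logged only on the DC that serviced the bind; a client that appears under UnsignedSASL after being switched to LDAPS is worth re-checking against the advisory's signing requirements rather than assumed fixed.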
  2. Coxclan5 Win User

    LDAP issue

    Trying to sign on to a webmail, and I keep getting an LDAP error. Any suggestions?

    ***Post moved by the moderator to the appropriate forum category.***
     
    Coxclan5, Oct 9, 2019
    #2
  3. LDAP bind issues

    I have several Windows Servers that utilize LDAP. Some of them show on the domain controllers as Event ID 2889, but others do not. These servers are not on the domain. My question is: why are some of the servers not showing that Event ID?
     
    Parweez Popal, Oct 9, 2019
    #3
  4. 3870x2 Win User

    LDAP Directory Program

    Bump! Anyone with an available LDAP directory can test this. If an LDAP directory is read only access to everyone (most are by default), you will be able to access it without the Username or Password field, possibly even beyond the DMZ in some instances.
     
    3870x2, Oct 9, 2019
    #4