Microsoft MS:ADV190023
History: Aug 13, 2019 - 7:00 a.m.

Microsoft Guidance for Enabling LDAP Channel Binding and LDAP Signing

2019-08-13 07:00:00
Microsoft
msrc.microsoft.com

AI Score: 7 High (Confidence: High)

Executive Summary

LDAP channel binding and LDAP signing provide ways to increase the security of communications between LDAP clients and Active Directory domain controllers. A set of unsafe default configurations for LDAP channel binding and LDAP signing exists on Active Directory domain controllers that lets LDAP clients communicate with them without enforcing LDAP channel binding and LDAP signing. This can expose Active Directory domain controllers to an elevation of privilege vulnerability.

Microsoft is aware that when these default configurations are used, an elevation of privilege vulnerability exists in Microsoft Windows that could allow a man-in-the-middle attacker to successfully forward an authentication request to a Windows LDAP server, such as a system running AD DS, which has not been configured to require channel binding and signing or sealing on incoming connections.

Microsoft is addressing this vulnerability by providing recommendations for administrators to harden the configurations for LDAP channel binding and LDAP signing on Active Directory domain controllers, as follows:

  1. In August 2019, Microsoft published ADV190023 with the following recommendations for settings:
     1. Set LDAP signing to **Require Signing** in group policy.
     2. Set the Channel Binding Token (CBT) to **1** as a registry key, or set the **Domain controller: LDAP server channel binding token requirements** group policy to **When Supported** after installing the March 10, 2020 updates.
  2. On March 10, 2020, Windows updates will add options for administrators to harden the configurations for LDAP channel binding on Active Directory domain controllers. The updates add:
     1. The **Domain controller: LDAP server channel binding token requirements** group policy.
     2. CBT signing events 3039, 3040, and 3041 with event source **Microsoft-Windows-ActiveDirectory_DomainService** in the Directory Service event log.
  3. On August 8, 2023, Windows Updates for Server 2022 will add options for administrators to audit client machines that cannot utilize LDAP channel binding tokens via events on Active Directory domain controllers. The updates add the capability to enable CBT events 3074 and 3075 with event source **Microsoft-Windows-ActiveDirectory_DomainService** in the Directory Service event log.
  4. On October 10, 2023, Windows updates for Server 2019 will add options for administrators to audit those clients. The updates add the capability to enable CBT events 3074 and 3075 with event source **Microsoft-Windows-ActiveDirectory_DomainService** in the Directory Service event log.
  5. On October 17, 2023, Microsoft released Windows Server 2022, 23H2 Edition (Server Core installation). This version includes the options for administrators to audit client machines that cannot utilize LDAP channel binding tokens via events on Active Directory domain controllers, and includes the capability to enable CBT events 3074 and 3075 with event source **Microsoft-Windows-ActiveDirectory_DomainService** in the Directory Service event log.
  6. With the release of the November 14, 2023 security updates, the auditing changes added in August 2023 are now available on Windows Server 2022. You do not need to install MSIs or create policies as mentioned in Step 3 of Recommended Actions.
  7. With the release of the January 9, 2024 security updates, the auditing changes added in August 2023 are now available on Windows Server 2019. You do not need to install MSIs or create policies as mentioned in Step 3 of Recommended Actions.
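The following PowerShell script is an added example and is not part of ADV190023 or of any Microsoft KB; it shows how an administrator might verify on a domain controller that the step 1 settings above are in place and summarize the CBT events (3039-3041, 3074, 3075) that the later steps introduce. The registry location and value names (`LdapEnforceChannelBinding`, `LDAPServerIntegrity` under `HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters`) are taken from KB4520412, which this advisory references, not from the advisory text itself, and should be treated as assumptions to verify against the KB; the function names are the example's own.

```powershell
# Added example (not part of ADV190023 or Microsoft's KB code): audit one domain
# controller's LDAP signing / channel binding settings and summarize the CBT audit
# events the advisory lists. Run in an elevated PowerShell session on the DC.
#
# ASSUMPTION: the registry path and value names below come from KB4520412 (which the
# advisory references), not from the advisory text. Verify them against the KB.
$NtdsParameters = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$CbtValueName   = 'LdapEnforceChannelBinding'   # 0 = Never, 1 = When Supported, 2 = Always
$SignValueName  = 'LDAPServerIntegrity'         # 1 = None, 2 = Require signing

function Get-LdapHardeningStatus {
    # Reads both values; a missing value means the unsafe default is still in effect.
    $props = Get-ItemProperty -Path $NtdsParameters -ErrorAction SilentlyContinue

    $cbt  = if ($null -ne $props.$CbtValueName)  { [int]$props.$CbtValueName }  else { 0 }
    $sign = if ($null -ne $props.$SignValueName) { [int]$props.$SignValueName } else { 1 }

    $cbtLabel  = @{ 0 = 'Never'; 1 = 'When Supported'; 2 = 'Always' }[$cbt]
    $signLabel = @{ 1 = 'None'; 2 = 'Require signing' }[$sign]

    [pscustomobject]@{
        ComputerName           = $env:COMPUTERNAME
        ChannelBindingValue    = $cbt
        ChannelBindingSetting  = if ($cbtLabel) { $cbtLabel } else { "Unknown ($cbt)" }
        ChannelBindingHardened = ($cbt -ge 1)    # advisory step 1: CBT = 1 (When Supported) or stricter
        SigningValue           = $sign
        SigningSetting         = if ($signLabel) { $signLabel } else { "Unknown ($sign)" }
        SigningHardened        = ($sign -eq 2)   # advisory step 1: Require Signing
    }
}

function Get-LdapCbtAuditSummary {
    # Counts the CBT-related events named in the advisory over the last $Hours.
    # 3039-3041 arrive with the March 2020 updates; 3074/3075 only appear once the
    # 2023 auditing capability has been enabled as described in KB4520412.
    param([int]$Hours = 24)

    $filter = @{
        LogName      = 'Directory Service'
        ProviderName = 'Microsoft-Windows-ActiveDirectory_DomainService'
        Id           = 3039, 3040, 3041, 3074, 3075
        StartTime    = (Get-Date).AddHours(-$Hours)
    }
    # Get-WinEvent raises an error when nothing matches; suppress it and treat as zero.
    $events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

    foreach ($id in $filter.Id) {
        $matching = @($events | Where-Object Id -eq $id)
        [pscustomobject]@{
            EventId  = $id
            Count    = $matching.Count
            LastSeen = if ($matching.Count) {
                           ($matching | Sort-Object TimeCreated -Descending)[0].TimeCreated
                       } else { $null }
        }
    }
}

$status = Get-LdapHardeningStatus
$status | Format-List

if (-not $status.ChannelBindingHardened -or -not $status.SigningHardened) {
    Write-Warning "LDAP hardening incomplete on $($status.ComputerName): review ADV190023 step 1."
}

Get-LdapCbtAuditSummary -Hours 24 | Format-Table -AutoSize
```

A non-zero count for events 3074 or 3075 identifies clients that cannot use channel binding tokens and therefore need attention before the policy is moved from **When Supported** to a stricter setting; the script only reports, it changes no settings.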

**Important:** The March 10, 2020 updates, and updates in the foreseeable future, will not make changes to LDAP signing or LDAP channel binding policies or their registry equivalents on new or existing domain controllers.

Note that the LDAP signing policy **Domain controller: LDAP server signing requirements** already exists in all supported versions of Windows.

Recommended Actions

Microsoft recommends that administrators configure LDAP signing and LDAP channel binding as recommended in Step One of the Executive Summary of this advisory and as described in detail in KB4520412: 2020 and 2023 LDAP channel binding and LDAP signing requirements for Windows.

How to get notified of updates to this advisory

When the March 10, 2020 Windows updates become available, customers will be notified via a revision to this advisory. If you wish to be notified when these updates are released, we recommend that you register for the security notifications mailer to be alerted of content changes to this advisory. See Microsoft Technical Security Notifications.

References

See the following Microsoft Knowledge Base articles for detailed guidance on how to enable LDAP channel binding and LDAP signing on Active Directory domain controllers:

FAQ

Where can I find further answers to my questions?

For a list of Frequently Asked Questions on LDAP channel binding and LDAP signing on Active Directory Domain Controllers, see KB4546509: Frequently asked questions about changes to Lightweight Directory Access Protocol. See also KB4520412: 2020 and 2023 LDAP channel binding and LDAP signing requirements for Windows.
