LDAP Channel Binding and LDAP Signing Requirements for Windows

  • 7024664
  • 03-Jun-2020
  • 09-Jun-2020

Environment

Host Access Management and Security Server (MSS)
Reflection for the Web (RWeb) 12.2 and earlier
Microsoft Windows Servers
Lightweight Directory Access Protocol (LDAP)
Port 389/3268
Port 636/3269

Situation

Microsoft has issued Security Advisory ADV190023, which addresses a vulnerability in the default LDAP configuration of Windows Servers. The advisory recommends changing the settings for LDAP channel binding and LDAP signing.

The recommended changes mitigate an attacker's ability to elevate privileges and to mount a man-in-the-middle attack against LDAP connections.

Resolution

Follow the Security Advisory's recommended actions: https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV190023

Micro Focus' Management and Security Server (MSS) already supports these settings; MSS only needs to be configured to use LDAPS on port 636 or 3269. Customers are recommended to move to LDAPS when possible, to avoid potential compatibility issues should Microsoft change the default properties in a future Service Pack or Security Update.
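The following audit script is an added example, not code from the Micro Focus article or from Microsoft. Run elevated on a domain controller, it reports whether the two settings ADV190023 recommends are enforced and lists clients still performing unsigned or cleartext LDAP binds (for example an MSS instance still pointed at port 389), so they can be moved to LDAPS before enforcement; the registry value names and Event ID 2889 are those documented in the linked advisory, and the $Days window is the script's own assumption.

```powershell
# Added example, not from the KB article or Microsoft. Audits a DC for the two
# ADV190023 settings and lists clients still doing unsigned/cleartext LDAP binds.
# Registry value names and Event 2889 are as documented in ADV190023;
# the $Days window is this script's own assumption. Run elevated on the DC.
param([int]$Days = 7)

$ntds  = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$props = Get-ItemProperty -Path $ntds -ErrorAction Stop

# LDAPServerIntegrity: 1 = None, 2 = Require signing (an absent value means None)
$signing = $props.LDAPServerIntegrity
# LdapEnforceChannelBinding: 0 = Never, 1 = When supported, 2 = Always (absent = Never)
$cbt = $props.LdapEnforceChannelBinding

$report = @(
    [pscustomobject]@{
        Setting     = 'LDAP server signing requirements (LDAPServerIntegrity)'
        Current     = $(if ($null -eq $signing) { 'not set' } else { $signing })
        Recommended = '2 (Require signing)'
        Compliant   = ($signing -eq 2)
    }
    [pscustomobject]@{
        Setting     = 'LDAP channel binding (LdapEnforceChannelBinding)'
        Current     = $(if ($null -eq $cbt) { 'not set' } else { $cbt })
        Recommended = '2 (Always)'
        Compliant   = ($cbt -eq 2)
    }
)
$report | Format-Table -AutoSize

# Event 2889 in the Directory Service log records each unsigned SASL bind or
# cleartext simple bind once the "16 LDAP Interface Events" diagnostic level is 2.
$filter = @{ LogName = 'Directory Service'; Id = 2889; StartTime = (Get-Date).AddDays(-$Days) }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Host "No Event 2889 entries in the last $Days days (is LDAP Interface Events diagnostics set to 2?)."
    return
}
# Parse the message text rather than relying on the event's parameter order.
$events | ForEach-Object {
    $ip   = if ($_.Message -match 'Client IP address:\s*(\S+)') { $Matches[1] -replace ':\d+$', '' } else { 'unknown' }
    $type = if ($_.Message -match 'Binding Type:\s*(\d)') { $Matches[1] } else { '?' }
    [pscustomobject]@{
        Client = $ip
        Bind   = $(if ($type -eq '1') { 'simple bind, cleartext' } else { 'SASL without signing' })
    }
} | Group-Object Client, Bind | Sort-Object Count -Descending |
    Select-Object Count, @{ n = 'Client, Bind'; e = { $_.Name } } | Format-Table -AutoSize
```

Clients that appear in the second table will fail to bind once signing is set to Require and channel binding to Always, so reconfigure them for LDAPS first.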

Cause

Earlier versions of Windows Server did not enable security settings sufficient to thwart this type of attack.

Status

Security Alert

Additional Information

Microsoft has implemented these changes in newer versions of their operating systems. They may or may not change the default properties to enable these settings in future Service Packs or Security Updates.