In the latest installment of the Active Directory Hardening Series, Jerry Devore discusses the importance of enforcing LDAP channel binding to enhance security against relay and MITM attacks. He explains how channel binding, when combined with LDAP signing, helps ensure the integrity of TLS sessions, thereby protecting sensitive data during transmission.

Active Directory Hardening: Enforcing LDAP Channel Binding
In the latest installment of the Active Directory Hardening series, Jerry Devore dives into the essential topic of LDAP channel binding. This critical security measure is designed to bolster the protection against relay and Man-in-the-Middle (MITM) attacks.
What’s New?
Channel binding is a relatively new concept in the realm of LDAP security. It aims to ensure that the TLS session used for LDAP connections remains intact throughout the session’s duration. This is crucial because it closes a potential loophole where an attacker could terminate and manipulate the TLS session.
“Channel binding helps close this loophole by ensuring the TLS session used to start the connection remains the TLS session for the lifetime of the session.”
Major Updates in Enforcement Settings
LDAP Channel Binding support was first introduced in March 2020 and has been backported to Windows Server 2008. The Group Policy Object (GPO) setting for enforcement is named Domain controller: LDAP server channel binding token requirements. This setting manages the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\LdapEnforceChannelBinding.
There are three enforcement options:
- Never: No channel binding validation is performed.
- When supported: Clients that advertise support for channel binding but do not provide a valid Channel Binding Token (CBT) will be rejected; clients that do not advertise support are still allowed to bind.
- Always: Any connection lacking a valid CBT will be rejected, regardless of client support.
Importantly, channel binding is not enabled by default, and changes take effect immediately without requiring a reboot.
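The following PowerShell is an added example, not code from the blog post: it reads LdapEnforceChannelBinding from every domain controller, reports which enforcement mode each one is in, and flags DCs still at Never. It assumes the ActiveDirectory module and WinRM access to the DCs; the 0/1/2 mapping to Never/When supported/Always is taken from Microsoft's documentation of the setting, not from this page.

```powershell
# Added example (not from the blog post). Assumes: ActiveDirectory module, WinRM to all DCs,
# and the documented DWORD meanings 0 = Never, 1 = When supported, 2 = Always.
$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$ValueName = 'LdapEnforceChannelBinding'
$Modes     = @{ 0 = 'Never'; 1 = 'When supported'; 2 = 'Always' }

function Get-LdapChannelBindingMode {
    param([string[]]$ComputerName = (Get-ADDomainController -Filter * |
                                     Select-Object -ExpandProperty HostName))
    Invoke-Command -ComputerName $ComputerName -ArgumentList $KeyPath, $ValueName -ScriptBlock {
        param($Path, $Name)
        # Property is absent on a DC that was never configured.
        $v = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
        [pscustomobject]@{ DC = $env:COMPUTERNAME; RawValue = if ($v) { $v.$Name } else { $null } }
    } | ForEach-Object {
        $raw = $_.RawValue
        # Not configured behaves like Never, because channel binding is off by default.
        $mode = if ($null -eq $raw) { 'Never (not configured)' } else { $Modes[[int]$raw] }
        [pscustomobject]@{ DC = $_.DC; RawValue = $raw; Mode = $mode }
    }
}

function Set-LdapChannelBindingMode {
    # Direct registry write for labs or verification; in production set the equivalent
    # GPO "Domain controller: LDAP server channel binding token requirements" instead,
    # since Group Policy will overwrite a local value. Takes effect without a reboot.
    param([Parameter(Mandatory)][string[]]$ComputerName,
          [ValidateSet(0, 1, 2)][int]$Value = 1)
    Invoke-Command -ComputerName $ComputerName -ArgumentList $KeyPath, $ValueName, $Value -ScriptBlock {
        param($Path, $Name, $Val)
        New-ItemProperty -Path $Path -Name $Name -PropertyType DWord -Value $Val -Force | Out-Null
    }
}

# Report current state and call out DCs that are not validating CBTs at all.
$report = Get-LdapChannelBindingMode
$report | Format-Table -AutoSize
$report | Where-Object { $_.Mode -like 'Never*' } |
    ForEach-Object { Write-Warning "$($_.DC): LDAP channel binding is not enforced" }
```

Move DCs to "When supported" first and watch the Windows Server 2019+ audit events the post describes before raising them to "Always".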
What’s Important to Know?
While simple binds do not utilize Extended Protection for Authentication (EPA) or CBTs, enforcing channel binding will not adversely affect simple binds over TLS. However, it is essential to ensure that clients support EPA, introduced in August 2009, to benefit from this security measure.
“When SASL binds are made over TLS, the TLS session security replaces the session security offered by LDAP signing.”
For organizations using Windows Server 2019 or newer, auditing is straightforward. The system logs events whenever a client binds without providing a CBT, allowing for effective monitoring and troubleshooting.
In conclusion, enforcing LDAP channel binding is a significant step towards enhancing Active Directory security. By understanding these updates, IT professionals can better protect their networks from potential threats.
From the Core Infrastructure and Security Blog