IBM Security MaaS360

Important Information Regarding Microsoft LDAP Channel Binding

By Matt Shaver posted Mon February 10, 2020 01:21 PM

Microsoft recently published an article detailing changes it is making regarding LDAP Channel Binding and Signing.

Although these changes were originally slated to be enabled by a March 2020 update to Windows, Microsoft has since scaled back the update: the changes will not be applied automatically, but they are still recommended.

The article boils down to this: any system that binds to Microsoft Active Directory Lightweight Directory Services without SSL/TLS encryption is at risk of being negatively impacted.

What does this mean for MaaS360 admins?

MaaS360 clients with deployed Cloud Extenders may need to make slight alterations to their configuration, depending on their settings. While Microsoft has reverted its original position that these changes would be made automatically with the March update, it still strongly recommends that clients make them at some point, and it could still force the update in the future. MaaS360 recommends that admins check their environments and ensure they have what is required, should their security teams enforce the Microsoft-recommended settings.

What if the LDAP changes are made?

A large portion of our clientele will remain unaffected. In our testing, only Cloud Extenders with LDAP Visibility/Authentication configured with a bind account using Basic Auth without SSL were impacted. If NTLM, Digest, or Kerberos authentication was set without SSL, the Cloud Extender functioned normally. Services configured with SSL were not impacted.

We recommend that all clients using the LDAP Authentication or Visibility modules with Microsoft Active Directory update their services to use SSL and change the port on the server from 389 to 636 or 3269. This may require coordination with security and LDAP/AD teams.
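A check an admin can run against their own domain controller before and after the move to SSL, added here as an example and not code from the original post or from MaaS360: using only the Python standard library, it sends one simple (Basic Auth style) bind over plain LDAP on 389 and reports the LDAP result code, and it confirms that the certificate presented on the SSL port (636, or 3269 for the global catalog) is trusted by the machine running the check. The host name and bind account are assumed to be supplied by the caller (use a low-privilege test account), and reading resultCode 8 (strongerAuthRequired, per RFC 4511) as the refusal a DC gives to an unsigned cleartext simple bind once signing is required follows Microsoft's description of the policy.

```python
import socket
import ssl

# Minimal BER helpers: just enough for an LDAPv3 simple BindRequest/BindResponse.
def _ber_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body
def _tlv(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(payload)) + payload
def _read_tlv(buf: bytes, pos: int):
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:  # long-form length
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def build_simple_bind(msg_id: int, dn: str, password: str) -> bytes:
    """LDAPMessage{messageID (< 128), BindRequest{version 3, name, simple password}}."""
    bind = _tlv(0x60, _tlv(0x02, b"\x03") + _tlv(0x04, dn.encode()) + _tlv(0x80, password.encode()))
    return _tlv(0x30, _tlv(0x02, bytes([msg_id])) + bind)

def parse_bind_response(data: bytes):
    """Return (messageID, resultCode, diagnosticMessage) from a BindResponse PDU."""
    tag, msg, _ = _read_tlv(data, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = _read_tlv(msg, 0)
    tag, body, _ = _read_tlv(msg, pos)
    if tag != 0x61:  # APPLICATION 1 = BindResponse
        raise ValueError("not a BindResponse")
    _, code, pos = _read_tlv(body, 0)  # ENUMERATED resultCode
    _, _, pos = _read_tlv(body, pos)   # matchedDN, not needed here
    _, diag, _ = _read_tlv(body, pos)
    return int.from_bytes(mid, "big"), int.from_bytes(code, "big"), diag.decode(errors="replace")

def cleartext_simple_bind_result(host: str, dn: str, password: str, port: int = 389) -> int:
    # 0 = DC still accepts an unsigned cleartext simple bind (the at-risk setup); 8 = strongerAuthRequired.
    with socket.create_connection((host, port), timeout=10) as s:
        s.sendall(build_simple_bind(1, dn, password))
        return parse_bind_response(s.recv(4096))[1]

def ldaps_handshake_ok(host: str, port: int = 636) -> bool:
    # True when the DC presents a certificate this machine's trust store accepts on the SSL port.
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as s, ctx.wrap_socket(s, server_hostname=host):
        return True
# Constructed sample, not a real capture: BindResponse for messageID 1 carrying resultCode 8.
SAMPLE_RESPONSE = _tlv(0x30, _tlv(0x02, b"\x01") + _tlv(0x61, _tlv(0x0A, b"\x08") + _tlv(0x04, b"") + _tlv(0x04, b"server requires signing or TLS")))
```

A 0 from cleartext_simple_bind_result means the at-risk configuration still works today, and an 8 means the policy is already enforced and the Cloud Extender must be on SSL; a failing ldaps_handshake_ok means the DC's certificate chain must be trusted by the Cloud Extender host before the port change.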

We recommend that all clients follow recommended security practices and enable SSL even if there is no intention of adopting the LDAP Channel Binding and Signing policy updates from March.