News

Microsoft's LDAP Configuration Changes Put on Hold

• By Kurt Mackie
• 02/05/2020

Microsoft's planned changes to the Lightweight Directory Access Protocol (LDAP) will not take effect until the second half of this year.

Update 3/2: More information can be found in this Microsoft FAQ article dated Feb. 28.

The company announced the delay in a Tuesday update to Security Advisory ADV190023. That advisory, originally published back in August, described turning on improvements in LDAP channel binding and LDAP signing for Active Directory domain controllers to add better protections against potential man-in-the-middle attacks. The improvements are expected to harden the security of those two components.

"There is a vulnerability in the default configuration for Lightweight Directory Access Protocol (LDAP) channel binding and LDAP signing and may expose Active directory domain controllers to elevation of privilege vulnerabilities," Microsoft explained in an accompanying support article.

LDAP is an open client-server protocol for use with various directory services that store accounts and passwords. It's used with Microsoft's Active Directory identity and access management service.

In September, Microsoft had indicated that these LDAP configuration changes would arrive starting in mid-January 2020. However, the revised Security Advisory ADV190023 now suggests that the configuration changes will arrive with the March 2020 Windows updates, but will only get enforced with "a further future monthly update, anticipated for release the second half of calendar year 2020."

Microsoft plans send a notice to its customers when the March updates for LDAP channel binding and LDAP signing are available.

There are no workarounds or "mitigations" for these LDAP components in the meantime. Microsoft proposed that IT pros could make manual changes to them, but that compatibility issues could arise.

Microsoft's initial delay on the configuration changes, explained back in September, was to give IT pros more testing time. Some organizations only make configuration changes after the holiday season, Microsoft had explained back then.

However, a PatchManagement.org forum discussion thread (sign-up required) suggested that Microsoft was still completing work on enabling the configuration changes in its patches. More details will be provided in this Microsoft blog post, Microsoft promised, according to that PatchManagement.org thread.