{"id":6529,"date":"2023-01-05T06:17:38","date_gmt":"2023-01-05T06:17:38","guid":{"rendered":"https:\/\/pariswells.com\/blog\/?p=6529"},"modified":"2025-04-01T22:58:48","modified_gmt":"2025-04-01T22:58:48","slug":"ldaps-channel-binding","status":"publish","type":"post","link":"https:\/\/pariswells.com\/blog\/research\/ldaps-channel-binding","title":{"rendered":"LDAPS\\LDAP Channel Binding"},"content":{"rendered":"\n

2020 LDAP channel binding and LDAP signing requirements for Windows (KB4520412)<\/p>\n\n\n\n

<\/p>\n\n\n\n

https:\/\/evotec.xyz\/four-commands-to-help-you-track-down-insecure-ldap-bindings-before-march-2020\/<\/a><\/p>\n\n\n\n

https:\/\/www.petenetlive.com\/kb\/article\/0001645<\/a><\/p>\n\n\n\n

https:\/\/techcommunity.microsoft.com\/t5\/core-infrastructure-and-security\/ldap-channel-binding-and-ldap-signing-requirements-march-2020\/ba-p\/921536<\/a><\/p>\n\n\n\n

If the LdapEnforceChannelBinding key is not present, the server will use the new default value of 2 (enforced) after the patch with the LDAP changes is applied (rescheduled to 2nd half of 2020 – NOT in March 2020).<\/p>\n\n\n\n

If you set it manually to 0, 1 or 2 the patch will have no effect, since windows will always respect this manual setting.<\/p>\n\n\n\n

Important<\/strong> The March 10, 2020 updates do not change LDAP signing or LDAP channel binding default policies or their registry equivalent on new or existing Active Directory domain controllers.

Enable Logging<\/strong><\/p>\n\n\n\n

Reg Add HKLM\\SYSTEM\\CurrentControlSet\\Services\\NTDS\\Diagnostics \/v \u201c16 LDAP Interface Events\u201d \/t REG_DWORD \/d 2<\/pre>\n\n\n\n
<\/p>\n\n\n\n
LDAP Signing Events<\/h3>\n\n\n\n
Let\u2019s start with LDAP Signing event logs. Remember that these logs exist since Windows Server 2008, and available regardless of the March 10 Windows Update.<\/p>\n\n\n\n
Event ID<\/strong><\/td>General Description<\/strong><\/td>Trigger<\/strong><\/td>Required Logging Level<\/strong><\/td><\/tr>
2886<\/a><\/td>A summary event-triggered once every 24 hours and indicating that this domain controller is not aligned with Microsoft\u2019s best practices and can be significantly improved by configuring the server to enforce validation of LDAP signing.<\/td>Triggered every 24 hours, on startup or start of service if the Group Policy (Domain controller: LDAP server signing requirements) is set to None.<\/td>0 or higher<\/td><\/tr>
2887<\/a><\/td>A summary event-triggered once every 24 hours and indicating how many LDAP binds that do not request signing and LDAP simple binds that are performed on cleartext have occurred.<\/td>Triggered every 24 hours when Group Policy (Domain controller: LDAP server signing requirements) is set to None and at least one unprotected bind was completed.<\/td>0 or higher<\/td><\/tr>
2888<\/a><\/td>A summary event-triggered once every 24 hours and indicating how many LDAP binds that do not request signing and LDAP simple binds that are performed on cleartext have occurred (and rejected due to the \u201cRequire Signing\u201d option).<\/td>Triggered every 24 hours when the Group Policy (Domain controller: LDAP server signing requirements) is set to Require Signing and at least one unprotected bind was rejected.<\/td>0 or higher<\/td><\/tr>
2889<\/a><\/td>An event triggered every time a client performs LDAP binds that do not request signing or LDAP simple binds using cleartext. The event includes the client IP address and the authentication context (like authenticated user).<\/td>Triggered every time a client does not use signing for binds on sessions on port 389.<\/td>2 or higher<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n
\"\"<\/a><\/figure>\n\n\n\n

<\/p>\n\n\n\n
\"\"<\/a><\/figure>\n\n\n\n
You can use Registry
Reg Add HKLM\\SYSTEM\\CurrentControlSet\\Services\\NTDS\\Parameters \/v “LdapEnforceChannelBinding” \/t REG_DWORD \/d 2<\/p>\n\n\n\n
Also if you download the latest SCT 1.0 (security compliance toolkit) https:\/\/www.microsoft.com\/en-us\/download\/details.aspx?id=55319 <\/a>you will find template “SecGuide.admx” and language file “SecGuide.adml” that you can import in your policies (Central Store or C:\\Windows\\PolicyDefinitions) and from which you can manage Extended Protection for LDAP…..(CBT)<\/p>\n\n\n\n
<\/p>\n\n\n\n
<\/p>\n\n\n\n
Consider modifying Group Policy setting \u201cDomain controller: LDAP server channel binding token requirements\u201d as \u201cWhen Supported\u201d. Remember to check that CVE-2017-8563<\/a> is installed on any supported OS.<\/p>\n\n\n\n
<\/p>\n\n\n\n
<\/p>\n\n\n\n
Configuring the clients<\/h2>\n\n\n\n
How to enable LDAP signing – Windows Server | Microsoft Learn<\/a><\/p>\n\n\n\n
Using a new group policy, first change the settings Network security: LDAP client signing requirements<\/strong>.<\/p>\n\n\n\n
This can be found under: Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options<\/strong>.<\/p>\n\n\n\n
<\/a><\/p>\n\n\n\n
Group policy to prepare clients for LDAP signing<\/p>\n\n\n\n
The option is set to Negotiate signing<\/strong>. Wait until the setting has been applied to all clients.<\/p>\n\n\n\n
Adjusting the domain controller<\/h2>\n\n\n\n
As soon as the change has affected all clients, create another group policy. In the same path as in the previous step, modify the setting Domain controller: LDAP server signing requirements<\/strong>.<\/p>\n\n\n\n
<\/a><\/p>\n\n\n\n
Enforce signing of the LDAP communication for the domain controller<\/p>\n\n\n\n
There, select the Require signing<\/strong> option. Then, link the GPO to the domain controller<\/strong> container.<\/p>\n\n\n\n
Finalizing the clients<\/h2>\n\n\n\n
If the changes are now also active on the DCs, the group policy from the first step can be adapted so that the clients also require LDAP signing.<\/p>\n\n\n\n
The option Network security: LDAP client signing requirements<\/strong> can now simply be changed from Negotiate signing<\/strong> to Require signing<\/strong>.<\/p>\n\n\n\n
Activating channel binding<\/h2>\n\n\n\n
Channel binding is configured on the domain controllers by adding or modifying a corresponding entry in the registry. If it does not already exist, create a new DWORD entry under HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\NTDS\\Parameters<\/strong> with the description LdapEnforceChannelBinding<\/strong>. The values to be assigned are as follows:<\/p>\n\n\n\n
DWORD-Value 0: Disabled<\/p>\n\n\n\n
DWORD-Value 1: Enabled, if supported<\/p>\n\n\n\n
DWORD-Value 2: Always enabled<\/p>\n\n\n\n
In the long term, a value of 2 is recommended, but for the transition phase, the option with a value of 1 can be a good compromise. After the change, the respective domain controller must be restarted.<\/p>\n\n\n\n
Since the March 2020 update, the group policy Domain controller: LDAP server channel binding token requirements<\/strong> has been available for this purpose. There, you can choose between the options Never<\/strong>, When supported<\/strong>, and Always<\/strong>.<\/p>\n\n\n\n
<\/a><\/p>\n\n\n\n
Configuring channel binding for domain controllers via GPO<\/p>\n\n\n\n
<\/p>\n\n\n\n
Before<\/strong> January 2020 Update:
– Install all required Updates
– All DCs: Reg Add HKLM\\SYSTEM\\CurrentControlSet\\Services\\NTDS\\Diagnostics \/v “16 LDAP Interface Events” \/t REG_DWORD \/d 2
– All DCs: Monitor 2887 and 2889 Events
– All DCs: LDAP Channel Binding = 1 (Before Jan 2020 updates this setting is 0)
– Group Policy (Domain Level): Network security: LDAP client signing requirements: None (Before Jan 2020 updates this setting is Negotiate Signing)
– Group Policy (Domaincontrollers): Domain controller: LDAP server signing requirements: NoneAfter January 2020 Update:
– Domain controller: LDAP server signing requirements: Require (from Update)
– All DCs: LDAP Channel Binding = 1 (from Update)
– All DCs: Monitor 2888 EventsIf Problems:
– Domain controller: LDAP server signing requirements: None
– All DCs: Monitor 2887 and 2889 EventsIf all should be good:
– Network security: LDAP client signing requirements: Require
– Domain controller: LDAP server signing requirements: Require
– LDAP Channel Binding = 2<\/p>\n","protected":false},"excerpt":{"rendered":"
2020 LDAP channel binding and LDAP signing requirements for Windows (KB4520412) https:\/\/evotec.xyz\/four-commands-to-help-you-track-down-insecure-ldap-bindings-before-march-2020\/ https:\/\/www.petenetlive.com\/kb\/article\/0001645 https:\/\/techcommunity.microsoft.com\/t5\/core-infrastructure-and-security\/ldap-channel-binding-and-ldap-signing-requirements-march-2020\/ba-p\/921536 If the LdapEnforceChannelBinding key is not present, the server will use the new […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[4152,4151,4154,4155],"class_list":["post-6529","post","type-post","status-publish","format-standard","hentry","category-research","tag-binding","tag-channel","tag-ldap","tag-ldapenfrocechannelbinding"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/posts\/6529","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/comments?post=6529"}],"version-history":[{"count":6,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/posts\/6529\/revisions"}],"predecessor-version":[{"id":8694,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/posts\/6529\/revisions\/8694"}],"wp:attachment":[{"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/media?parent=6529"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/categories?post=6529"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/tags?post=6529"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}