Information
This setting determines whether the LDAP server (Domain Controller) enforces validation of Channel Binding Tokens (CBT) received in LDAP bind requests that are sent over SSL/TLS (i.e. LDAPS).
The recommended state for this setting is: Enabled: Enabled, always (recommended)
Note: All LDAP clients must have the CVE-2017-8563 security update to be compatible with Domain Controllers that have this setting enabled. More information on this setting is available at:
MSKB 4034879: Use the LdapEnforceChannelBinding registry entry to make LDAP authentication over SSL-TLS more secure
Note #2: In March 2020, Microsoft added a new GPO setting named "Domain controller: LDAP server channel binding token requirements", which was bundled with that month's Windows security patches. This new 'native' setting configures the exact same LdapEnforceChannelBinding registry value and does not depend on an ADMX template, so it should be considered a 'superseding' method of achieving the same result. However, since Extended Support ended on January 14, 2020 for Windows Server 2008 (non-R2) and Windows Server 2008 R2, and they are no longer receiving security patches (unless hosted on Azure or under a paid support contract), they typically do not have the March 2020 (or later) patch readily available. If this is the case in your environment, this ADMX-based setting should be used with those OSes instead of the new native setting.
Requiring Channel Binding Tokens (CBT) can prevent an attacker who is able to capture users' authentication credentials (e.g. OAuth tokens, session identifiers, etc.) from reusing those credentials in another TLS session. This also helps to increase protection against 'man-in-the-middle' attacks using LDAP authentication over SSL/TLS (LDAPS).
Solution
To establish the recommended configuration via GP, set the following UI path to Enabled: Enabled, always (recommended):
Computer Configuration\Policies\Administrative Templates\MS Security Guide\Extended Protection for LDAP Authentication (Domain Controllers only)
Note: This Group Policy path does not exist by default. An additional Group Policy template (SecGuide.admx/adml) is required; it is available from Microsoft at this link.
Impact:
All LDAP clients must provide channel binding information over SSL/TLS (i.e. LDAPS). The LDAP server (Domain Controller) rejects authentication requests from clients that do not do so. Clients must have the CVE-2017-8563 security update to support this feature, and may have compatibility issues with this setting without the security update. This may also mean that LDAP authentication requests over SSL/TLS that previously worked may stop working until the security update is installed.
When first deploying this setting, you may initially want to set it only to the alternate value of Enabled: Enabled, when supported (instead of Enabled: Enabled, always (recommended)) on all Domain Controllers. This alternate, interim setting enables support for LDAP client channel binding but does not require it. Then set one DC that is not currently being targeted by LDAP clients to Enabled: Enabled, always (recommended) and test each of the critical LDAP clients against that DC (remediating as necessary), before deploying Enabled: Enabled, always (recommended) to the rest of the DCs.
More information on this setting is available at:
MSKB 4034879: Use the LdapEnforceChannelBinding registry entry to make LDAP authentication over SSL-TLS more secure
Older OSes such as Windows XP, Windows Server 2003, Windows Vista and Windows Server 2008 (non-R2) will first require patches for Microsoft Security Advisory 973811, as well as all associated fixes, in order to be compatible with domain controllers that have this setting deployed.
Note: Only Enabled: Enabled, always (recommended) is actually considered compliant with the CIS benchmark.
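The following PowerShell audit script is an added example, not part of the benchmark text or any Microsoft tooling. It supports the staged rollout described under Impact (interim "when supported" on all DCs, then "always" on one test DC, then the rest) and the compliance note above by reading the LdapEnforceChannelBinding value that both the ADMX setting and the native March 2020 setting write. Assumptions: the registry location HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters and the value meanings 0 = Never, 1 = When supported, 2 = Always are taken from MSKB 4034879; the script needs the ActiveDirectory RSAT module to enumerate DCs, PowerShell remoting (WinRM) to each DC, and rights to read the registry there. The function name Get-LdapChannelBindingState is hypothetical.

```powershell
# Added example: audit LdapEnforceChannelBinding on every Domain Controller and
# report which DCs are at the CIS-compliant value (2 = Always).
# Registry path and value meanings per MSKB 4034879 (assumption, not from the page).
$RegPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$RegName = 'LdapEnforceChannelBinding'

# Human-readable state for each DWORD value.
$StateNames = @{
    0 = 'Never (no CBT validation)'
    1 = 'When supported (interim rollout value)'
    2 = 'Always (recommended, CIS compliant)'
}

# Runs on the remote DC: returns the raw value, or $null if the value is absent.
$ReadValue = {
    param($Path, $Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Value = if ($null -eq $item) { $null } else { [int]$item.$Name }
    }
}

function Get-LdapChannelBindingState {
    # Hypothetical helper name. Defaults to every DC in the current domain.
    param(
        [string[]]$ComputerName = (Get-ADDomainController -Filter * |
                                   Select-Object -ExpandProperty HostName)
    )

    foreach ($dc in $ComputerName) {
        try {
            $result = Invoke-Command -ComputerName $dc -ScriptBlock $ReadValue `
                                     -ArgumentList $RegPath, $RegName -ErrorAction Stop
            $raw = $result.Value
        }
        catch {
            # Unreachable DC or access denied: surface it rather than silently skipping.
            $raw = 'ERROR'
        }

        $state = switch ($raw) {
            { $_ -eq 'ERROR' } { "Query failed: $($_)"; break }
            { $null -eq $_ }   { 'Not configured (value absent; no enforcement)'; break }
            { $StateNames.ContainsKey([int]$_) } { $StateNames[[int]$_]; break }
            default            { "Unexpected value $_" }
        }

        [pscustomobject]@{
            DomainController = $dc
            RawValue         = $raw
            State            = $state
            CisCompliant     = ($raw -is [int] -and $raw -eq 2)
        }
    }
}

# Usage: list every DC, then call out the ones still needing remediation.
$report = Get-LdapChannelBindingState
$report | Format-Table -AutoSize

$nonCompliant = $report | Where-Object { -not $_.CisCompliant }
if ($nonCompliant) {
    Write-Warning ("{0} of {1} DCs are not at 'Always' (value 2): {2}" -f
        $nonCompliant.Count, $report.Count, ($nonCompliant.DomainController -join ', '))
}
else {
    Write-Host 'All Domain Controllers enforce LDAP channel binding (value 2).'
}
```

Run it once after pushing the interim GPO (every DC should report value 1), again after switching the single test DC (exactly one DC at 2), and a final time after the domain-wide change, when the warning should no longer appear. A DC reporting "Not configured" is behaving as if the setting were Never, so treat it the same as a 0 for rollout tracking. Because the script only reads the registry and does not change it, it is safe to schedule as a recurring compliance check.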