Extended Protection for LDAP Authentication (Domain Controllers only)

Information

Configures the LdapEnforceChannelBinding registry value to increase protection against 'man-in-the-middle' attack.
For more information, see https://support.microsoft.com/help/4034879 . Some important points:
* Before configuring this setting to 'Enabled, always,' all clients must have installed the security update described in CVE-2017-8563 (https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-8563).
* See additional support requirements for Windows Server 2008 in linked pages.

Solution

Policy Path: MS Security Guide
Policy Setting Name: Extended Protection for LDAP Authentication (Domain Controllers only)

See Also

https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-sept2019update-for-windows-10-v1903-and/ba-p/890940

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6b.

Plugin: Windows

Control ID: b27e238dfcf9d17ded3266c830c04d3615e7091db55708312271774f34f4852e