Extended Protection for LDAP Authentication (Domain Controllers only)

Information

Configures the LdapEnforceChannelBinding registry value to increase protection against 'man-in-the-middle' attack.
For more information, see https://support.microsoft.com/help/4034879 . Some important points:
* Before configuring this setting to 'Enabled, always,' all clients must have installed the security update described in CVE-2017-8563 (https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-8563).
* See additional support requirements for Windows Server 2008 in linked pages.

Solution

Policy Path: MS Security Guide
Policy Setting Name: Extended Protection for LDAP Authentication (Domain Controllers only)

See Also

https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-final-for-windows-10-v1909-and-windows-server/ba-p/1023093

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6b.

Plugin: Windows

Control ID: 9d91a6beb052c7964f76813b54fd1ffb5605ca40ce3e9e85eca5863f8dce53e8