Detect insecure LDAP bindings before March 2020

[German]A short tip for Windows administrators. Until March 2020 you have to make sure that access to domain controllers is only possible via secure LDAP bindings. Four commands can help identify shaky systems.


I had already mentioned this at Christmas 2019 here in the blog in the article Microsoft enforces secure connections to the Domain Controller from January 2020. But maybe not every administrator has noticed that. In addition, Microsoft has put a spoke in my wheel. The mixed ink I used to print the post on the internet was not yet dry, so Microsoft postponed the date from January to March 2020.

Microsoft has pointed out this fact in ADV190023 (Microsoft Guidance for Enabling LDAP Channel Binding and LDAP Signing – see my blog post Microsoft Security Advisories Dez. 17, 2019).

In case somebody is still struggling with this, Thorsten Enderlein points out an article in the above tweet that promises four commands for support to detect systems with insecure LDAP bindings. Maybe it helps someone.

Addendum: LDAP Channel Binding

Blog reader Tom B. has sent me a supplement by mail and writes: In my experience, there are some misunderstandings in this regard. Microsoft won’t make any changes to the LDAP settings, only add new events for monitoring and logging and add GPO.


Microsoft has published the Techcommunity article LDAP Channel Binding and LDAP Signing Requirements – March update default behavior, which contains further details. Maybe it helps someone.


This entry was posted in Security, Windows and tagged , . Bookmark the permalink.

2 Responses to Detect insecure LDAP bindings before March 2020

  1. Jason Leidy says:

    Hello, I am glad I follow your posts on a regular basis….I had no idea about the “Secure LDPA Bindings” patch coming in March. I have several sites I follow in relation to Microsoft’s monthly patching, in an effort to avoid surprises. May I ask how you found out about it…I need to add this to my watch list.

    • guenni says:

      I’ve received an e-mail from Microsoft with this notification (I mentioned that within my 1st blog post on Christmas 2019) – but beat me, I don’t know, which mailing list it was (it’s a list, where I got informed about security updates). And I was also notified by some blog readers last year. The current post was initiated by tweet from Thorsten Enderline.

Leave a Reply

Your email address will not be published. Required fields are marked *