Detect insecure LDAP bindings before March 2020

[German]A short tip for Windows administrators. Until March 2020 you have to make sure that access to domain controllers is only possible via secure LDAP bindings. Four commands can help identify shaky systems.

I had already mentioned this at Christmas 2019 here in the blog in the article Microsoft enforces secure connections to the Domain Controller from January 2020. But maybe not every administrator has noticed that. In addition, Microsoft has put a spoke in my wheel. The mixed ink I used to print the post on the internet was not yet dry, so Microsoft postponed the date from January to March 2020.

Microsoft has pointed out this fact in ADV190023 (Microsoft Guidance for Enabling LDAP Channel Binding and LDAP Signing – see my blog post Microsoft Security Advisories Dez. 17, 2019).

Four commands to help you track down insecure LDAP Bindings before !!!! March 2020 – Evotec https://t.co/KJrThXscvU

— Thorsten Enderlein (@endi24) January 24, 2020

In case somebody is still struggling with this, Thorsten Enderlein points out an article in the above tweet that promises four commands for support to detect systems with insecure LDAP bindings. Maybe it helps someone.

Addendum: LDAP Channel Binding

Blog reader Tom B. has sent me a supplement by mail and writes: In my experience, there are some misunderstandings in this regard. Microsoft won't make any changes to the LDAP settings, only add new events for monitoring and logging and add GPO.

Microsoft has published the Techcommunity article LDAP Channel Binding and LDAP Signing Requirements – March update default behavior, which contains further details. Maybe it helps someone.