{"id":12798,"date":"2020-01-27T00:01:00","date_gmt":"2020-01-26T23:01:00","guid":{"rendered":"http:\/\/159.69.82.204\/win\/?p=12798"},"modified":"2020-01-29T17:26:57","modified_gmt":"2020-01-29T16:26:57","slug":"unsichere-ldap-bindungen-vor-mrz-2020-ermitteln","status":"publish","type":"post","link":"https:\/\/borncity.com\/win\/2020\/01\/27\/unsichere-ldap-bindungen-vor-mrz-2020-ermitteln\/","title":{"rendered":"Detect insecure LDAP bindings before March 2020"},"content":{"rendered":"<p><img loading=\"lazy\" decoding=\"async\" style=\"float: left; margin: 0px 10px 0px 0px; display: inline;\" src=\"http:\/\/www.borncity.com\/blog\/wp-content\/uploads\/2013\/03\/winb.jpg\" width=\"58\" height=\"58\" align=\"left\" \/>[<a href=\"https:\/\/www.borncity.com\/blog\/?p=227438\" target=\"_blank\" rel=\"noopener noreferrer\">German<\/a>] A short tip for Windows administrators. By March 2020, you have to make sure that access to domain controllers is only possible via secure LDAP bindings. Four commands can help identify shaky systems.<\/p>\n<p><!--more--><\/p>\n<p>I already mentioned this at Christmas 2019 here on the blog, in the article <a href=\"https:\/\/borncity.com\/win\/2019\/12\/25\/microsoft-enforces-secure-connections-to-the-domain-controller-from-january-2020\/\" target=\"_blank\" rel=\"noopener noreferrer\">Microsoft enforces secure connections to the Domain Controller from January 2020<\/a>. But maybe not every administrator has noticed that. In addition, Microsoft has put a spoke in my wheel. 
The ink I used to print the post on the internet was not yet dry when Microsoft postponed the date from January to March 2020.<\/p>\n<p>Microsoft has pointed out this fact in <a href=\"https:\/\/portal.msrc.microsoft.com\/en-US\/security-guidance\/advisory\/ADV190023\" target=\"_blank\" rel=\"noopener noreferrer\">ADV190023<\/a> (Microsoft Guidance for Enabling LDAP Channel Binding and LDAP Signing &#8211; see my blog post <a href=\"https:\/\/borncity.com\/win\/2019\/12\/24\/microsoft-security-advisories-17-dez-2019\/\">Microsoft Security Advisories Dez. 17, 2019<\/a>).<\/p>\n<blockquote class=\"twitter-tweet\">\n<p dir=\"ltr\" lang=\"en\">Four commands to help you track down insecure LDAP Bindings before !!!! March 2020 &#8211; Evotec <a href=\"https:\/\/t.co\/KJrThXscvU\">https:\/\/t.co\/KJrThXscvU<\/a><\/p>\n<p>\u2014 Thorsten Enderlein (@endi24) <a href=\"https:\/\/twitter.com\/endi24\/status\/1220727216469876739?ref_src=twsrc%5Etfw\">January 24, 2020<\/a><\/p><\/blockquote>\n<p>In case somebody is still struggling with this, Thorsten Enderlein points out an article in the above tweet that promises four commands to help detect systems with insecure LDAP bindings. Maybe it helps someone.<\/p>\n<h2>Addendum: <span class=\"lia-message-unread\">LDAP Channel Binding<\/span><\/h2>\n<p>Blog reader Tom B. has sent me an addition by mail and writes: <em>In my experience, there are some misunderstandings in this regard. 
Microsoft won't make any changes to the LDAP settings, only add new events for monitoring and logging and add GPO.<\/em><\/p>\n<p>Microsoft has published the Tech Community article <a href=\"https:\/\/techcommunity.microsoft.com\/t5\/core-infrastructure-and-security\/ldap-channel-binding-and-ldap-signing-requirements-march-update\/ba-p\/921536\" target=\"_blank\" rel=\"noopener noreferrer\">LDAP Channel Binding and LDAP Signing\u00a0Requirements \u2013 March update default behavior<\/a>, which contains further details. Maybe it helps someone.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>[German] A short tip for Windows administrators. By March 2020, you have to make sure that access to domain controllers is only possible via secure LDAP bindings. Four commands can help identify shaky systems.<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[580,2],"tags":[69,194],"class_list":["post-12798","post","type-post","status-publish","format-standard","hentry","category-security","category-windows","tag-security","tag-windows"],"_links":{"self":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/12798","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/comments?post=12798"}],"version-history":[{"count":0,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/12798\/revisions"}],"wp:attachment":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/media?parent=12798"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/categories?post=12798"},{"
taxonomy":"post_tag","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/tags?post=12798"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}