The Microsoft Windows update due for release on 10 March 2020 will provide new options for administrators to harden the configurations for LDAP channel binding on Active Directory domain controllers.
All Maximo sites that use LDAP to authenticate users against Active Directory should be aware of this change, its immediate impact, and the opportunity it presents to better protect the organisation from man-in-the-middle (including relay) attacks on LDAP traffic in the future.
What is changing and why?
LDAP channel binding and LDAP signing provide ways to increase the security for communications between LDAP clients and Active Directory domain controllers. However, some default configurations allow communication without enforcing LDAP channel binding and LDAP signing, leaving systems vulnerable to attack.
Windows updates to be released on March 10, 2020 add the following features to enable hardening:
- New events are logged in the Event Viewer (Directory Service log) related to LDAP channel binding.
- A new Group Policy setting, "Domain controller: LDAP server channel binding token requirements", to configure LDAP channel binding on supported devices.
The LDAP signing policy, "Domain controller: LDAP server signing requirements", already exists in all supported versions of Windows.
Microsoft's security advisory for the March update (ADV190023) stresses that the update itself will not change the default LDAP signing or LDAP channel binding policies, or their registry equivalents, on new or existing Active Directory domain controllers. However, there is speculation that hardened defaults will be enforced in a future update, so the March update is best treated as the start of a preparation window rather than the end of the matter.
The impact for Maximo
LDAP is a popular authentication option for Maximo, particularly for organisations looking to establish one standard authentication directory for all enterprise applications and enable Single Sign On for users.
Under the current defaults, some Maximo sites may be sending authentication requests as Simple Authentication and Security Layer (SASL) LDAP binds that do not request signing (integrity verification), or as LDAP simple binds over a clear-text (non-SSL/TLS-encrypted) connection on port 389. Both leave the credentials or the session unprotected on the wire, and both are exactly what the hardened settings reject.
This means that once hardened settings are enforced, whether by your own Group Policy or by a future Microsoft default, Maximo authentication requests of the following kinds will fail:
- LDAP clients that do not enable or support signing will not connect once signing is required.
- LDAP simple binds over non-TLS connections will be rejected if LDAP signing is required.
- LDAP clients that connect over SSL/TLS but do not provide a channel binding token (CBT) will fail if the server requires a CBT.
- SSL/TLS connections that are terminated by an intermediate server (for example a load balancer or proxy) which then opens a new connection to the Active Directory domain controller will fail, because the CBT is derived from the client's own TLS session and cannot be carried across a second connection.
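As an added illustration of the points above (the new events and the list of binds that will fail), not code from Clarita Solutions, Microsoft or IBM, the following PowerShell script audits a domain controller: it reads the current signing and channel binding settings, raises the LDAP diagnostics level so that every insecure bind is logged individually, and summarises the resulting events by client address and account so the Maximo hosts and service accounts that would break can be identified before anything is enforced. Registry paths, value meanings and event IDs are those Microsoft documents in the articles listed at the end of this page; the 24-hour window and the regular expressions over the English event text are assumptions.

```powershell
# Added example (not from Clarita Solutions, Microsoft or IBM): audit a domain
# controller's LDAP signing / channel binding posture and list the clients that
# currently bind insecurely. Run in an elevated PowerShell session on the DC.
# Registry paths, value meanings and event IDs follow ADV190023; the 24-hour
# window and the English message-field regexes are assumptions.

$ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS'

# 1. Current enforcement settings. A missing value means the default, i.e. nothing enforced.
$p = Get-ItemProperty -Path "$ntds\Parameters"
[pscustomobject]@{
    LDAPServerIntegrity       = $p.LDAPServerIntegrity        # 1 = None (default), 2 = Require signing
    LdapEnforceChannelBinding = $p.LdapEnforceChannelBinding  # 0 = Never (default), 1 = When supported, 2 = Always
} | Format-List

# 2. Raise "16 LDAP Interface Events" to 2 so the DC logs one event per insecure bind:
#    2889 = unsigned SASL bind or clear-text simple bind, 3039 = failed channel binding token.
#    At the default level only the 24-hourly summaries (2886, 2887, 2888, 3040, 3041) appear,
#    so re-run steps 3-5 after the raised level has been in place for a full business day.
Set-ItemProperty -Path "$ntds\Diagnostics" -Name '16 LDAP Interface Events' -Value 2 -Type DWord

# 3. Collect the relevant Directory Service events from the last 24 hours (assumed window).
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Directory Service'
    Id        = 2886, 2887, 2888, 2889, 3039, 3040, 3041
    StartTime = (Get-Date).AddHours(-24)
} -ErrorAction SilentlyContinue

# 4. Summaries first: how many insecure binds the DC saw or rejected, and whether it
#    is still warning that signing / CBT validation are not required.
$events | Where-Object { $_.Id -in 2886, 2887, 2888, 3040, 3041 } |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } } |
    Format-Table -AutoSize

# 5. Per-client detail: 2889 and 3039 messages carry "Client IP address: <addr>:<port>" and
#    "Identity the client attempted to authenticate as: <account>". Group on both so the
#    Maximo application servers and their bind accounts stand out.
$events | Where-Object { $_.Id -in 2889, 3039 } | ForEach-Object {
    $m = $_.Message
    [pscustomobject]@{
        Event   = $_.Id
        Client  = if ($m -match 'Client IP address:\s*(\S+)') { $Matches[1] } else { '?' }
        Account = if ($m -match 'Identity the client attempted to authenticate as:\s*(\S+)') { $Matches[1] } else { '?' }
    }
} | Group-Object Event, Client, Account | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

A client that appears under event 2889 is making the unsigned SASL or clear-text simple binds described in the first two bullets above; one that appears under 3039 is connecting over TLS without a valid channel binding token (the third and fourth bullets). Either way, the Maximo application server should be reconfigured and the audit repeated until it no longer appears, before the Group Policy settings are moved to "Require".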
Clarita Solutions always recommend that system vulnerabilities and security threats be addressed promptly and comprehensively to protect the organisation, its staff and stakeholders from theft and disruption.
We advise Maximo and system administrators to:
- Configure Active Directory domain controllers to require LDAP signing and channel binding. To secure the traffic, run LDAP over port 636 using TLS/SSL (LDAPS), or enforce signing on SASL binds over port 389.
- Register for Microsoft's security notifications mailer to be alerted of changes to this advisory and to be advised if/when the hardened configuration becomes enforced. See Microsoft Technical Security Notifications.
- If HTTP cookies are used to transmit session tokens, set the Secure flag so they are never sent over clear-text HTTP.
- Find and fix any application compatibility issues in the environment before enforcing the hardened settings.
- Ensure applications use transport-level encryption (SSL or TLS) to protect all sensitive communications between the client and the server. Communications that should be protected include the login mechanism and related functionality, and any functions where sensitive data can be accessed or privileged actions can be performed.
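As an added example of the client-side check behind the first and last recommendations above (not code from Clarita Solutions, Microsoft or IBM), the following PowerShell script, run from a domain-joined Windows host that can reach the domain controller, reads the certificate the DC presents on port 636 and then attempts a simple bind with the Maximo bind account over clear-text port 389 and over LDAPS port 636. The host name dc01.example.internal and the account name are placeholders; substitute your own.

```powershell
# Added example (not from Clarita Solutions, Microsoft or IBM): verify that a DC offers
# LDAPS and see how a simple bind behaves over each transport. Host and account are
# placeholders. Uses the .NET LDAP client (System.DirectoryServices.Protocols).
Add-Type -AssemblyName System.DirectoryServices.Protocols
$dc   = 'dc01.example.internal'                     # assumption: your DC's FQDN (must match its certificate)
$cred = Get-Credential -UserName 'svc-maximo@example.internal' -Message 'Maximo LDAP bind account'

# 1. Read the certificate presented on 636. Its issuing CA is what the application server
#    hosting Maximo must trust before LDAP can be moved from 389 to 636. Validation is
#    switched off here only so the certificate can be inspected; never do this for real binds.
$acceptAny = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
$tcp = New-Object System.Net.Sockets.TcpClient($dc, 636)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAny)
$ssl.AuthenticateAsClient($dc)
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]$ssl.RemoteCertificate
"LDAPS certificate: subject={0}; issuer={1}; expires={2:d}; protocol={3}" -f `
    $cert.Subject, $cert.Issuer, $cert.NotAfter, $ssl.SslProtocol
$ssl.Dispose(); $tcp.Dispose()

# 2. Attempt a simple bind over a given transport and report the LDAP result.
function Test-SimpleBind {
    param([string]$Server, [int]$Port, [bool]$UseTls, [pscredential]$Credential)
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $Port)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.SessionOptions.ProtocolVersion   = 3
    $conn.SessionOptions.SecureSocketLayer = $UseTls
    $conn.AuthType   = [System.DirectoryServices.Protocols.AuthType]::Basic   # simple bind
    $conn.Credential = $Credential.GetNetworkCredential()
    try {
        $conn.Bind()
        "{0}:{1} tls={2} -> bind OK" -f $Server, $Port, $UseTls
    } catch [System.DirectoryServices.Protocols.LdapException] {
        # Result code 8 (strongerAuthRequired) is what a DC returns for a clear-text simple
        # bind once "LDAP server signing requirements" is set to Require signing.
        # Code 81 (server down) on the 636 attempt usually means this host does not trust
        # the certificate chain reported in step 1.
        "{0}:{1} tls={2} -> bind FAILED, code {3}: {4}" -f $Server, $Port, $UseTls,
            $_.Exception.ErrorCode, $_.Exception.Message
    } finally {
        $conn.Dispose()
    }
}

Test-SimpleBind -Server $dc -Port 389 -UseTls $false -Credential $cred   # expected to fail once signing is required
Test-SimpleBind -Server $dc -Port 636 -UseTls $true  -Credential $cred   # expected to succeed
```

Run this before and after the domain controllers are hardened. Before, both binds succeed, which is the problem: the clear-text one sends the Maximo service account's password in the clear. After, only the 636 bind should succeed, and the same certificate chain reported in step 1 must be imported into the trust store of the application server hosting Maximo so that its own LDAP configuration can be switched to port 636.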
See the following Microsoft Knowledge Base articles for guidance on how to enable LDAP channel binding and LDAP signing on Active Directory Domain Controllers:
- 2020 LDAP channel binding and LDAP signing requirement for Windows
- ADV190023 | Microsoft Guidance for Enabling LDAP Channel Binding and LDAP Signing
- Frequently asked questions about changes to LDAP
- Use the LdapEnforceChannelBinding registry entry to make LDAP authentication over SSL/TLS more secure
- How to enable LDAP signing in Windows Server 2008