|LDAP channel binding and LDAP signing provide ways to increase the security of network communications between an Active Directory Domain Services (AD DS) or an Active Directory Lightweight Directory Services (AD LDS) and its clients. There is a vulnerability in the default configuration for Lightweight Directory Access Protocol (LDAP) channel binding and LDAP signing and may expose Active directory domain controllers to elevation of privilege vulnerabilities. Microsoft Security Advisory ADV190023 address the issue by recommending the administrators enable LDAP channel binding and LDAP signing on Active Directory Domain Controllers. This hardening must be done manually until the release of the security update that will enable these settings by default.
|What is Xerox Doing About This?
|Xerox is working closely with development teams currently assessing possible impacts of the Microsoft security update.
|What Should You Do?
|Microsoft strongly advise administrators to enable LDAP channel binding and LDAP signing between now and March 2020 to find and fix any operating systems, applications or intermediate device compatibility issues in their environment. If any compatibility issue is found, administrators will need to contact the manufacturer of that particular OS, application or device for support.
NOTE: Any OS version, application and intermediate device that performs a man-in-the-middle inspection of LDAP traffic are most likely to be impacted by this hardening change.