Auth-mageddon deferred (but not averted), Microsoft LDAP Changes now slated for Q3Q4 2020

Published: 2020-02-13
Last Updated: 2020-02-13 13:47:49 UTC
by Rob VandenBrink (Version: 1)
3 comment(s)

Good news, sort-of - - Microsoft has deferred their March changes to LDAP, citing the Christmas change freeze that most sensible organizations implement as their reason:

https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV190023

(thanks very much to Erik van Straten for this news and link!)

Best advice?  Stick to a remediation plan to migrate your LDAP clients to LDAPS, just know that you have a bit more time to implement.

That being said, what does remediation look like?

First, you'll need a trusted certificate on your Domain Controllers.  While you could certainly buy one from a commercial CA, the easy way to do this is to stand up a Microsoft Certificate Authority in your Active Directory, which will issue DC Certificates automagically.

If there's any question about internal CA's, this command will tell you if you have a CA, and what server it's running on:
    certutil -config - -ping

If you don't have a CA, it's a simple install if the web components aren't installed (no reboot is needed).

Next, you'll need to export the public certificate of your CA, so that your LDAP clients that aren't in AD will know to "trust" any certificates issued by that CA.

To export this from the CA, open "Certificate Authority" on the CA.  Go to the CA Properties, choose the certificate / View Certificate / Details / then choose "Copy to File".  If this is a subordinate CA, you'll want the Certificate Chain instead (in the next tab over, "Certificate Path").  Most clients will want either DER or Base-64 versions of the certificate.  You can also export from the CLI using the command "certutil -ca.cert MyCARootCert.cer"

Then, over on the LDAP client, use the menu or config file for the application that is using LDAP, import this certificate.  Be sure to import it as a Trusted CA.  If  you are unsure at this point, check the documentation on the product you are in to be sure.

On that same client, navigate to the menu or config file that has LDAP configured.  Normally it's as simple as changing the protocol from LDAP to LDAPS, and changing the port from 389 to 636.

Test.  Then test again, in particular with a different userid (that isn't an admin).

Rinse, then repeat for any other LDAP clients in your environment.

===============
Rob VandenBrink
rob@coherentsecurity.com

Keywords: LDAP LDAPS
3 comment(s)
ISC Stormcast For Thursday, February 13th 2020 https://isc.sans.edu/podcastdetail.html?id=6866

Comments

What's this all about ..?

Anonymous

Dec 3rd 2022
9 months ago

password reveal .

Anonymous

Dec 3rd 2022
9 months ago

<a hreaf="https://technolytical.com/">the social network</a> is described as follows because they respect your privacy and keep your data secure:

<a hreaf="https://technolytical.com/">the social network</a> is described as follows because they respect your privacy and keep your data secure. The social networks are not interested in collecting data about you. They don't care about what you're doing, or what you like. They don't want to know who you talk to, or where you go.

<a hreaf="https://technolytical.com/">the social network</a> is not interested in collecting data about you. They don't care about what you're doing, or what you like. They don't want to know who you talk to, or where you go. The social networks only collect the minimum amount of information required for the service that they provide. Your personal information is kept private, and is never shared with other companies without your permission

Anonymous

Dec 26th 2022
8 months ago

https://thehomestore.com.pk/

Anonymous

Dec 26th 2022
8 months ago

<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> public bathroom near me</a>
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> nearest public toilet to me</a>
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> public bathroom near me</a>

Anonymous

Dec 26th 2022
8 months ago

<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> public bathroom near me</a>
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> nearest public toilet to me</a>
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> public bathroom near me</a>

Anonymous

Dec 26th 2022
8 months ago

https://defineprogramming.com/

Anonymous

Dec 26th 2022
8 months ago

https://defineprogramming.com/

https://defineprogramming.com/

Dec 26th 2022
8 months ago

Enter comment here... a fake TeamViewer page, and that page led to a different type of malware. This week's infection involved a downloaded JavaScript (.js) file that led to Microsoft Installer packages (.msi files) containing other script that used free or open source programs.
distribute malware. Even if the URL listed on the ad shows a legitimate website, subsequent ad traffic can easily lead to a fake page. Different types of malware are distributed in this manner. I've seen IcedID (Bokbot), Gozi/ISFB, and various information stealers distributed through fake software websites that were provided through Google ad traffic. I submitted malicious files from this example to VirusTotal and found a low rate of detection, with some files not showing as malware at all. Additionally, domains associated with this infection frequently change. That might make it hard to detect.
https://clickercounter.org/

https://defineprogramming.com/

Dec 26th 2022
8 months ago

Enter corthrthmment here...

rthrth

Jan 2nd 2023
8 months ago

Login here to join the discussion.


Diary Archives