NTS INFO: Microsoft LDAP hardening and the move to LDAPS
Dear Customers and Partners,
Lightweight Directory Access Protocol (LDAP) is a network protocol for querying and modifying a distributed directory service. Microsoft Active Directory is the best-known and most widely deployed LDAP implementation.
For LDAP to work, all systems involved must be able to exchange data over TCP port 389, or, in the case of LDAPS (LDAP over TLS), over TCP port 636. Connections on port 389 can also be protected by StartTLS or by SASL signing and sealing (for example with Kerberos); a simple bind on port 389 without either of these sends the password in clear text.
For the second half of 2020, Microsoft has announced a security update for domain controllers that enforces LDAP signing and LDAP channel binding by default (Microsoft advisory ADV190023). Once enforced, a domain controller rejects simple binds over cleartext LDAP on port 389 and SASL binds that do not request signing; only LDAPS connections, subject to channel binding checks, and signed SASL binds are still accepted. For most of the appliances and applications listed below this amounts to the end of unencrypted LDAP connections. The aim is to close a weakness in how Active Directory accepts LDAP binds: an attacker who can intercept an unsigned or unencrypted connection can read credentials from a simple bind or relay the authentication in a so-called "man-in-the-middle" attack and thereby gain access to your systems.
Entirely in line with our motto "Relax, We Care", we would like to inform you proactively about this planned update. Furthermore, we will assist you in checking and converting your systems so that operations continue without restriction.
Below are examples of systems and services from the NTS portfolio that are affected:
- Unified communications services and products such as Cisco Jabber, Cisco Expressway, Cisco Meeting Server, Cisco Unified Communications Manager, Cisco CallManager, NTW Server, Fax Server, Unity Server
- Security services and products that are linked to Active Directory via LDAP, such as Cisco Identity Services Engine (ISE) and the Cisco Email Security Appliance and Web Security Appliance (ESA, WSA)
- Firewalls and services with a direct link to Active Directory for user lookups, such as Cisco Adaptive Security Appliance (ASA), Cisco Firepower and Cisco AnyConnect
- VMware vCenter with a link into Active Directory
It must be stressed that every application or system that still binds to Active Directory over unsigned or cleartext LDAP when the enforcement takes effect will no longer be able to connect. This can restrict the availability of every application that depends on its connection to Active Directory.
NTS therefore strongly recommends identifying all affected applications and systems now, and switching them from LDAP to LDAPS (or, where the client supports it, to signed SASL binds) before the enforcement update is released in the second half of 2020.
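Before an appliance is pointed at port 636, the domain controller must actually offer LDAPS with a certificate the appliance will trust. The following PowerShell function is an added example written for this notice, not code from NTS or Microsoft: it performs a TLS handshake against the DC, reports the presented certificate, whether the local machine trusts its chain and whether the connected host name appears in it, and then attempts a real LDAP bind over TLS with System.DirectoryServices.Protocols. The DC name in the usage line is an assumption; replace it with one of your own domain controllers.

```powershell
# Added example (not NTS's or Microsoft's code): verify that a domain controller
# offers LDAPS on TCP 636 before pointing an appliance at it.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Test-LdapsEndpoint {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $DomainController,   # use the FQDN: it must match the certificate
        [int] $Port = 636,
        [PSCredential] $Credential                           # optional: simple bind over TLS with these credentials
    )
    $result = [ordered]@{
        Server = "${DomainController}:${Port}"; Reachable = $false; TlsProtocol = $null
        Subject = $null; Issuer = $null; NotAfter = $null; ChainTrusted = $false
        ChainStatus = $null; NameInCert = $false; BindOk = $false; Error = $null
    }

    # 1. TLS handshake only: accept any certificate here so it can be inspected, then judge it ourselves.
    try {
        $tcp = New-Object System.Net.Sockets.TcpClient
        $tcp.Connect($DomainController, $Port)              # fails here if 636 is closed or filtered
        $result.Reachable = $true
        $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream -ArgumentList $tcp.GetStream(), $false, $accept
        $ssl.AuthenticateAsClient($DomainController)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $ssl.RemoteCertificate
        $result.TlsProtocol = $ssl.SslProtocol
        $result.Subject  = $cert.Subject
        $result.Issuer   = $cert.Issuer
        $result.NotAfter = $cert.NotAfter

        # Trust: does the chain build against this machine's root and intermediate stores?
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $result.ChainTrusted = $chain.Build($cert)
        $result.ChainStatus  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','

        # Name: the host name used for the connection must appear in the SAN (OID 2.5.29.17) or the subject CN.
        $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        $san = if ($sanExt) { $sanExt.Format($false) } else { '' }
        $needle = [regex]::Escape($DomainController)
        $result.NameInCert = ($san -match $needle) -or ($cert.Subject -match "CN=$needle")
        $ssl.Dispose(); $tcp.Close()
    } catch {
        $result.Error = $_.Exception.Message
        return [pscustomobject]$result
    }

    # 2. Real LDAP bind over LDAPS; the LDAP library validates the certificate itself here,
    #    so an untrusted certificate shows up as a failed bind even though the handshake above succeeded.
    $id = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier -ArgumentList $DomainController, $Port, $true, $false
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection -ArgumentList $id
    $conn.SessionOptions.SecureSocketLayer = $true
    $conn.SessionOptions.ProtocolVersion = 3
    if ($Credential) {
        # A simple bind is acceptable only because TLS wraps it; in cleartext it is exactly what the enforcement rejects.
        $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Basic
        $conn.Credential = $Credential.GetNetworkCredential()
    } else {
        $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate   # Kerberos/NTLM as the current user
    }
    try { $conn.Bind(); $result.BindOk = $true }
    catch { $result.Error = $_.Exception.Message }
    finally { $conn.Dispose() }
    [pscustomobject]$result
}

# Usage (assumed DC name, replace with yours); needs network access to the DC:
# Test-LdapsEndpoint -DomainController 'dc01.corp.example' | Format-List
```

A result with Reachable = $false means port 636 is not open or not reachable from this network segment; ChainTrusted = $false with NameInCert = $true usually means the issuing CA still has to be imported on the appliance; BindOk = $false after a clean handshake points at credentials or at the library's own certificate validation.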
In addition to the enforcement update, Microsoft released an update in March 2020 that adds further audit events and Group Policy settings. This update allows for optimal preparation: the events show which clients still bind without signing or channel binding, and the settings ("Domain controller: LDAP server signing requirements" and "Domain controller: LDAP server channel binding token requirements", also available as registry values) make it possible to enable the enforcement early or, as an alternative where a switch to LDAPS is not possible, to override the change of the enforcement update via Group Policy or registry entry.
In short, NTS recommends the following steps to ensure that all applications can still communicate with Active Directory after the update:
- Enable and collect the LDAP audit events on the domain controllers (event 2889 in the Directory Service log for each unsigned or cleartext bind, plus the channel binding events 3039 and 3040 added by the March 2020 update) in order to detect unencrypted connections and identify the systems behind them.
- Enable "LDAP channel binding" and "LDAP signing" on all Windows systems (on domain controllers via the Group Policy settings named above, on clients via "Network security: LDAP client signing requirements"); NTS will take care of the necessary adaptations on the systems it manages.
- Monitoring and hypercare phase
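The first two steps above, carried out on a domain controller, as an added PowerShell example written for this notice (not code from NTS or Microsoft): it switches on the LDAP interface diagnostics that produce event 2889, parses those events into one row per client so the systems to convert can be handed to their owners, and applies the signing and channel binding settings via their documented registry values (in a domain you would normally set the equivalent Group Policy instead). The sample messages behind the -Sample switch are constructed here for an offline run; their IP addresses and account names are invented.

```powershell
# Added example, not code from NTS or Microsoft: find the clients that still bind
# unsigned or in cleartext, and set the server-side hardening.

$NtdsDiag   = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'
$NtdsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'

function Enable-LdapInterfaceAuditing {
    # Level 2 of "16 LDAP Interface Events" makes the DC write event 2889 (Directory Service log)
    # for each SASL bind without signing and each simple bind over cleartext LDAP. Run as admin on the DC.
    Set-ItemProperty -Path $NtdsDiag -Name '16 LDAP Interface Events' -Value 2 -Type DWord
}

function ConvertFrom-LdapBindEvent {
    param([Parameter(Mandatory)] [string] $Message, [datetime] $TimeCreated = (Get-Date))
    # A 2889 message lists, each on its own line, "Client IP address:" <ip>:<port>,
    # "Identity the client attempted to authenticate as:" <account> and "Binding Type:" 0 or 1
    # (0 = SASL bind without signing, 1 = simple bind over cleartext).
    $ip = $null; $identity = $null; $kind = 'unknown'
    if ($Message -match 'Client IP address:\s*(\S+):(\d+)') { $ip = $Matches[1] }
    if ($Message -match 'authenticate as:\s*(.+?)\s*Binding Type') { $identity = $Matches[1].Trim() }
    if ($Message -match 'Binding Type:\s*(\d)') {
        $kind = if ($Matches[1] -eq '1') { 'Simple-cleartext' } else { 'SASL-unsigned' }
    }
    [pscustomobject]@{ TimeCreated = $TimeCreated; ClientIp = $ip; Identity = $identity; BindKind = $kind }
}

function New-SampleBindMessage {
    param([string] $Ip, [int] $Port, [string] $Identity, [int] $Type)
    # Constructed sample that mirrors the layout of a real 2889 message (labels and values on separate lines).
    @('The following client performed a SASL (Negotiate/Kerberos/NTLM/Digest) LDAP bind without requesting signing (integrity verification), or performed a simple bind over a clear text (non-SSL/TLS-encrypted) LDAP connection.',
      '', 'Client IP address:', "${Ip}:${Port}",
      'Identity the client attempted to authenticate as:', $Identity,
      'Binding Type:', "$Type") -join "`r`n"
}

# Constructed sample data (invented addresses and accounts) for an offline run.
$SampleMessages = @(
    (New-SampleBindMessage -Ip '10.20.30.40' -Port 51234 -Identity 'CORP\svc-jabber' -Type 1),
    (New-SampleBindMessage -Ip '10.20.30.40' -Port 51240 -Identity 'CORP\svc-jabber' -Type 1),
    (New-SampleBindMessage -Ip '10.20.30.77' -Port 40021 -Identity 'CORP\svc-ise'    -Type 1),
    (New-SampleBindMessage -Ip '10.20.31.5'  -Port 60111 -Identity 'CORP\vcenter$'   -Type 0)
)

function Get-UnsignedLdapBinds {
    param([int] $Hours = 24, [switch] $Sample)
    $events = if ($Sample) {
        $SampleMessages | ForEach-Object { ConvertFrom-LdapBindEvent -Message $_ }
    } else {
        Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 2889; StartTime = (Get-Date).AddHours(-$Hours) } -ErrorAction SilentlyContinue |
            ForEach-Object { ConvertFrom-LdapBindEvent -Message $_.Message -TimeCreated $_.TimeCreated }
    }
    # One row per client and bind kind: this is the list of systems to move to LDAPS (or signed SASL).
    $events | Group-Object ClientIp, BindKind | ForEach-Object {
        [pscustomobject]@{
            ClientIp   = $_.Group[0].ClientIp
            BindKind   = $_.Group[0].BindKind
            Binds      = $_.Count
            Identities = (@($_.Group | ForEach-Object { $_.Identity }) | Sort-Object -Unique) -join ', '
        }
    } | Sort-Object Binds -Descending
}

function Set-LdapServerHardening {
    param([Parameter(Mandatory)] [ValidateSet('Audit', 'Enforce')] [string] $Mode)
    # Registry equivalents of the Group Policy settings:
    #   "Domain controller: LDAP server signing requirements"               -> LDAPServerIntegrity (1 = none, 2 = require signing)
    #   "Domain controller: LDAP server channel binding token requirements" -> LdapEnforceChannelBinding (0 = never, 1 = when supported, 2 = always)
    # 'Audit' leaves both off (only the events are produced); 'Enforce' is the combination the planned update was announced to enable.
    $integrity = if ($Mode -eq 'Enforce') { 2 } else { 1 }
    $cbt       = if ($Mode -eq 'Enforce') { 1 } else { 0 }
    Set-ItemProperty -Path $NtdsParams -Name 'LDAPServerIntegrity'       -Value $integrity -Type DWord
    Set-ItemProperty -Path $NtdsParams -Name 'LdapEnforceChannelBinding' -Value $cbt       -Type DWord
}

# Offline demo on the constructed messages. On a DC: Enable-LdapInterfaceAuditing, wait a full day
# (clients such as vCenter or ISE may bind rarely), then Get-UnsignedLdapBinds, and only after the list
# is empty: Set-LdapServerHardening -Mode Enforce.
Get-UnsignedLdapBinds -Sample | Format-Table -AutoSize
```

Run against the sample data, the table lists 10.20.30.40 with two cleartext simple binds as svc-jabber on top, followed by the ISE service account and the vCenter machine account whose SASL bind merely lacks signing; the latter is usually fixed by enabling signing on the client rather than by moving it to LDAPS.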
Should you have any questions or require assistance, do not hesitate to contact us 24/7/365 as usual at firstname.lastname@example.org or by phone on +43 316 405455-20.
Relax, We Care