As part of its July 2017 Patch Tuesday security updates, Microsoft introduced a new registry setting that lets administrators harden LDAP authentication over SSL/TLS. With it, the LDAP server validates channel binding tokens (CBT), which tie the authentication to the TLS channel it was sent over, so an authentication that a man-in-the-middle relays into a different TLS session to the server is rejected. Note that this covers only binds over SSL/TLS; plain LDAP connections are governed by the separate signing settings.
The registry setting is called: LdapEnforceChannelBinding
It's located at: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters (this is the key for Active Directory Domain Services; for an AD LDS instance, use the Parameters key under that instance's service name instead)
DWORD value: 0 indicates disabled. No channel binding validation is performed. This is the behavior of all servers that have not been updated, and the effective behavior when the value is absent.
DWORD value: 1 indicates enabled, when supported. All clients that are running on a version of Windows that has been updated to support channel binding tokens (CBT) must provide channel binding information to the server. Clients that are running a version of Windows that has not been updated to support CBT do not have to do so. This is an intermediate option that allows for application compatibility; because it still accepts binds without a CBT from clients the server does not recognize as CBT-capable, it is a stepping stone rather than the end state.
DWORD value: 2 indicates enabled, always. All clients must provide channel binding information. The server rejects authentication requests from clients that do not do so, which includes unpatched Windows clients and any non-Windows LDAP client or library that does not implement CBT, so inventory your LDAPS clients before moving to this value.
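The registry change above as an added PowerShell example (not from the original post or from KB4034879): it audits the current LdapEnforceChannelBinding value on one or more domain controllers, reports what each value means, and sets a new value with -WhatIf support so the change can be dry-run first. It assumes PowerShell remoting (WinRM) to the domain controllers, domain-admin rights, the ActiveDirectory module for the DC enumeration in the usage lines, and that the July 2017 (or later) update is already installed on each DC, since an unpatched server ignores the value.

```powershell
# Added example, not from the original post or from KB4034879.
# Audits and (optionally) sets LdapEnforceChannelBinding on domain controllers.
# Assumptions: WinRM remoting is enabled on the DCs, this runs as a domain admin,
# and the DCs carry the July 2017 (or later) update; unpatched servers ignore the value.

$RegPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$ValueName = 'LdapEnforceChannelBinding'

# Meaning of each DWORD value, as documented in KB4034879.
function ConvertTo-CbtMeaning {
    param([int] $Value)
    switch ($Value) {
        0 { 'Disabled: no channel binding validation (default when the value is absent)' }
        1 { 'Enabled when supported: CBT required from CBT-capable Windows clients only' }
        2 { 'Enabled always: every client must present a CBT or its bind is rejected' }
        default { "Unknown value $Value" }
    }
}

function Get-LdapChannelBindingSetting {
    param([string[]] $ComputerName = $env:COMPUTERNAME)
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        param($Path, $Name)
        $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
        # An absent value behaves like 0 (no validation), so report it that way.
        $current = 0
        if ($null -ne $item) { $current = [int]$item.$Name }
        [pscustomobject]@{
            ComputerName = $env:COMPUTERNAME
            Present      = ($null -ne $item)
            Value        = $current
        }
    } -ArgumentList $RegPath, $ValueName |
    Select-Object ComputerName, Present, Value,
        @{ Name = 'Meaning'; Expression = { ConvertTo-CbtMeaning $_.Value } }
}

function Set-LdapChannelBindingSetting {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][ValidateSet(0, 1, 2)][int] $Value,
        [string[]] $ComputerName = $env:COMPUTERNAME
    )
    foreach ($dc in $ComputerName) {
        $action = "Set $ValueName = $Value ($(ConvertTo-CbtMeaning $Value))"
        if ($PSCmdlet.ShouldProcess($dc, $action)) {
            Invoke-Command -ComputerName $dc -ScriptBlock {
                param($Path, $Name, $Value)
                # REG_DWORD; -Force creates the value if absent or overwrites it if present.
                New-ItemProperty -Path $Path -Name $Name -PropertyType DWord -Value $Value -Force | Out-Null
            } -ArgumentList $RegPath, $ValueName, $Value
        }
    }
}

# Usage (requires the ActiveDirectory module for Get-ADDomainController):
$dcs = (Get-ADDomainController -Filter *).HostName
Get-LdapChannelBindingSetting -ComputerName $dcs | Format-Table -AutoSize

# Staged rollout: dry-run, then value 1; move to 2 only once every LDAPS client is known to send a CBT.
Set-LdapChannelBindingSetting -Value 1 -ComputerName $dcs -WhatIf
Set-LdapChannelBindingSetting -Value 1 -ComputerName $dcs
```

Run the audit before and after the change across all domain controllers, because the setting is per server and a single DC left at 0 still accepts relayed LDAPS binds. Setting 2 directly is tempting, but it turns every CBT-less client (unpatched Windows, and third-party LDAP clients that never implemented channel binding) into a failed bind, so the value 1 stage with a compatibility check of the LDAPS clients is the safer path.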
Associated KB article: KB4034879
Security Advisory: CVE-2017-8563 (an elevation of privilege vulnerability exploitable by a man-in-the-middle attacker who forwards an authentication request to a Windows LDAP server)