The fact is that unencrypted Active Directory (AD) services could be used to spy on computers and exploit vulnerabilities discovered in an unencrypted AD service to attack corporate networks. This could lead to eavesdropping and interception of communications between computers and their users, which in turn would constitute a critical attack on corporate resources.
To address this issue and prevent attackers from gaining unauthorized access to corporate data in this way, Microsoft will significantly improve the security of Windows AD with a security update with the identifier ADV 190023. The update will make communication between the company AD and external web applications possible only in encrypted form via Transport Layer Security (TLS), thus preventing future successful attacks and protecting the AD.

The currently existing vulnerability in the Active Directory Domain Controller LDAP protocol that Microsoft will fix with this security update can be manually bypassed. Microsoft recommends that you change some settings that are described in the following links to the Microsoft support pages:

Die zurzeit existierende Sicherheitslücke im Active Directory Domain Controller LDAP-Protokoll, die Microsoft durch das Sicherheitsupdate beheben wird, kann auf manuellem Wege umgangen werden. Microsoft empfiehlt dazu die Änderung einiger Einstellungen, die unter den folgenden Links zu den Microsoft Supportseiten beschrieben sind:

portal.msrc.microsoft.com

support.microsoft.com

According to the description of the ADV190023, there will be a first update from Microsoft in March 2020, which will include new audit events, additional logging and changes to Group Policy. In a future update, scheduled for the second half of 2020, the new settings will then be activated. The activation will therefore only take place at that time and not yet with the March update, in which only the settings will be made at first.

These changes caused by the update may affect applications that use the LDAP protocol to access Active Directory domain controllers after activation. In our windream ECM-system, this especially concerns the adjustment of users and groups via the windream System Center (WSC) or via the windream Ma-nagement Console (WMC, the former name for the windream administration application).
Due to the expected effects, our development department has tested the recommended settings. No problems with accessing Active Directory Do-main Controllers could be detected. As soon as the security patch announced for March 2020 is available, we will carry out the tests again to make sure that there are no negative effects on the operation of the windream ECM-system. The same procedure will be followed as soon as the second update is released, which has been announced by Microsoft for the second half of 2020.
Finally, we would like to point out that the modules which are responsible for accessing Active Directory Domain Controllers via LDAP already include setting options for authentication, SASL-binding as well as SSL, if they should be required.

Back