@irj said in RegKey needed in order to fix Patch Tuesday LDAP Vulnerability (CVE-2017-8563):

This is also very important information to highlight:

Note Before you enable this setting on a Domain Controller, clients must install the security update that is described in CVE-2017-8563. Otherwise, compatibility issues may arise, and LDAP authentication requests over SSL/TLS that previously worked may no longer work. By default, this setting is disabled.

To maximize compatibility with older operating system versions (Windows 7 and earlier versions), we recommend that you enable this setting with a value of 1.

To explicitly disable the setting, set the LdapEnforceChannelBinding entry to 0 (zero).

My questions: After installing the security update on Domain Controllers and creating the LdapEnforceChannelBinding registry, do clients have to install the security update if the LdapEnforceChannelBinding registry value DWORD on the DCs were set to 1 (enabled, when supported)? Or only if it was set to value 2 (enabled, always)? I didn't know if clients needed the security update no matter what the DWORD value was set to after creating the LdapEnforceChannelBinding reg key...

@scottalanmiller

Thanks!

@irj

Hello IRJ! The main thing I am getting at is if you patch the DCs and create the LdapEnforceChannelBinding registry key on the DCs, will things break in the environment if the clients haven't installed the patch yet?

@irj

Hey everyone thanks for the input. It looks like we may just deploy the patch everywhere, wait until a majority of the clients install the patch, then create the registry key on the DCs. Also, since the reg change does not require a reboot you can switch values on the fly with ease.

@irj

Hey everyone thanks for the input. It looks like we may just deploy the patch everywhere, wait until a majority of the clients install the patch, then create the registry key on the DCs. Also, since the reg change does not require a reboot you can switch values on the fly with ease.

@dashrender

If clients require the patch first before installing on the DC and making the registry change it should be more clear. https://support.microsoft.com/en-us/help/4034879/how-to-add-the-ldapenforcechannelbinding-registry-entry states that "Before you enable this setting on a Domain Controller, clients must install the security update that is described in CVE-2017-8563. Otherwise, compatibility issues may arise, and LDAP authentication requests over SSL/TLS that previously worked may no longer work. By default, this setting is disabled."

Then it states that "To maximize compatibility with older operating system versions (Windows Server 2008 and earlier versions), we recommend that you enable this setting with a value of 1. See Microsoft Security Advisory 973811 for more details."

I was thinking, if you set the DWORD to value of 1 then clients may not need the patch right away.

@irj

Hello IRJ! The main thing I am getting at is if you patch the DCs and create the LdapEnforceChannelBinding registry key on the DCs, will things break in the environment if the clients haven't installed the patch yet?

@scottalanmiller

Thanks!

@irj said in RegKey needed in order to fix Patch Tuesday LDAP Vulnerability (CVE-2017-8563):

This is also very important information to highlight:

Note Before you enable this setting on a Domain Controller, clients must install the security update that is described in CVE-2017-8563. Otherwise, compatibility issues may arise, and LDAP authentication requests over SSL/TLS that previously worked may no longer work. By default, this setting is disabled.

To maximize compatibility with older operating system versions (Windows 7 and earlier versions), we recommend that you enable this setting with a value of 1.

To explicitly disable the setting, set the LdapEnforceChannelBinding entry to 0 (zero).

My questions: After installing the security update on Domain Controllers and creating the LdapEnforceChannelBinding registry, do clients have to install the security update if the LdapEnforceChannelBinding registry value DWORD on the DCs were set to 1 (enabled, when supported)? Or only if it was set to value 2 (enabled, always)? I didn't know if clients needed the security update no matter what the DWORD value was set to after creating the LdapEnforceChannelBinding reg key...