
    Best posts made by JSecurity2017

    • RE: RegKey needed in order to fix Patch Tuesday LDAP Vulnerability (CVE-2017-8563)

      @irj said in RegKey needed in order to fix Patch Tuesday LDAP Vulnerability (CVE-2017-8563):

      This is also very important information to highlight:

      Note: Before you enable this setting on a Domain Controller, clients must install the security update that is described in CVE-2017-8563. Otherwise, compatibility issues may arise, and LDAP authentication requests over SSL/TLS that previously worked may no longer work. By default, this setting is disabled.

      To maximize compatibility with older operating system versions (Windows 7 and earlier versions), we recommend that you enable this setting with a value of 1.

      To explicitly disable the setting, set the LdapEnforceChannelBinding entry to 0 (zero).

      My questions: After installing the security update on Domain Controllers and creating the LdapEnforceChannelBinding registry, do clients have to install the security update if the LdapEnforceChannelBinding registry value DWORD on the DCs were set to 1 (enabled, when supported)? Or only if it was set to value 2 (enabled, always)? I didn't know if clients needed the security update no matter what the DWORD value was set to after creating the LdapEnforceChannelBinding reg key...

      posted in IT Discussion
      JSecurity2017
    • RE: If you are new drop in say hello and introduce yourself please!

      @scottalanmiller

      Thanks!

      posted in Water Closet
      JSecurity2017
    • RE: RegKey needed in order to fix Patch Tuesday LDAP Vulnerability (CVE-2017-8563)

      @irj

      Hello IRJ! The main thing I am getting at is if you patch the DCs and create the LdapEnforceChannelBinding registry key on the DCs, will things break in the environment if the clients haven't installed the patch yet?

      posted in IT Discussion
      JSecurity2017
    • RE: RegKey needed in order to fix Patch Tuesday LDAP Vulnerability (CVE-2017-8563)

      @irj

      Hey everyone, thanks for the input. It looks like we may just deploy the patch everywhere, wait until a majority of the clients install the patch, then create the registry key on the DCs. Also, since the reg change does not require a reboot, you can switch values on the fly with ease.

      posted in IT Discussion
      JSecurity2017