Microsoft AD security advisory ADV190023

In March 2020 Microsoft will release updates related to LDAP connection to Microsoft AD enforcing more secure defaults.
Is something we need to be concerned or be prepared for when using NethServer (remote AD provider, etc.)?


Maybe it could affect NS joined to an AD? I do not really know. I hope @davidep will have time to look into it :wink:

As you said the main concerns are around the “remote AD” accounts provider.

  • If the “remote AD” is also NethServer there is no issue and nothing changes because the LDAP connection is already ciphered (by default).
  • If the “remote AD” is Microsoft there could be issues for those NethServer applications that require LDAP direct access: Nextcloud, Webtop, Roundcube, SOGo, ejabberd…

In the latter case the solution is simple: once the DC has been updated and configured to require LDAP over an encrypted channel, go to Server Manager and fix the accounts provider configuration, to use ldaps:// instead of ldap:// (as alternative, enable TLS).

1 Like

It seems the update for Windows clients (Windows 8.x, 10…) will enable LDAP channel binding and LDAP signing by default through registry key changes.

1 Like