To give context, at all the orgs I've worked at there's been tools doing insecure LDAP - e.g. VPN appliances, photocopiers etc.
Prikaži ovu nit
Big change coming to Windows Server this March - insecure LDAP requests will be rejected by default. That's a change in behaviour which will absolutely break things in some orgs How to get in front of the issue:https://opensecurity.global/forums/topic/249-preventing-ldap-apocalypse-in-march-2020-ldap-signing-requirements/ …
-
-
-
Depending on your MS stack maturity, Azure Sentinel has a built in dashboard which shows unencrypted LDAP. It's also visible in MS Advanced Threat Analytics (thank you
@MrYiff).https://twitter.com/GossiTheDog/status/1132636334772776962?s=20 …
Prikaži ovu nit -
New - the LDAP changes in Windows are being delayed to a future date (second half of 2020), and there will be registry values you can set in advance to disable those changes.https://opensecurity.global/forums/topic/249-preventing-ldap-apocalypse-in-march-2020-ldap-signing-requirements/?do=findComment&comment=1154 …
Prikaži ovu nit -
Microsoft might want to go back and amend the various support articles as there's multiple conflicting bits of information now, eg https://support.microsoft.com/en-us/help/4520412/2020-ldap-channel-binding-and-ldap-signing-requirement-for-windows …pic.twitter.com/KnqHUrBma0
Prikaži ovu nit
Kraj razgovora
Novi razgovor -
-
-
MS is actively advising folks to wait for an updated KB. I mean, folks should still get going on this but it seems odd considering we're 6 weeks away from March Patch Tuesday. Any insight into that recommendation? Source:https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/ldap-channel-binding-and-ldap-signing-requirements-march-update/ba-p/921536/page/3#comments …
-
I’ve no idea who that is, but ignore them - you need to take action yesterday.
- Još 15 drugih odgovora
Novi razgovor -
-
-
Oof, this is gonna hurt a lot of custom apps. Written a few myself.... LDAPS / LDAP over TLS wasn't working, already wasted half a day troubleshooting that? Eh, just do plain LDAP, it's behind an encrypted VPN tunnel anyways.
-
Yeah it will break a bunch of stuff, I’ve got stuff at Crabbers written using this and pretty much everybody left in infrastructure there so yoloooooo
Kraj razgovora
Novi razgovor -
-
-
could have sworn it was originally going to be January for the cut off... which is what I told Ops. Which is explains why we are ahead for once...
-
It was pushed back.
- Još 1 odgovor
Novi razgovor -
Čini se da učitavanje traje već neko vrijeme.
Twitter je možda preopterećen ili ima kratkotrajnih poteškoća u radu. Pokušajte ponovno ili potražite dodatne informacije u odjeljku Status Twittera.