Impact of LDAP channel binding- and LDAP signing-related Windows updates on Control Compliance Suite

Article ID: 184196

Products

Control Compliance Suite Windows

Resolution

Microsoft plans to release a security update to enable LDAP channel binding and LDAP signing hardening changes. This article explains why this Microsoft update does not have any impact on your Control Compliance Suite deployment.

What is happening?

The Microsoft advisory, which is published on the Microsoft security guidance portal, informs you about the upcoming Windows March 2020 updates. After you install these optional updates, a new set of default configurations for LDAP channel binding and LDAP signing on Active Directory Domain Controllers will supersede the older configuration and harden LDAP channel binding and LDAP signing.

What is the impact on Control Compliance Suite?

Broadcom does not expect any impact of the Microsoft update for LDAP channel binding and LDAP signing on any Control Compliance Suite functionality.
However, you must not disable the LDAP access on port 389 because the Control Compliance Suite deployment requires this port to communicate with the Windows LDAP server. This communication is required for several reasons including (but not limited to) the following:
•    User authentication and user authorization (role-based access control)
•    Building domain cache during compliance scans
•    Several configuration-related operations in the ADAM configuration store
If you disable port 389 or block it at the firewall, this communication cannot be established. Broadcom does not have any alternative way to establish this communication because Broadcom does not support LDAPS in Control Compliance Suite yet. So, if you disable port 389, several Control Compliance Suite operations are affected.
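One way to confirm from the Control Compliance Suite server that TCP port 389 is still reachable on each domain controller, and to tell a closed port from one blocked by a firewall. This is an added example, not Broadcom or Microsoft code; the function name Test-LdapPort and the host names are assumptions to replace with your own.

```powershell
# Added example. Run on the CCS server after applying LDAP hardening or firewall changes.
# Placeholder host names: replace with your own domain controllers.
$DomainControllers = @('dc01.example.test', 'dc02.example.test')
$Port      = 389     # plain LDAP port that CCS requires, per this article
$TimeoutMs = 3000

function Test-LdapPort {
    param(
        [Parameter(Mandatory)][string]$Server,
        [int]$Port = 389,
        [int]$TimeoutMs = 3000
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $task = $client.ConnectAsync($Server, $Port)
        if (-not $task.Wait($TimeoutMs)) {
            # No answer at all: packets are typically being dropped by a firewall.
            return 'Filtered'
        }
        return 'Open'
    }
    catch {
        # Wait() wraps the socket error; unwrap to the underlying exception.
        $inner = $_.Exception.GetBaseException()
        if ($inner -is [System.Net.Sockets.SocketException]) {
            switch ($inner.SocketErrorCode) {
                'ConnectionRefused' { return 'Closed' }           # host up, nothing listening
                'HostNotFound'      { return 'NameNotResolved' }  # DNS problem, not a port problem
                default             { return "Error: $($inner.SocketErrorCode)" }
            }
        }
        return "Error: $($inner.Message)"
    }
    finally {
        $client.Close()
    }
}

$results = foreach ($dc in $DomainControllers) {
    [pscustomobject]@{
        DomainController = $dc
        Port             = $Port
        State            = Test-LdapPort -Server $dc -Port $Port -TimeoutMs $TimeoutMs
    }
}
$results | Format-Table -AutoSize
```

Any state other than Open means the LDAP-dependent operations listed above cannot reach that domain controller from this host.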
Broadcom intends to provide LDAPS support in Control Compliance Suite. This article will be updated with more information soon. Until then, for any queries, contact Broadcom Technical Support.