CCE-99890-6Platform: cpe:/o:microsoft:windows_server_2012:- | Date: (C)2023-12-27 (M)2023-12-27 |
This setting determines whether the LDAP server (Domain Controller) enforces
validation of Channel Binding Tokens (CBT) received in LDAP bind requests that are sent over SSL/TLS (i.e. LDAPS).
For more information, see https://support.microsoft.com/help/4034879 .
Some important points:
* Before configuring this setting to "Enabled, always," all clients must have installed the security update described in CVE-2017-8563 (https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-8563).
Parameter:
[Never/When Supported/Always]
Technical Mechanism:
(1) GPO: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain controller: LDAP server channel binding token requirements
(2) REG: HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\NTDS\\Parameters!LdapEnforceChannelBinding
CCSS Severity: | CCSS Metrics: |
CCSS Score : 9.0 | Attack Vector: NETWORK |
Exploit Score: 2.2 | Attack Complexity: HIGH |
Impact Score: 6.0 | Privileges Required: NONE |
Severity: CRITICAL | User Interaction: NONE |
Vector: AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H | Scope: CHANGED |
| Confidentiality: HIGH |
| Integrity: HIGH |
| Availability: HIGH |
| |
References: Resource Id | Reference |
---|
SCAP Repo OVAL Definition | oval:org.secpod.oval:def:96113 |