Patching for CVE-2017-8563

    Question

  • Microsoft states after you install the patch needed for CVE-2017-8563 on domain controllers that you need to also create a registry key (LdapEnforceChannelBinding) on your DCs. My question is, do clients need to install the related KB for this CVE as well in order for things not to break? Or do clients only need the KB installed if you set the DWORD to value 2 for enabled, always? "Before you enable this setting on a Domain Controller, clients must install the security update that is described in CVE-2017-8563. Otherwise, compatibility issues may arise, and LDAP authentication requests over SSL/TLS that previously worked may no longer work. By default, this setting is disabled."

    This is the article I am referring to: https://support.microsoft.com/en-us/help/4034879/how-to-add-the-ldapenforcechannelbinding-registry-entry 

    Path: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters
    Key: LdapEnforceChannelBinding
    • DWORD value: 0 indicates disabled. No channel binding validation is performed. This is the behavior of all servers that have not been updated.
    • DWORD value: 1 indicates enabled, when supported. All clients that are running on a version of Windows that has been updated to support channel binding tokens (CBT) must provide channel binding information to the server. Clients that are running a version of Windows that has not been updated to support CBT do not have to do so. This is an intermediate option that allows for application compatibility.
    • DWORD value: 2 indicates enabled, always. All clients must provide channel binding information. The server rejects authentication requests from clients that do not do so.

    "Before you enable this setting on a Domain Controller, clients must install the security update that is described in CVE-2017-8563. Otherwise, compatibility issues may arise, and LDAP authentication requests over SSL/TLS that previously worked may no longer work. By default, this setting is disabled."

    Thursday, July 13, 2017 3:42 PM
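    The registry details quoted above translate into a small audit-and-stage script. The following PowerShell is an added example written for this thread, not code from Microsoft or the KB article; it assumes it is run elevated on a domain controller, and the Test-LdapsBind helper (using the .NET System.DirectoryServices.Protocols classes) is a generic LDAPS bind check you can run from a client before and after changing the value to confirm nothing broke.

    ```powershell
    # Added example, not from the thread. Assumes an elevated session on a DC.
    $Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $Name = 'LdapEnforceChannelBinding'
    $Labels = @{ 0 = 'disabled (no CBT validation, same as an unpatched DC)'
                 1 = 'enabled, when supported (updated clients must send CBT)'
                 2 = 'enabled, always (all clients must send CBT)' }

    function Get-LdapChannelBindingSetting {
        # A missing value behaves like 0 (disabled), as the KB article describes.
        $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
        if ($null -eq $item) { return 0 }
        return [int]$item.$Name
    }

    function Set-LdapChannelBindingSetting {
        param([Parameter(Mandatory)][ValidateSet(0, 1, 2)][int]$Value)
        if (-not (Test-Path $Path)) {
            throw "NTDS Parameters key not found; is this host a domain controller?"
        }
        # Refuse to jump straight from 0 to 2: stage through 1 so clients that
        # still lack the CVE-2017-8563 update keep binding over LDAPS meanwhile.
        $current = Get-LdapChannelBindingSetting
        if ($Value -eq 2 -and $current -eq 0) {
            throw "Set the value to 1 first and verify client binds before moving to 2."
        }
        New-ItemProperty -Path $Path -Name $Name -PropertyType DWord -Value $Value -Force | Out-Null
        return (Get-LdapChannelBindingSetting)
    }

    function Test-LdapsBind {
        # Generic LDAPS bind check (port 636, Negotiate auth). Run it from a client
        # after each change; a failure here after raising the value means that
        # client has not received the channel-binding update.
        param([Parameter(Mandatory)][string]$Server)
        Add-Type -AssemblyName System.DirectoryServices.Protocols
        $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, 636)
        $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
        $conn.SessionOptions.SecureSocketLayer = $true
        $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
        try {
            $conn.Bind()
            return $true
        } catch {
            Write-Warning ("LDAPS bind to {0} failed: {1}" -f $Server, $_.Exception.Message)
            return $false
        } finally {
            $conn.Dispose()
        }
    }

    $current = Get-LdapChannelBindingSetting
    Write-Host ("{0} = {1} : {2}" -f $Name, $current, $Labels[$current])

    # Staged rollout (uncomment when ready):
    # Set-LdapChannelBindingSetting -Value 1     # intermediate, app-compatible setting
    # Test-LdapsBind -Server 'dc01.example.local' # placeholder DC name, run from clients
    # Set-LdapChannelBindingSetting -Value 2     # only once every LDAPS client is updated
    ```

    The guard in Set-LdapChannelBindingSetting encodes the ordering the thread settles on: patch DCs, patch clients, then raise the value, with 1 as the compatibility stop along the way.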

All replies

  • Hello,

    If the OS is Windows Server 2016 or Windows 10, the Update in KB or Security Update is the same thing.

    If not, there are usually Monthly Rollup and Security Only. Security Only update is part of Monthly Rollup. If you have already installed Security Only update, you don't need to install Monthly Rollup update introduced in KB.

    Best regards,
    Andy Liu

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, July 14, 2017 6:12 AM
  • Hello,

    Is it safe to configure LdapEnforceChannelBinding to 1 without installing this update on clients (will be updated later)?

    Friday, July 14, 2017 7:35 AM
  • Hello,

    You must install the security update first, and then configure the LdapEnforceChannelBinding. Otherwise, compatibility issues may arise, and LDAP authentication requests over SSL/TLS that previously worked may no longer work. 

    Best regards,

    Andy Liu


    • Proposed as answer by MyFrozenEyes Friday, July 14, 2017 7:51 AM
    Friday, July 14, 2017 7:43 AM