Connectors - Microsoft LDAP Hardening - Jan 2020

Service Update

Availability: January 23rd, 2020
Product(s): Email Security Cloud Gateway (CG)
Who's affected: Email Security Cloud Gateway (CG), Administrators

Update 26th February 2020:

Microsoft updated their guidance on 4th February 2020 to state:

The March 2020 updates do not make changes to LDAP signing or channel binding policies or their registry equivalent on new or existing domain controllers.

A further future monthly update, anticipated for release the second half of calendar year 2020, will enable LDAP signing and channel binding on domain controllers configured with default values for those settings.

Update 3rd June 2020:

ADV190023 states that, on new or existing domain controllers:

  • The March 10 update (and updates in the foreseeable future) will not modify or harden the LDAP signing or LDAP channel binding policies (or their registry equivalent).

However, Mimecast strongly recommends configuring channel binding and signing, to allow customers to address this vulnerability.

This advice means that the March 2020 date no longer applies, but in all other respects the guidance provided below remains valid and should be completed as soon as possible. Directory Synchronization over an unencrypted connection will cease to function during the second half of 2020, and we will update this article with any further guidance as we learn more.

Microsoft has communicated that in March 2020 a security update will automatically configure Active Directory servers to require channel binding and Lightweight Directory Access Protocol (LDAP) signing by default. This is to resolve a vulnerability in the default LDAP connection process.

We are communicating this Microsoft change because customers using unencrypted Directory Synchronization connections between Mimecast and on-premises Active Directory services will experience synchronization failures after the update has been applied.

Status

Although the precise timing has not been confirmed by Microsoft, we expect this update to be released on Tuesday March 10, 2020.

Who's affected

All Mimecast customers that synchronize their on-premises Active Directory with their Mimecast account over an unencrypted connection (typically using port 389 or 3268).

What's changing

The Microsoft communication states the current default settings of LDAP may expose Active Directory Domain Controllers to elevation of privilege vulnerabilities. Microsoft will therefore be hardening the default LDAP settings by automatically enabling “LDAP channel binding” and “LDAP signing”.

If this hardening is applied without first configuring encryption on your Directory Connectors then your service will be impacted as follows: 

  • Depending on your recipient validation setting, inbound mail to new users may be rejected.
  • Users will no longer be able to authenticate with their Domain password.
  • Disabled users will no longer be automatically disabled on your Mimecast account.
  • New users will no longer be automatically added to your Mimecast account.
  • Attribute values will no longer synchronize. 

Directory Synchronization via the Mimecast Synchronization Engine (MSE) will not be affected.

Recommended actions

Mimecast strongly recommends the use of an encrypted LDAPS connection using port 636 or 3269 for Directory Synchronization. 

To avoid negative effects arising from the Microsoft update we recommend you take the following actions: 

  • Please check if you have an unencrypted Directory Connector configured on your Mimecast account. For supporting documentation, see LDAP Sync for Active Directory.
  • If “Encrypt Connection” is not enabled, we recommend you update your Directory Connector to an encrypted version as documented at LDAP for Active Directory. This article also holds a link to a supporting Microsoft article. You may also find this Microsoft article useful.

If you can't upgrade your Directory Connector to use encryption and you have already rolled out the Microsoft update, you can override the new defaults by setting the LDAPServerIntegrity registry entry to a value of “1”. You can read more about manual configuration in this Microsoft article.
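As an added example (not Mimecast's or Microsoft's code), the following PowerShell audit, run on a domain controller as a local administrator, reads the signing and channel-binding registry values, checks whether the LDAPS endpoint on port 636 completes a TLS handshake as an encrypted Directory Connector would need, and lists recent Directory Service events 2886 and 2887, which Windows logs when signing is not required and when unsigned binds were seen in the previous 24 hours. The registry path, the LdapEnforceChannelBinding value name and the event IDs are Microsoft's documented ones but are not quoted in this notice; only LDAPServerIntegrity is.

```powershell
# Added audit script (not Mimecast's or Microsoft's code). Run on a domain controller
# as a local administrator. Registry path, value names and event IDs are Microsoft's;
# only LDAPServerIntegrity is quoted in the notice above.
$ntdsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'

function Get-LdapHardeningState {
    $p = Get-ItemProperty -Path $ntdsParams -ErrorAction SilentlyContinue
    # LDAPServerIntegrity: 1 = signing not required (the override value in the notice), 2 = required.
    $integrity = if ($null -ne $p.LDAPServerIntegrity) { [int]$p.LDAPServerIntegrity } else { 1 }
    # LdapEnforceChannelBinding: 0 = never, 1 = when supported, 2 = always.
    $binding = if ($null -ne $p.LdapEnforceChannelBinding) { [int]$p.LdapEnforceChannelBinding } else { 0 }
    [pscustomobject]@{
        LDAPServerIntegrity       = $integrity
        SigningRequired           = ($integrity -eq 2)
        LdapEnforceChannelBinding = $binding
        ChannelBindingEnforced    = ($binding -ge 1)
    }
}

function Test-LdapsEndpoint {
    param([string]$Server = $env:COMPUTERNAME, [int]$Port = 636)
    # An encrypted Directory Connector needs a TLS handshake on 636 (or 3269 for the Global
    # Catalog) against a certificate the client trusts, so validation is left enabled on purpose.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($Server, $Port)
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
        $ssl.AuthenticateAsClient($Server)
        [pscustomobject]@{ Server = $Server; Port = $Port; TlsOk = $true
                           Protocol = $ssl.SslProtocol; Detail = $ssl.RemoteCertificate.Subject }
    } catch {
        [pscustomobject]@{ Server = $Server; Port = $Port; TlsOk = $false
                           Protocol = $null; Detail = $_.Exception.Message }
    } finally { $client.Dispose() }
}

function Get-UnsignedBindEvents {
    # 2886: signing is not required; 2887: count of unsigned or simple binds in the last 24 h.
    Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 2886, 2887 } `
        -MaxEvents 20 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } }
}

Get-LdapHardeningState
Test-LdapsEndpoint
Get-UnsignedBindEvents
```

If Get-LdapHardeningState reports SigningRequired as false while Get-UnsignedBindEvents still returns 2887 entries, clients are binding unsigned and will break once signing is enforced, which is the failure this notice warns about.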

If you require more detailed guidance regarding Domain Controllers and Windows Server configurations we advise you to contact Microsoft.

Further Support

We hope that this communication gives you sufficient information to prepare for the Microsoft update. If you have any questions, comments or concerns, please don't hesitate to contact Mimecast Service Delivery, or your Customer Success Manager.
