As part of its continual security improvement, Microsoft planned to release a set of security updates that would automatically change certain security settings, with the potential to break business computers and networks.
The changes were originally planned for the March 2020 monthly Windows updates and were then postponed to later in the year. Microsoft has since advised that the planned automatic security setting changes are postponed indefinitely and will not be applied automatically at this stage. Instead, Microsoft has provided advisory information to help organisations implement the new security settings themselves at any time. However, it is very likely that the changes originally planned for March will eventually make their way into a future update, so we are providing this information to enable our customers to make appropriate preparations.
As originally planned, the security updates would have changed the default security policies and settings in Windows to make it harder for adversaries to attack business infrastructure. However, they could also cause computers and other network devices to lose access to network resources. The updates were planned to automatically change existing security settings for LDAP (“el-dap”), the directory protocol that Windows domain controllers expose and that many devices and applications use to authenticate users and look up directory information; specifically, the settings that control LDAP signing and LDAP channel binding. Changing these LDAP settings could cause breaking changes, but the effect on your infrastructure depends on what infrastructure you have and how it is configured.
The following is an outline of the potential impacts; the list is not exhaustive:
– Domain controllers that have the hardened settings configured will refuse LDAP binds from other servers and client computers that do not request signing (or, over LDAPS, do not supply a channel binding token), including computers running older Windows versions from XP through the original Windows Server 2008 (not 2008 R2) that have not had the required support manually enabled.
– Network routers and other network infrastructure such as switches, physical security appliances and UPSs can be configured to use LDAP for features such as authentication, VPN, Internet security and filtering; these devices may stop servicing requests, causing VPN or Internet browsing outages or other service interruptions, when they rely on servers that use the new security settings.
– Printers, scanners and phone systems can be configured to use LDAP to automatically look up users’ email addresses and phone numbers; these features may stop working after the security changes are applied to Windows.
– If your company uses Linux or UNIX (including macOS) servers that integrate with your Windows domain using LDAP, the security changes may stop these servers integrating with your Windows servers if they are out of date or use an insecure LDAP configuration.
– Other network infrastructure can be configured to use LDAP for various purposes, which may or may not stop working with Windows servers that have the security settings updated.
To reiterate, whilst the security setting changes help to improve network security, implementing them could cause breaking changes on some business networks. Some applications and devices can be configured to use a more secure LDAP configuration that meets the new requirements, but in some cases devices and applications do not support the uplifted settings, and it may be neither possible to update the affected software and equipment nor feasible to replace it. Under Microsoft's original plan, a workaround had to be implemented before the update to prevent the breaking changes. With the automatic changes withdrawn from the update cycle, it is no longer strictly required to implement the workaround before a deadline.
Even though the security setting uplift is no longer planned as an automatic change at this stage, the settings themselves have been available in Windows for some time (with the exception of the auditing setting, more on that below). It is possible, and recommended, to harden your infrastructure against unsigned LDAP binds and LDAP connections without channel binding by applying existing updates where necessary and configuring the new security settings ahead of time.
To assist with managing this change, Microsoft released new audit logging functionality in the March 2020 Windows updates that can be used to identify which clients, software and devices would be affected by the security setting changes. We suggest updating all domain controllers to at least Windows Server 2012 and enabling the new logging to help determine how to proceed with preparing for these changes.
Our recommendation is to prepare for these changes by:
- Ensure that all your infrastructure is up to date with recent updates, and in particular that all Windows servers have at least the March 2020 updates installed
- Enable the new auditing and logging options to record when network computers and devices attempt to use an insecure LDAP configuration; this will let you determine the devices and applications that would be impacted by the updates
- Check the relevant policy settings and ensure that they are at least set to the interim (optional) level, so that the audit events are generated without rejecting clients that do not yet support the new settings
- Review the audit logs to determine which devices and applications will be impacted, and analyse whether it is feasible to update or reconfigure all of them to support the required security changes
- Develop a plan to update or replace devices and systems that are using the old insecure configuration
- Either update the infrastructure configuration so that it enforces the new security settings where possible, or, where that is not possible, implement the workaround to pre-emptively disable the new security settings
- Review the infrastructure configuration and audit logs to ensure that your environment is compliant with the new security settings and therefore will not be impacted when the updates are released
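The preparation steps above, as an added worked example in PowerShell. This is not code from the original advisory or from Microsoft; it was written for this page. It assumes an elevated session on a domain controller that has the March 2020 updates (the last function runs from any domain member). The registry paths and value meanings, the Directory Service event IDs 2889 and 3039 with their message fields, and LDAP result code 8 are the documented ones; the function names, the default -Days window and the placeholder host name dc01.corp.example are this example's own choices.

```powershell
# Added example; not code from the original advisory or from Microsoft. Run in
# an elevated session on each domain controller (Test-UnsignedLdapBind can run
# from any domain member). Registry paths and value meanings, Directory Service
# event IDs 2889 and 3039 with their message fields, and LDAP result code 8
# (strongerAuthRequired) are the documented ones; function names and the
# default -Days window are this example's own choices.

$NtdsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$NtdsDiag   = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'

function Get-LdapHardeningState {
    # LDAPServerIntegrity:       1 = None (default), 2 = Require signing
    # LdapEnforceChannelBinding: 0 = Never (default), 1 = When supported, 2 = Always
    # A missing value is "not explicitly configured": the state a default-changing
    # update would alter, so it is reported as such rather than as the default.
    $p = Get-ItemProperty -Path $NtdsParams -ErrorAction SilentlyContinue
    $d = Get-ItemProperty -Path $NtdsDiag   -ErrorAction SilentlyContinue
    $signingNames = @{ 1 = 'None'; 2 = 'Require signing' }
    $cbtNames     = @{ 0 = 'Never'; 1 = 'When supported'; 2 = 'Always' }
    $signing = if ($null -eq $p.LDAPServerIntegrity) { 'Not configured (behaves as None)' }
               else { $signingNames[$p.LDAPServerIntegrity] }
    $cbt = if ($null -eq $p.LdapEnforceChannelBinding) { 'Not configured (behaves as Never)' }
           else { $cbtNames[$p.LdapEnforceChannelBinding] }
    [pscustomobject]@{
        Computer       = $env:COMPUTERNAME
        Signing        = $signing
        ChannelBinding = $cbt
        AuditLevel     = [int]$d.'16 LDAP Interface Events'   # 2 = per-client audit events on
    }
}

function Enable-LdapInterfaceAudit {
    # Level 2 logs one event 2889 per unsigned or simple bind and one event 3039 per
    # LDAPS bind that fails channel binding validation (3039 also needs channel
    # binding at "When supported" or above). Chatty on busy DCs; reset to 0 when done.
    Set-ItemProperty -Path $NtdsDiag -Name '16 LDAP Interface Events' -Value 2 -Type DWord
}

function Get-InsecureLdapClients {
    # One row per (client, kind of insecure bind): each row is a device or
    # application that still has to be updated, reconfigured or replaced.
    param([int]$Days = 7)
    $filter = @{ LogName = 'Directory Service'; Id = 2889, 3039; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $ip = $who = 'unknown'
        # Both event bodies put each value on the line after its label.
        if ($_.Message -match 'Client IP address:\s*([^\r\n]+)') { $ip = $Matches[1].Trim() -replace ':\d+$', '' }
        if ($_.Message -match 'authenticate as:\s*([^\r\n]+)')   { $who = $Matches[1].Trim() }
        $kind = if ($_.Id -eq 3039) { 'LDAPS bind without channel binding token' }
                elseif ($_.Message -match 'Binding Type:\s*1') { 'Simple bind over cleartext LDAP' }
                else { 'SASL bind without signing' }
        [pscustomobject]@{ Client = $ip; Identity = $who; Kind = $kind; Time = $_.TimeCreated }
    } | Group-Object Client, Kind | ForEach-Object {
        [pscustomobject]@{
            Client     = $_.Group[0].Client
            Kind       = $_.Group[0].Kind
            Binds      = $_.Count
            Identities = ($_.Group.Identity | Sort-Object -Unique) -join '; '
            LastSeen   = ($_.Group.Time | Measure-Object -Maximum).Maximum
        }
    } | Sort-Object Binds -Descending
}

function Test-UnsignedLdapBind {
    # From any domain member, attempt a Negotiate (Kerberos/NTLM) bind with signing
    # and sealing explicitly off. A DC that requires signing rejects it with LDAP
    # result code 8 (strongerAuthRequired); one that accepts it is not yet compliant.
    param([Parameter(Mandatory)][string]$DomainController)
    Add-Type -AssemblyName System.DirectoryServices.Protocols
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection $DomainController
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
    $conn.SessionOptions.ProtocolVersion = 3
    $conn.SessionOptions.Signing = $false
    $conn.SessionOptions.Sealing = $false
    $accepted = $false
    try {
        $conn.Bind()
        $accepted = $true
        $result = 'Accepted: LDAP signing is not enforced on this DC'
    } catch {
        $e = $_.Exception   # PowerShell wraps .NET method exceptions; unwrap to the LdapException
        if ($e.InnerException) { $e = $e.InnerException }
        $result = if ($e -is [System.DirectoryServices.Protocols.LdapException] -and $e.ErrorCode -eq 8) {
            'Rejected with strongerAuthRequired: LDAP signing is enforced'
        } else { "Bind failed for another reason: $($e.Message)" }
    } finally { $conn.Dispose() }
    [pscustomobject]@{ DomainController = $DomainController; UnsignedBindAccepted = $accepted; Result = $result }
}

# Usage on a DC:
#   Get-LdapHardeningState
#   Enable-LdapInterfaceAudit
#   Get-InsecureLdapClients -Days 14 | Export-Csv .\insecure-ldap-clients.csv -NoTypeInformation
# From a workstation after the policy change (dc01.corp.example is a placeholder):
#   Test-UnsignedLdapBind -DomainController dc01.corp.example
```

Run the inventory for at least a full business cycle (month-end and overnight jobs included), because a client that binds once a week never shows up in a three-day window. Audit level 2 is what makes the events per-client; without it the domain controller only records event 2887, a 24-hour count of insecure binds with no client addresses. The settings themselves are best changed through Group Policy on the domain controllers rather than by editing the registry: “Domain controller: LDAP server signing requirements” set to Require signing and “Domain controller: LDAP server channel binding token requirements” set to Always enforce the uplift (When supported is the interim level), while explicitly setting them to None and Never is the workaround for clients that cannot be fixed in time. Test-UnsignedLdapBind only checks signing; a channel binding check needs an LDAPS client that deliberately omits the token, which the inventory above already reports from the server side.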
Although there is no current or imminent risk of the change being applied automatically, some businesses may still choose to update their systems. If you would like guidance and assistance with managing these changes, enabling auditing to help prepare, or any other issues relating to the update, please
We understand how important having the highest level of security is to you and your business, and we want to do all we can to ensure a smooth changeover for those that choose to acquire the new update.