According to a Microsoft article, Microsoft intends to release a security update on Windows Update to add options for administrators to harden the configurations for LDAP channel binding on Active Directory domain controllers. This update is anticipated to be available in March 2020.
If administrators make the hardening changes, Microsoft Active Directory server will reject LDAP simple binds.
The following products using Microsoft Windows LDAP service will be affected by the said update:
- InterScan Messaging Security Virtual Appliance (IMSVA) 9.1
- InterScan Messaging Security Suite (IMSS) 9.1 Linux
- InterScan Messaging Security Suite (IMSS) 7.5 Windows
Below are the details of the impact:
- All IMSVA and IMSS versions support LDAP simple bind. If LDAP simple bind is configured on IMSVA or IMSS, after the hardening changes, LDAP related features will stop working.
- IMSVA 9.1 and IMSS 9.1 Linux users can mitigate the issue by following this Trend Micro article to enable encrypted communication between InterScan Messaging Security and LDAP server.
- IMSS 7.5 Windows only supports LDAP simple bind. If IMSS 7.5 Windows users need to continue using LDAP related features, they need to manually disable the LDAP channel binding and LDAP signing hardening changes made by the update.
IMSVA 9.1, IMSS 9.1 Linux, and IMSS 7.5 Windows using Domino LDAP and Open LDAP will not be impacted.
We strongly advise administrators to enable LDAP channel binding and LDAP signing between now and March 2020 to find and fix IMSVA and IMSS compatibility issues. If any compatibility issue is found, administrators will need to contact Trend Micro for support.