For more information, see [Unlicensed admins](/mem/intune/fundamentals/unlicensed-admins). |
-
### Update rings for Windows 10 or later
Your "Update rings for Windows 10 or later" policy in Intune must not target any Windows Autopatch devices.
From 7c4080a7a54d7a8f7d77fb86bbb5e859dd26eaaa Mon Sep 17 00:00:00 2001
From: Harman Thind <63820404+hathin@users.noreply.github.com>
Date: Thu, 27 Apr 2023 15:37:22 -0700
Subject: [PATCH 2/6] removed unlicensed admin from enroll tenant docs
@tiaraquan FYI on this change, no longer need this check in the assessment. Good to stage ASAP
---
.../windows-autopatch/prepare/windows-autopatch-enroll-tenant.md | 1 -
1 file changed, 1 deletion(-)
diff --git a/windows/deployment/windows-autopatch/prepare/windows-autopatch-enroll-tenant.md b/windows/deployment/windows-autopatch/prepare/windows-autopatch-enroll-tenant.md
index 7e202554d2..4ca771cece 100644
--- a/windows/deployment/windows-autopatch/prepare/windows-autopatch-enroll-tenant.md
+++ b/windows/deployment/windows-autopatch/prepare/windows-autopatch-enroll-tenant.md
@@ -52,7 +52,6 @@ The following are the Microsoft Intune settings:
| Check | Description |
| ----- | ----- |
| Deployment rings for Windows 10 or later | Verifies that Intune's deployment rings for Windows 10 or later policy doesn't target all users or all devices. Policies of this type shouldn't target any Windows Autopatch devices. For more information, see [Configure deployment rings for Windows 10 and later in Intune](/mem/intune/protect/windows-10-update-rings). |
-| Unlicensed admin | Verifies that this setting is enabled to avoid a "lack of permissions" error when we interact with your Azure Active Directory (AD) organization. For more information, see [Unlicensed admins in Microsoft Intune](/mem/intune/fundamentals/unlicensed-admins). |
### Azure Active Directory settings
From cd0e07b04672a24808d75cda3b4e077560062718 Mon Sep 17 00:00:00 2001
From: Vinay Pamnani <37223378+vinaypamnani-msft@users.noreply.github.com>
Date: Fri, 28 Apr 2023 12:03:58 -0400
Subject: [PATCH 3/6] Add LDAP server channel binding token requirements
---
.../security-policy-settings/TOC.yml | 20 +++--
...rver-channel-binding-token-requirements.md | 90 +++++++++++++++++++
2 files changed, 101 insertions(+), 9 deletions(-)
create mode 100644 windows/security/threat-protection/security-policy-settings/domain-controller-ldap-server-channel-binding-token-requirements.md
diff --git a/windows/security/threat-protection/security-policy-settings/TOC.yml b/windows/security/threat-protection/security-policy-settings/TOC.yml
index 1e4b1fa586..df9030461f 100644
--- a/windows/security/threat-protection/security-policy-settings/TOC.yml
+++ b/windows/security/threat-protection/security-policy-settings/TOC.yml
@@ -1,22 +1,22 @@
- name: Security policy settings
href: security-policy-settings.md
- items:
+ items:
- name: Administer security policy settings
href: administer-security-policy-settings.md
- items:
+ items:
- name: Network List Manager policies
href: network-list-manager-policies.md
- name: Configure security policy settings
href: how-to-configure-security-policy-settings.md
- name: Security policy settings reference
href: security-policy-settings-reference.md
- items:
+ items:
- name: Account Policies
href: account-policies.md
- items:
+ items:
- name: Password Policy
href: password-policy.md
- items:
+ items:
- name: Enforce password history
href: enforce-password-history.md
- name: Maximum password age
@@ -31,7 +31,7 @@
href: store-passwords-using-reversible-encryption.md
- name: Account Lockout Policy
href: account-lockout-policy.md
- items:
+ items:
- name: Account lockout duration
href: account-lockout-duration.md
- name: Account lockout threshold
@@ -40,7 +40,7 @@
href: reset-account-lockout-counter-after.md
- name: Kerberos Policy
href: kerberos-policy.md
- items:
+ items:
- name: Enforce user logon restrictions
href: enforce-user-logon-restrictions.md
- name: Maximum lifetime for service ticket
@@ -55,7 +55,7 @@
href: audit-policy.md
- name: Security Options
href: security-options.md
- items:
+ items:
- name: "Accounts: Administrator account status"
href: accounts-administrator-account-status.md
- name: "Accounts: Block Microsoft accounts"
@@ -92,6 +92,8 @@
href: devices-restrict-floppy-access-to-locally-logged-on-user-only.md
- name: "Domain controller: Allow server operators to schedule tasks"
href: domain-controller-allow-server-operators-to-schedule-tasks.md
+ - name: "Domain controller: LDAP server channel binding token requirements"
+ href: domain-controller-ldap-server-channel-binding-token-requirements.md
- name: "Domain controller: LDAP server signing requirements"
href: domain-controller-ldap-server-signing-requirements.md
- name: "Domain controller: Refuse machine account password changes"
@@ -250,7 +252,7 @@
href: secpol-advanced-security-audit-policy-settings.md
- name: User Rights Assignment
href: user-rights-assignment.md
- items:
+ items:
- name: Access Credential Manager as a trusted caller
href: access-credential-manager-as-a-trusted-caller.md
- name: Access this computer from the network
diff --git a/windows/security/threat-protection/security-policy-settings/domain-controller-ldap-server-channel-binding-token-requirements.md b/windows/security/threat-protection/security-policy-settings/domain-controller-ldap-server-channel-binding-token-requirements.md
new file mode 100644
index 0000000000..f76a21b998
--- /dev/null
+++ b/windows/security/threat-protection/security-policy-settings/domain-controller-ldap-server-channel-binding-token-requirements.md
@@ -0,0 +1,90 @@
+---
+title: Domain controller LDAP server channel binding token requirements
+description: Describes the best practices, location, values, and security considerations for the Domain controller LDAP server channel binding token requirements security policy setting.
+ms.reviewer:
+ms.author: waynmc
+ms.prod: windows-client
+ms.localizationpriority: medium
+author: waynmc-msft
+manager: rizhang
+ms.topic: conceptual
+ms.date: 04/26/2023
+ms.technology: itpro-security
+---
+
+# Domain controller: LDAP server channel binding token requirements
+
+**Applies to**:
+
+- Windows Server
+
+This article describes the best practices, location, values, and security considerations for the **Domain controller: LDAP server channel binding token requirements** security policy setting.
+
+## Reference
+
+This policy setting determines whether the Lightweight Directory Access Protocol (LDAP) server requires LDAP clients to negotiate channel bindings (EPA).
+
+Unsigned/Unprotected network traffic is susceptible to man-in-the-middle attacks, where an intruder captures packets between the server and the client device and modifies them before forwarding them to the client device. In the example of an LDAP server, a malicious user can cause a client device to make decisions based on false records from the LDAP directory. You can lower this risk in a corporate network by implementing strong physical security measures to protect the network infrastructure. Furthermore, implementing Internet Protocol security (IPsec) Authentication Header mode, which provides mutual authentication and packet integrity for IP traffic, can make all types of man-in-the-middle attacks difficult.
+
+- If channel binding is set to Always, LDAP clients who don't support channel bindings will be rejected.
+- If channel binding is set to when supported, only incorrect channel bindings will be blocked, and clients who don't support channel binding can continue to connect via LDAP over TLS.
+
+CBT or EPA is used with TLS sessions when a SASL authentication method is used to authenticate the user. SASL means you use NTLM or Kerberos for user authentication. Ldap Simple Bind over TLS doesn't offer channel binding token protection and is therefore not recommended.
+
+### Possible values
+
+- Never: No channel binding validation is performed. This is the behavior of all servers that haven't been updated.
+- When Supported: Clients that advertise support for Channel Binding Tokens must provide the correct token when authenticating over TLS/SSL connections; clients that don't advertise such support and/or don't use TLS/SSL connections aren't impacted. This is an intermediate option that allows for application compatibility.
+- Always: All clients must provide channel binding information over LDAPS. The server rejects LDAPS authentication requests from clients that don't do so.
+
+### Best practices
+
+We recommend that you set **Domain controller: LDAP server channel binding token requirements** to **Always**. Clients that don't support LDAP channel binding will be unable to execute LDAP queries against the domain controllers.
+
+### Location
+
+Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options
+
+### Default values
+
+The following table lists the actual and effective default values for this policy. Default values are also listed on the policy's property page.
+
+| Server type or GPO | Default value |
+|--------------------------------------------|---------------|
+| Default Domain Policy | Not defined |
+| Default Domain Controller Policy | Not defined |
+| Stand-Alone Server Default Settings | Not defined |
+| DC Effective Default Settings | None |
+| Member Server Effective Default Settings | None |
+| Client Computer Effective Default Settings | None |
+
+## Policy management
+
+This section describes features and tools that are available to help you manage this policy.
+
+### Restart requirement
+
+None. Changes to this policy become effective without a device restart when they're saved locally or distributed through Group Policy.
+
+## Security considerations
+
+This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation.
+
+### Vulnerability
+
+Unsigned/Unprotected network traffic is susceptible to man-in-the-middle attacks. In such attacks, an intruder captures packets between the server and the client device, modifies them, and then forwards them to the client device. Regarding LDAP servers, an attacker could cause a client device to make decisions that are based on false records from the LDAP directory. To lower the risk of such an intrusion in an organization's network, you can implement strong physical security measures to protect the network infrastructure. You could also implement Internet Protocol security (IPsec) Authentication Header mode, which performs mutual authentication and packet integrity for IP traffic to make all types of man-in-the-middle attacks difficult.
+
+### Countermeasure
+
+Configure the **Domain controller: LDAP server channel binding token requirements** setting to **Always**.
+
+### Potential impact
+
+Client devices that don't support LDAP channel binding can't run LDAP queries against the domain controllers.
+
+## Related articles
+
+- [Security Options](security-options.md)
+- [LDAP session security settings and requirements after ADV190023 is installed](/troubleshoot/windows-server/identity/ldap-session-security-settings-requirements-adv190023)
+- [2020 LDAP channel binding and LDAP signing requirements for Windows (KB4520412)](https://support.microsoft.com/topic/2020-ldap-channel-binding-and-ldap-signing-requirements-for-windows-kb4520412-ef185fb8-00f7-167d-744c-f299a66fc00a)
+- [KB4034879: Use the LdapEnforceChannelBinding registry entry to make LDAP authentication over SSL/TLS more secure](https://support.microsoft.com/topic/kb4034879-use-the-ldapenforcechannelbinding-registry-entry-to-make-ldap-authentication-over-ssl-tls-more-secure-e9ecfa27-5e57-8519-6ba3-d2c06b21812e)
From aafa955ae41aa5ff01d145aaea42f9b1d2af9b0f Mon Sep 17 00:00:00 2001
From: Vinay Pamnani <37223378+vinaypamnani-msft@users.noreply.github.com>
Date: Fri, 28 Apr 2023 12:09:59 -0400
Subject: [PATCH 4/6] update metadata
---
...roller-ldap-server-channel-binding-token-requirements.md | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/windows/security/threat-protection/security-policy-settings/domain-controller-ldap-server-channel-binding-token-requirements.md b/windows/security/threat-protection/security-policy-settings/domain-controller-ldap-server-channel-binding-token-requirements.md
index f76a21b998..8328477019 100644
--- a/windows/security/threat-protection/security-policy-settings/domain-controller-ldap-server-channel-binding-token-requirements.md
+++ b/windows/security/threat-protection/security-policy-settings/domain-controller-ldap-server-channel-binding-token-requirements.md
@@ -1,12 +1,12 @@
---
title: Domain controller LDAP server channel binding token requirements
description: Describes the best practices, location, values, and security considerations for the Domain controller LDAP server channel binding token requirements security policy setting.
-ms.reviewer:
+ms.reviewer: waynmc
ms.author: waynmc
ms.prod: windows-client
ms.localizationpriority: medium
-author: waynmc-msft
-manager: rizhang
+author: vinaypamnani-msft
+manager: aaroncz
ms.topic: conceptual
ms.date: 04/26/2023
ms.technology: itpro-security
From 28ae62ccd6e65ab34ded23138f3fc90d2a94bbbc Mon Sep 17 00:00:00 2001
From: Angela Fleischmann