[MacTUG] Urgent: Re: An interesting read....

Stephen Markan smarkan at connect.uwaterloo.ca
Thu Feb 13 12:28:45 EST 2020


Apparently Microsoft has now deferred the mandatory implementation of this so March is not the deadline.


However some testing is required as well. Apple says this is not a concern if things are done in the Apple recommended way. I for one am not certain what that may mean for us!

________________________________
From: Don Duff-McCracken
Sent: February 13, 2020 11:47:11 AM
To: Stephen Markan; Mactug
Subject: Urgent: Re: An interesting read....


Thanks for bringing this up!


Boy it sounds like there are quotation marks around the word 'Interesting', Stephen! Bernie Rutter mentioned this to me as it came up in WNAG. I am presuming if we do not solve this by March that all Macs that have been bound in the traditional manner will have a huge problem with authenticating to any AD domain which has had the updates applied (i.e. not just nexus).


There has not been any response to Stephen's email, so I will ask. Is anyone currently doing what seems to be the suggested option or trying it out?


I think this is a Code Red.


------------------------------------
Donald Duff-McCracken
Technical Services Manager
Mapping, Analysis & Design
Faculty of Environment
University of Waterloo
(519) 888-4567 x32151
https://uwaterloo.ca/environment-computing/about/people
------------------------------------
This email communication is intended as a private communication for the sole use of the primary addressee and those individuals listed for copies in the original message. The information contained in this email is private and confidential and If you are not an intended recipient you are hereby notified that copying, forwarding or other dissemination or distribution of this communication by any means is prohibited.  If you are not specifically authorized to receive this email and if you believe that you received it in error please notify the original sender immediately.
________________________________
From: mactug-bounces at lists.uwaterloo.ca <mactug-bounces at lists.uwaterloo.ca> on behalf of Stephen Markan <smarkan at uwaterloo.ca>
Sent: Friday, February 7, 2020 4:07:56 PM
To: Mactug
Subject: [MacTUG] An interesting read....


Below is a snippet from a conversation on the Windows-HIED mailing list:



According to Microsoft Security Advisory ADV190023<https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV190023> the March 2020 security update will enable LDAP channel binding and LDAP signing on Active Directory servers by default.  It is unclear from the documentation if this can be undone or postponed.  Following guidance in Identifying Clear Text LDAP binds to your DC's<https://docs.microsoft.com/en-us/archive/blogs/russellt/identifying-clear-text-ldap-binds-to-your-dcs> we have found that all of our domain-joined Macs are encrypting but not signing their connections to AD LDAP.  Testing so far has found that the only way to resolve this is to enforce SSL using the dsconfigad -packetencrypt ssl command along with importing the trusted root CA for our domain controllers.



Has anyone else looked at this and found alternative solutions?  According to the Apple support article Configure domain access in Directory Utility on Mac<https://support.apple.com/guide/directory-utility/configure-domain-access-diru11f4f748/mac> it should not be necessary to enforce SSL, but we have not found any alternative settings that work.



FYI we also have found and are investigating remediation for issues with various NetApp NAS devices and Linux machines which are behaving similarly.



Interested in how other organizations are approaching this or if this is even on your radar (it wasn't on ours until last week).



Regards,


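The thread above reports that Macs bound with the default Directory Utility settings encrypt but do not sign their LDAP binds, and that the only remediation found so far is `dsconfigad -packetencrypt ssl` plus trusting the domain controllers' root CA. As an added example (not part of any message in this thread, and not Apple's or Microsoft's code), the following POSIX shell function classifies a Mac's bind posture from the text of `dsconfigad -show`. The two sample outputs embedded in it are constructed to approximate the real command's layout; the field names "Packet signing" and "Packet encryption" are the ones `dsconfigad -show` prints, and the `-packetsign` / `-packetencrypt` options are documented in the `dsconfigad` man page. Which non-SSL combination the domain controllers will actually accept is, as the thread notes, unconfirmed, so the function only distinguishes "ssl" from "signing required" from the default "allow/allow" state.

```shell
#!/bin/sh
# Classify a Mac's Active Directory bind against the ADV190023 change
# (LDAP signing + channel binding enforced on the DC side).
#
# Usage on a bound Mac:   dsconfigad -show | sh check_ad_ldap.sh
# Output is one word:
#   ssl       - LDAP over TLS (the remediation the thread found to work)
#   signed    - client set to require packet signing on LDAP/389;
#               confirm against the DC's Directory Service event log
#   at-risk   - default allow/allow: encrypted but unsigned per the thread
#   unbound   - no Packet signing/encryption fields found at all

# Extract the value after "=" for a given label; trims whitespace.
_ad_field() {
    printf '%s\n' "$2" | awk -F'=' -v key="$1" \
        'index($1, key) { gsub(/[ \t]/, "", $2); print $2; exit }'
}

# $1 = full text of `dsconfigad -show`
ad_ldap_posture() {
    sign=$(_ad_field "Packet signing" "$1")
    enc=$(_ad_field "Packet encryption" "$1")
    if [ -z "$sign" ] && [ -z "$enc" ]; then
        echo unbound
        return
    fi
    case "$enc" in
        ssl)     echo ssl ;;
        *)       case "$sign" in
                     require) echo signed ;;
                     *)       echo at-risk ;;
                 esac ;;
    esac
}

# Remediation command the thread reports as working (printed, not run).
ad_ldap_remediation() {
    case "$(ad_ldap_posture "$1")" in
        ssl) echo "no change needed" ;;
        *)   echo "sudo dsconfigad -packetencrypt ssl   # plus import the DC root CA" ;;
    esac
}

# Constructed sample outputs (approximate layout of `dsconfigad -show`).
SAMPLE_DEFAULT=$(cat <<'EOF'
Active Directory Forest          = example.edu
Active Directory Domain          = example.edu
Computer Account                 = mac-lab01$

Advanced Options - Administrative
  Packet signing                  = allow
  Packet encryption               = allow
  Password change interval        = 14
EOF
)

SAMPLE_SSL=$(cat <<'EOF'
Active Directory Forest          = example.edu
Active Directory Domain          = example.edu
Computer Account                 = mac-lab02$

Advanced Options - Administrative
  Packet signing                  = allow
  Packet encryption               = ssl
  Password change interval        = 14
EOF
)

# When run as a script, read dsconfigad output from stdin.
if [ "${0##*/}" = "check_ad_ldap.sh" ]; then
    input=$(cat)
    ad_ldap_posture "$input"
    ad_ldap_remediation "$input"
fi
```

Running it against a fleet is a matter of collecting `dsconfigad -show` from each Mac (for example through an MDM script) and counting the "at-risk" results; any Mac in that state is one the thread expects to stop authenticating once the domain controllers enforce signing.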