Thursday, 27 February 2020

What is ADV190023 and how does it affect NetApp CIFS Configuration?

ADV190023 is Microsoft's advisory about two LDAP security settings on Active Directory domain controllers (LDAP channel binding and LDAP signing) that Microsoft announced would be changed by a Windows update, originally scheduled for March 2020.

As per this post:


If we don't want to wait for the March 2020 update:

1) Set LdapEnforceChannelBinding = 1 on the DCs (this requires the security update for CVE-2017-8563, which introduced the registry value, to be installed)
2) Enable LDAP signing:
DCs = policy "Domain controller: LDAP server signing requirements" = Require signing
Servers/Clients = policy "Network security: LDAP client signing requirements" = Require signing
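Before flipping the DC policy to Require signing it is worth knowing what the DCs are set to now and which clients would break. The script below is an added example (not code from the original post, NetApp or Microsoft): it reads the two ADV190023 registry values on a domain controller and summarises the clients that the Directory Service log (event 2889) shows binding without signing. It assumes the DC already has the CVE-2017-8563 update (so LdapEnforceChannelBinding is honoured) and that the event 2889 message text carries the "Client IP address:" and "authenticate as:" lines as it does on Server 2012 R2 to 2019; the registry paths and event ID are Microsoft's documented ones.

```powershell
# Added example (not code from the original post, NetApp or Microsoft): a read-only
# pre-flight check for the two ADV190023 settings on a domain controller, plus a
# summary of the clients that still bind without signing and would therefore
# break once "Require signing" is set. Run in an elevated prompt on the DC.
# Assumptions: the DC has the CVE-2017-8563 update (which introduced
# LdapEnforceChannelBinding), and the event 2889 message text carries the
# "Client IP address:" and "authenticate as:" lines as on Server 2012 R2 - 2019.
[CmdletBinding()]
param(
    [int]$HoursBack = 24,          # how far back to read the Directory Service log
    [switch]$EnableBindAuditing    # turn on per-client logging (event 2889) if not already on
)

$ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$diag = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'

function Get-RegDword([string]$Path, [string]$Name) {
    # Returns $null when the value is absent, i.e. the Windows default applies.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function Describe-ChannelBinding($v) {
    # LdapEnforceChannelBinding: 0 = disabled, 1 = enabled when supported, 2 = always
    if ($null -eq $v -or $v -eq 0) { return 'disabled (0, the pre-update default)' }
    if ($v -eq 1) { return 'enabled when supported (1): clients without CBT are still accepted' }
    if ($v -eq 2) { return 'always (2): clients without CBT are rejected' }
    return "unexpected value $v"
}

function Describe-ServerIntegrity($v) {
    # LDAPServerIntegrity: 1 = None (default), 2 = Require signing
    if ($null -eq $v -or $v -eq 1) { return 'none (1): unsigned binds accepted, events 2886/2887 only warn' }
    if ($v -eq 2) { return 'require signing (2): unsigned SASL binds and cleartext simple binds rejected' }
    return "unexpected value $v"
}

[pscustomobject]@{
    DomainController          = $env:COMPUTERNAME
    LdapEnforceChannelBinding = Describe-ChannelBinding (Get-RegDword $ntds 'LdapEnforceChannelBinding')
    LDAPServerIntegrity       = Describe-ServerIntegrity (Get-RegDword $ntds 'LDAPServerIntegrity')
    LdapInterfaceEventLevel   = Get-RegDword $diag '16 LDAP Interface Events'
} | Format-List

if ($EnableBindAuditing) {
    # Level 2 makes the DC write event 2889 for every unsigned SASL bind or
    # cleartext simple bind, naming the client; level 0 is the default.
    Set-ItemProperty -Path $diag -Name '16 LDAP Interface Events' -Value 2 -Type DWord
    Write-Host 'LDAP interface event logging set to 2; re-run after a day to see event 2889 per client.'
}

# Who would break: one row per client address and identity seen in event 2889.
$since  = (Get-Date).AddHours(-$HoursBack)
$filter = @{ LogName = 'Directory Service'; Id = 2889; StartTime = $since }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    $ip = if ($e.Message -match 'Client IP address:\s*(\S+)') { $Matches[1] } else { '?' }
    $id = if ($e.Message -match 'authenticate as:\s*([^\r\n]+)') { $Matches[1].Trim() } else { '?' }
    [pscustomobject]@{ Client = $ip; Identity = $id }
}

if (-not $rows) {
    Write-Host "No event 2889 entries in the last $HoursBack hours (either nothing binds unsigned, or logging is off)."
} else {
    # A NetApp SVM still at -session-security-for-ad-ldap none shows up here as its
    # LIF address and its machine account (e.g. DOMAIN\SVMNAME$).
    $rows | Group-Object Client, Identity | Sort-Object Count -Descending |
        Select-Object Count, @{ n = 'Client';   e = { $_.Group[0].Client } },
                             @{ n = 'Identity'; e = { $_.Group[0].Identity } } |
        Format-Table -AutoSize
}
```

The script only reports; in a domain the signing policy itself should still be set through Group Policy on the domain controllers rather than by editing LDAPServerIntegrity by hand. Run it with -EnableBindAuditing once, wait a day, and run it again: any SVM listed in the table is one that still needs the cifs security modify change described further down.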


Question: How does this affect the standard NetApp CIFS configuration?

The answer is not much.

1) What LdapEnforceChannelBinding = 1 means is best described by this post:


- DWORD value: 0 indicates disabled. No channel binding validation is performed. This is the behavior of all servers that have not been updated.
- DWORD value: 1 indicates enabled, when supported. All clients that are running on a version of Windows that has been updated to support channel binding tokens (CBT) must provide channel binding information to the server. Clients that are running a version of Windows that has not been updated to support CBT do not have to do so. This is an intermediate option that allows for application compatibility.
- DWORD value: 2 indicates enabled, always. All clients must provide channel binding information. The server rejects authentication requests from clients that do not do so.


ONTAP (as of this writing) does not support LDAP channel binding - see:
- so, nothing to do here: with the value set to 1 ("enabled, when supported"), clients that do not send a channel binding token are still accepted. Two caveats: channel binding only applies to LDAP over TLS (LDAPS or StartTLS), so it has no bearing on a signed, non-TLS AD LDAP connection in any case; and if the DCs are later set to 2 ("enabled, always"), a client that cannot send the token would have its SASL binds over LDAPS rejected.

2) LDAP server signing (DCs = policy "Domain controller: LDAP server signing requirements" = Require signing)
All that's required is:


cifs security modify -vserver SVMNAME -session-security-for-ad-ldap sign


AD LDAP connectivity from the SVM will now use LDAP signing (SASL integrity); no other changes are required. The setting can be checked with:


cifs security show -vserver SVMNAME -fields session-security-for-ad-ldap


The parameter also accepts seal, which adds encryption on top of signing. An SVM that already uses LDAPS (-use-ldaps-for-ad-ldap true, see below) satisfies Require signing as well, because the DC does not demand LDAP signing on a TLS-protected connection.

Image: Enabling Client Session Security

Further Reading

Questions about NetApp impact related to released LDAP signing and channel binding security advisories published by Microsoft:

NetApp customer facing KB:

Related Microsoft URLs:

Also see:
“What about ONTAP and LDAPS?
How do we do (configure) it?
- Change the port in the ldap config to port 636.
- Make sure -use-start-tls is turned to false
- And the enterprise root cert is installed into ONTAP.”

NetApp CIFS Server and LDAPS for Active Directory with port 636

When you set -use-ldaps-for-ad-ldap true - for example:


cluster1::> cifs security modify -vserver SVM1 -use-ldaps-for-ad-ldap true


- it sets the AD LDAP connection to use LDAPS on port 636, as the man page describes:


[-use-ldaps-for-ad-ldap {true|false}] - Use LDAPS for Secure Active Directory LDAP Connections
This parameter specifies whether to use LDAPS over AD LDAP connections. When enabled, the communication between the Data ONTAP LDAP Client and the LDAP Server will be encrypted using LDAPS and port 636 will be used. LDAPS is a mechanism to provide secure communication by using the TLS/SSL protocols and port 636. If you do not specify this parameter, the default is false.
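To confirm from the client side which bind styles a DC still accepts once Require signing is in force (the same question an SVM set to sign or to LDAPS is asking), here is an added example that is not code from the original post or from NetApp. It uses System.DirectoryServices.Protocols to attempt four binds against a DC: a cleartext simple bind, an unsigned SASL bind, a signed SASL bind (what -session-security-for-ad-ldap sign requests) and an LDAPS bind on 636 (what -use-ldaps-for-ad-ldap true does). It assumes a reachable DC name in $Dc, a domain account in $Cred, and that the DC's LDAPS certificate chains to a CA this machine trusts; otherwise the 636 case fails on TLS rather than on the signing policy.

```powershell
# Added example (not code from the original post or NetApp): probe a DC the way an
# LDAP client would, to see which bind styles it still accepts once the
# "Require signing" policy is in force. The cases map onto the ONTAP choices in
# this post: -session-security-for-ad-ldap sign (signed SASL bind on 389) and
# -use-ldaps-for-ad-ldap true (LDAPS on 636).
# Assumptions: $Dc is reachable on 389 and 636, $Cred is a domain account, and the
# DC's LDAPS certificate chains to a CA this machine trusts (otherwise the 636
# case fails on TLS, not on the signing policy).
[CmdletBinding()]
param(
    [Parameter(Mandatory)][string]$Dc,
    [Parameter(Mandatory)][pscredential]$Cred
)
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Test-LdapBind {
    param(
        [string]$Label,
        [int]$Port,
        [string]$AuthType,   # Basic (simple bind) or Negotiate (SASL: Kerberos/NTLM)
        [bool]$Sign,
        [bool]$Tls
    )
    $id   = [System.DirectoryServices.Protocols.LdapDirectoryIdentifier]::new($Dc, $Port)
    $conn = [System.DirectoryServices.Protocols.LdapConnection]::new($id)
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]$AuthType
    $conn.SessionOptions.ProtocolVersion   = 3
    $conn.SessionOptions.Signing           = $Sign   # SASL integrity (what ONTAP "sign" requests)
    $conn.SessionOptions.SecureSocketLayer = $Tls    # LDAPS: TLS from the first byte, port 636
    try {
        $conn.Bind($Cred.GetNetworkCredential())
        $result = 'accepted'
    } catch {
        # .NET exceptions arrive wrapped in a MethodInvocationException; unwrap them.
        $ex = $_.Exception
        if ($ex.InnerException) { $ex = $ex.InnerException }
        if ($ex -is [System.DirectoryServices.Protocols.LdapException]) {
            # Result code 8 = strongerAuthRequired: the DC enforces signing and this
            # bind offered neither signing nor TLS.
            $result = "rejected, LDAP result $($ex.ErrorCode): $($ex.Message)"
        } else {
            $result = "failed before bind: $($ex.Message)"   # e.g. TLS handshake or DNS
        }
    } finally {
        $conn.Dispose()
    }
    [pscustomobject]@{ Test = $Label; Port = $Port; Auth = $AuthType; Signing = $Sign; TLS = $Tls; Result = $result }
}

# Expected with "Require signing" on the DC: the cleartext simple bind rejected
# (result 8), the signed SASL bind and the LDAPS bind accepted. Whether the second
# row is really unsigned depends on this machine's own "LDAP client signing
# requirements" policy (Negotiate signing by default), so treat the cleartext
# simple bind as the authoritative negative test.
@(
    Test-LdapBind -Label 'simple bind, cleartext'             -Port 389 -AuthType Basic     -Sign $false -Tls $false
    Test-LdapBind -Label 'SASL bind, signing not requested'   -Port 389 -AuthType Negotiate -Sign $false -Tls $false
    Test-LdapBind -Label 'SASL bind, signed (ONTAP sign)'      -Port 389 -AuthType Negotiate -Sign $true  -Tls $false
    Test-LdapBind -Label 'LDAPS (ONTAP -use-ldaps-for-ad-ldap)' -Port 636 -AuthType Negotiate -Sign $false -Tls $true
) | Format-Table -AutoSize
```

If the LDAPS row fails before the bind, fix the certificate trust first (the same root or issuing CA certificate has to be installed in ONTAP before -use-ldaps-for-ad-ldap true will work, as the quoted note above says); only once that row is accepted is the 636 path a valid alternative to signing for the SVM.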

