Extended Protection for LDAP Authentication (Domain Controllers only)
Configures the LdapEnforceChannelBinding registry value to increase protection against "man-in-the-middle" attack.
For more information, see https://support.microsoft.com/help/4034879 . Some important points:
* Before configuring this setting to "Enabled, always," all clients must have installed the security update described in CVE-2017-8563 (https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-8563).
* See additional support requirements for Windows Server 2008 in linked pages.
Supported on: Windows Server 2008 and newer
| Registry Hive | HKEY_LOCAL_MACHINE |
| Registry Path | System\CurrentControlSet\Services\NTDS\Parameters |
| Value Name | LdapEnforceChannelBinding |
| Value Type | REG_DWORD |
| Enabled Value | 1 |
| Disabled Value | 0 |
Configure LdapEnforceChannelBinding
- Enabled, always (recommended)
Registry Hive HKEY_LOCAL_MACHINE Registry Path System\CurrentControlSet\Services\NTDS\Parameters Value Name LdapEnforceChannelBinding Value Type REG_DWORD Value 2 - Enabled, when supported
Registry Hive HKEY_LOCAL_MACHINE Registry Path System\CurrentControlSet\Services\NTDS\Parameters Value Name LdapEnforceChannelBinding Value Type REG_DWORD Value 1 - Disabled
Registry Hive HKEY_LOCAL_MACHINE Registry Path System\CurrentControlSet\Services\NTDS\Parameters Value Name LdapEnforceChannelBinding Value Type REG_DWORD Value 0
secguide.admx
- LAPS
- MSS (Legacy)
- MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)
- MSS: (AutoReboot) Allow Windows to automatically restart after a system crash (recommended except for highly secure environments)
- MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)
- MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)
- MSS: (DisableSavePassword) Prevent the dial-up passsword from being saved (recommended)
- MSS: (EnableDeadGWDetect) Allow automatic detection of dead network gateways (could lead to DoS)
- MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes
- MSS: (Hidden) Hide Computer From the Browse List (not recommended except for highly secure environments)
- MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds
- MSS: (NoDefaultExempt) Configure IPSec exemptions for various types of network traffic.
- MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers
- MSS: (NtfsDisable8dot3NameCreation) Enable the computer to stop generating 8.3 style filenames
- MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)
- MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)
- MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)
- MSS: (SynAttackProtect) Syn attack protection level (protects against DoS)
- MSS: (TcpMaxConnectResponseRetransmissions) SYN-ACK retransmissions when a connection request is not acknowledged
- MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted (3 recommended, 5 is default)
- MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted (3 recommended, 5 is default)
- MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning
- MS Security Guide
- Apply UAC restrictions to local accounts on network logons
- Block Flash activation in Office documents
- Configure SMB v1 client (extra setting needed for pre-Win8.1/2012R2)
- Configure SMB v1 client driver
- Configure SMB v1 server
- Enable Structured Exception Handling Overwrite Protection (SEHOP)
- Extended Protection for LDAP Authentication (Domain Controllers only)
- LSA Protection
- Lsass.exe audit mode
- Remove "Run As Different User" from context menus
- Turn on Windows Defender protection against Potentially Unwanted Applications (DEPRECATED)
- WDigest Authentication (disabling may require KB2871997)
- SCM: Pass the Hash Mitigations
- Wi-Fi Sense