Securely Connecting to Active Directory

In an effort to increase the security of the UNL network and of user credentials, UNL will change the required communication protocols for Active Directory and deprecate NTLMv1 and unencrypted plain-text LDAP.

The ITS Security Team and Systems teams will contact server administrators who have used the insecure protocols and work with them to remediate. See the following presentation for more information on the NTLM vulnerabilities.

Common Remediation Techniques

NTLMv1 Remediation

  • Linux hosts mounting Windows file shares: switch from SMB to CIFS and set the proper security option,
    sec=ntlmv2 or sec=ntlmv2i
    More information is available in the Samba docs
  • Windows Machines Joined to AD
    • Server 2003
      1. Start, Administrative Tools, Local Security Policy
      2. Go to Local Policies/Security Options
      3. Set “Network security: LAN Manager authentication level” to Send NTLMv2 response only
    • XP
    • Newer versions of Windows are not affected
  • Canon Copier/Scanners
    The Canon imageRUNNER multifunction devices will no longer be able to save scanned documents to a network file share. Users will still be able to scan documents and send to an email address, and this is the recommended workflow for non-confidential data. Documents containing confidential data should not be scanned and sent via email. The recommended practice is to use a secure scanner attached to the computer where the confidential information is stored or use an alternative secure method. For examples of confidential data, see the data security guidelines.
    If you need to scan confidential data to a network share, please contact your local departmental IT support personnel, or Dave Hadenfeldt in Print, Copy, & Mail & Distribution Services, for alternative devices that meet the newer security requirements.
  • Fujitsu iScanner
    1. Select the [System Settings] tab on the top menu.
    2. Select the [LAN Manager authentication level] tab on the left side menu. The "LAN Manager authentication level" screen appears.
    3. Enter a number from 3 to 5 for the LAN Manager authentication level.
    4. Press the [OK] button.
    More information about the Fujitsu iScanner devices
  • Mac OS X, versions 10.5 and above
    • 10.9 uses Kerberos
    • Other versions can force NTLMv2 by placing the following in /etc/samba.conf:
      [default]
      minauth=ntlmv2

Unencrypted LDAP Remediation

The LDAP protocol uses two possible ports, 389 and 636. Encrypted LDAP communication uses port 636. How each device, system or application is configured to communicate over SSL/TLS varies with the software. Here are some recommendations for configuring your software to communicate securely.

  • Mac OS 10.9 and 10.10 use Kerberos by default and should not need to be updated.
  • Older versions of Mac OS X may need to be configured to communicate securely.
    To require signed connections, issue the following command:
    /usr/sbin/dsconfigad -packetencrypt ssl
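As an added example (not part of the UNL notice), here is a small Python audit of the kind of log review the ITS Security and Systems teams describe above: it picks NTLMv1 logons out of Windows 4624 logon events and cleartext or unsigned LDAP binds out of domain-controller 2889 events, so the hosts still using the deprecated protocols can be listed for remediation. The event text, account names and addresses are constructed for the example.

```python
# Constructed sample events in the key: value layout of an exported Windows event
# log: two 4624 logons and one 2889 LDAP bind notice (all values made up).
SAMPLE_EVENTS = """\
EventID: 4624
Account Name: jdoe
Workstation Name: LAB-PC01
Source Network Address: 10.0.0.25
Package Name (NTLM only): NTLM V1

EventID: 4624
Account Name: asmith
Workstation Name: LAB-PC02
Source Network Address: 10.0.0.26
Package Name (NTLM only): NTLM V2

EventID: 2889
Client IP address: 10.0.0.40:51234
Identity the client attempted to authenticate as: UNL\\svc-copier
Binding Type: 0
"""

def parse_events(text):
    """Split the export into events, each a dict of its 'key: value' lines."""
    events = []
    for block in text.strip().split("\n\n"):
        pairs = (line.partition(":") for line in block.splitlines())
        events.append({k.strip(): v.strip() for k, _, v in pairs})
    return events

def find_ntlmv1_logons(events):
    """(account, workstation, source address) for every NTLMv1 network logon."""
    return [(e["Account Name"], e["Workstation Name"], e["Source Network Address"])
            for e in events
            if e.get("EventID") == "4624" and e.get("Package Name (NTLM only)") == "NTLM V1"]

def find_cleartext_ldap_binds(events):
    """(identity, client host, kind) per 2889 event (a DC logs 2889 only with its
    '16 LDAP Interface Events' diagnostic level >= 2); Binding Type 0 = simple bind."""
    hits = []
    for e in events:
        if e.get("EventID") != "2889":
            continue
        host = e["Client IP address"].rsplit(":", 1)[0]  # drop the client port
        kind = "simple bind" if e.get("Binding Type") == "0" else "unsigned SASL bind"
        hits.append((e["Identity the client attempted to authenticate as"], host, kind))
    return hits
```

Run over a real export, the two result lists give the per-host list of NTLMv1 clients and cleartext LDAP clients that still need one of the fixes above.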