On Tuesday November 8, 2011 Microsoft released a Security Bulletin addressing an issue with Active Directory.

The problem is the LDAP over SSL (aka LDAPS) implementation in Active Directory, Active Directory Application Mode (ADAM), and Active Directory Lightweight Directory Service (AD LDS) does not examine Certificate Revocation Lists (CRLs). This allows remote authenticated users to bypass intended certificate restrictions and access Active Directory resources by leveraging a revoked X.509 certificate for a domain account.

By default, LDAP over SSL is not used in Windows Server. To make it work you will need to have your Domain Controllers enrolled for a special certificate (with Server Authentication OID: 1.3.6.1.5.5.7.3.1) from a trusted Certificate Authority. This reduces the impact of this vulnerability significantly.

However, you might have enabled it to allow some (poorly written) application(s) or user(s) to access authentication information (using LDAP) in a secure way (using SSL encryption) or to get rid of Event ID 1220 on your Domain Controller(s).

Guidance

This update is currently applicable to Windows XP, Windows Server 2003, Windows Server 2003 R2, Windows Vista, Windows Server 2008, Windows 7 and Windows Server 2008 R2.

If you’ve enabled LDAP over SSL you are urged to test and implement the update corresponding to the Security Bulletin.

If the application, user or functionality requiring LDAP (over SSL) is no longer of vital importance in your environment, disabling LDAP (over SSL) is a known work-around.

More information

Microsoft Security Bulletin MS11-086 – Important – Vulnerability in Active Directory Could Allow Elevation of Privilege (2630837)  
MS11-086: Vulnerability in Active Directory could allow elevation of privilege: November 8, 2011