Please share the following information with your teams.
Microsoft has acknowledged a known vulnerability which could allow a man-in-the-middle attacker to successfully forward an authentication request to a Microsoft domain controller that has not been configured to require channel binding, signing, or sealing on incoming connections.
UIT teams will follow recommendations from Microsoft to close this vulnerability by enforcing LDAPS for communications with the central Active Directory domain controllers.
We are advising our Faculty IT partners that we plan to complete this change on December 24th at 9:00am.
This change will impact services that are currently configured to communicate via the unsecure LDAP protocol with the central Active Directory domain controllers.
Domain-joined servers and workstations will not be impacted by this change and will continue to authenticate over secure protocols. Note, however, that we are not in a position to offer service and support for OS platforms that have gone end of life, e.g. Windows XP, Windows 7, Server 2008, etc. For additional information on EOL systems that are at risk, please go to Microsoft Lifecycle Policy | Microsoft Docs.
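The following PowerShell is an added example to help teams prepare for the cutover; it is not part of the UIT notice and not a Microsoft-provided script. It assumes a placeholder domain controller name (`dc01.example.edu`), that the first function is run from the server hosting the service in question, and that the second and third functions are run on a domain controller with the "16 LDAP Interface Events" diagnostic level raised so that event 2889 is logged. Services that fail the LDAPS check, or that appear in the 2889 report, are the ones that will stop working when plain LDAP is no longer accepted.

```powershell
# Added example (not from the UIT notice): pre-cutover checks for the LDAPS change.
# 'dc01.example.edu' is a placeholder; substitute a real domain controller.

# 1. From the server that hosts your service: confirm the DC answers on TCP 636
#    and presents a certificate this host trusts. This mirrors what an
#    application bind over ldaps:// will do, so a failure here means the
#    service will break once plain LDAP is refused.
function Test-LdapsEndpoint {
    param(
        [Parameter(Mandatory)][string]$Server,
        [int]$Port = 636
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($Server, $Port)
        # The default validation callback checks the chain against the local
        # machine trust store, exactly as a client library would.
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
        $ssl.AuthenticateAsClient($Server)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        [pscustomobject]@{
            Server      = $Server
            Reachable   = $true
            TlsProtocol = $ssl.SslProtocol
            Subject     = $cert.Subject
            NotAfter    = $cert.NotAfter
            Error       = $null
        }
    } catch {
        [pscustomobject]@{
            Server = $Server; Reachable = $false; TlsProtocol = $null
            Subject = $null; NotAfter = $null; Error = $_.Exception.Message
        }
    } finally {
        $client.Dispose()
    }
}

# 2. On a domain controller: list clients that still bind without signing or
#    perform simple binds in clear text. The DC records these as event 2889 in
#    the Directory Service log once '16 LDAP Interface Events' is set to 2
#    under HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics.
function Get-UnsignedLdapClients {
    param([int]$Hours = 24)
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Directory Service'
        Id        = 2889
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue

    $rows = foreach ($e in $events) {
        $msg = $e.Message
        # Fields are pulled from the message text; binding type 0 is a SASL
        # bind without signing, 1 is a simple bind over clear text.
        $ip   = if ($msg -match 'Client IP address:\s*(\S+)') { ($Matches[1] -split ':')[0] } else { 'unknown' }
        $id   = if ($msg -match 'authenticate as:\s*(.+)')   { $Matches[1].Trim() }           else { 'unknown' }
        $type = if ($msg -match 'Binding Type:\s*(\d)')      { [int]$Matches[1] }             else { -1 }
        [pscustomobject]@{ Time = $e.TimeCreated; ClientIP = $ip; Identity = $id; BindingType = $type }
    }
    # One line per client/identity pair, busiest first, so owners can be contacted.
    $rows | Group-Object ClientIP, Identity | Sort-Object Count -Descending |
        Select-Object Count, Name
}

# 3. On a domain controller: show the current enforcement values so the change
#    can be confirmed after the maintenance window (2 = required).
function Get-LdapSigningPolicy {
    $p = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    [pscustomobject]@{
        LDAPServerIntegrity       = $p.LDAPServerIntegrity
        LdapEnforceChannelBinding = $p.LdapEnforceChannelBinding
    }
}

# Usage (placeholder host name):
Test-LdapsEndpoint -Server 'dc01.example.edu' | Format-List
Get-UnsignedLdapClients -Hours 168 | Format-Table -AutoSize
Get-LdapSigningPolicy
```

Run the first function from each server that talks to the central domain controllers and fix any certificate-trust or connectivity failure before December 24th; the 2889 report gives UIT a list of client addresses and service accounts to notify. A client that appears in that report after switching its configuration to ldaps:// still has a code path using plain LDAP.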