Hello, welcome to the Friday, February 14th, 2020 edition of the Sansonet Storms and a Stormcast.

My name is Johannes Ulrich.

And then I'm recording from Jacksonville, Florida.

When it comes to network traffic these days, most of it, of course, is encrypted and the big leader here tends to be HTTP, harder to actually find a website these days that does not support HTTP.

But aside from HTTP, there are a number of other protocols that could benefit from TLS, and one of these protocols is LDAB.

So mid-last year, Microsoft did publish some guidance

where they recommended that you should use L-DabS,

essentially L-DAP over TLS or L-DAP signing,

and another L-DAP feature referred to as channel binding.

And of course, given that Microsoft an active directory does rely on LDAP,

this is a substantial improvement in security and does prevent a number of real attacks.

So Microsoft was going to go ahead and make LDAB as the default behavior starting in March

with the March Patch Tuesday update.

But, well, deploying TLS, deploying it correctly isn't all that straightforward.

You first need certificates and all of that good stuff.

So a number of Microsoft customers complained about this deadline and Microsoft earlier in February moved away from the March deadline and now states that they will introduce this new default behavior sometime second half of the year. Of course, the problem with

any deadline that's a few months out is, well, it sounds far enough that you're probably going

to get surprised again. And if sometime in September or October, this new default behavior

will be released by Microsoft.

Well, to get you ready for it, we do have two diaries today by Rob about how to check which systems your network do use LDAB versus LDAB S and how to script some of the

configuration options.

So he made public a number of pretty neat PowerShell scripts that should you help tackle this

...