how insecure is it to leave ldap ports open to the world
I have a server 2008 with Exchange and a cheap router that won't allow me enough config settings to pin ldap ports to a range of external ips.
Am I being foolishif I leave ldap open to the world?
Can I leave it open to the world & forward to my email server can I then pin exchange down further behind it ?
Am I being foolishif I leave ldap open to the world?
Can I leave it open to the world & forward to my email server can I then pin exchange down further behind it ?
ASKER
I am trying to set up a permanent sync my ad accounts/passwords with an online anti spam/av solution that has 10 or so servers/ips and I do not have room in my router setup to allow access from 10 ips - so I have to allow from everyone.
I am trying to find a way not to buy a new router if I don't need to - one way would be to feel I do not have a security risk by leaving it open to all
I am trying to find a way not to buy a new router if I don't need to - one way would be to feel I do not have a security risk by leaving it open to all
Unless you can use with either a VPN tunnel, or use LDAPS (LDAP over SSL on port 636), do not use the service, otherwise your usernames and passwords with be going across the internet in plain text.
I would also only allow access to LDAP (LDAPS) from specific IP addresses, leaving it open is leaving your AD open, it is a security risk
At bare minimum you could use the Windows firewall to restrict access, but if you do not already use the Windows firewall, this could involve more configuration than replacing the router with a more capable one.
I would also only allow access to LDAP (LDAPS) from specific IP addresses, leaving it open is leaving your AD open, it is a security risk
At bare minimum you could use the Windows firewall to restrict access, but if you do not already use the Windows firewall, this could involve more configuration than replacing the router with a more capable one.
A router or a firewall that will be the device between the router and the LAN
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
I thought I covered the same points in more actual detail, but you awarded the points to somebody else.
Was there something that I missed ?
Was there something that I missed ?
One option is to setup a PPTP VPN server if you must access it.
Alternative get a better router. Depending on the router you have, an option might be to convert it if available I.e. a linksys, asus, etc. see if your router can run dd-wrt.com.