Solved

how insecure is it to leave ldap ports open to the world

Posted on 2013-01-30
6
388 Views
Last Modified: 2013-02-19
I have a server 2008 with Exchange and a cheap router that won't allow me enough config settings to pin ldap ports to a range of external ips.

Am I being foolishif I leave ldap open to the world?
Can I leave it open to the world & forward to my email server can I then pin exchange down further behind it ?
0
Comment
Question by:eddiewickens
6 Comments
 
LVL 76

Expert Comment

by:arnold
Comment Utility
Why do you need to expose your AD/LDAP to the outside world?
One option is to setup a PPTP VPN server if you must access it.
Alternative get a better router. Depending on the router you have, an option might be to convert it if available I.e. a linksys, asus, etc. see if your router can run dd-wrt.com.
0
 

Author Comment

by:eddiewickens
Comment Utility
I am trying to set up a permanent sync my ad accounts/passwords with an online anti spam/av solution that has 10 or so servers/ips and I do not have room in my router setup to  allow access from 10 ips - so I have to allow from everyone.

I am trying to find a way not to buy a new router if I don't need to - one way would be to feel I do not have a security risk by leaving it open to all
0
 
LVL 36

Expert Comment

by:ArneLovius
Comment Utility
Unless you can use with either a VPN tunnel, or use LDAPS (LDAP over SSL on port 636), do not use the service, otherwise your usernames and passwords with be going across the internet in plain text.

I would also only allow access to LDAP (LDAPS) from specific IP addresses, leaving it open is leaving your AD open, it is a security risk

At bare minimum you could use the Windows firewall to restrict access, but if you do not already use the Windows firewall, this could involve more configuration than replacing the router with a more capable one.
0
Find Ransomware Secrets With All-Source Analysis

Ransomware has become a major concern for organizations; its prevalence has grown due to past successes achieved by threat actors. While each ransomware variant is different, we’ve seen some common tactics and trends used among the authors of the malware.

 
LVL 76

Expert Comment

by:arnold
Comment Utility
A router or a firewall that will be the device between the router and the LAN
0
 
LVL 61

Accepted Solution

by:
btan earned 500 total points
Comment Utility
Really don't see that ldap should be exposed to internet and if need to it is isolated and not to public. It will be inviting more trial and scanning attempts to bring service down like brute force, recon to see what is the internal structure domain, etc. You may want to look at this...

http://unixwiz.net/techtips/security-ldap-ad.html

Minimally there is need for proxy to do the first layer checks where possible...maybe going into LDS or ADAM to restrict but it may not meet your needs. I saw that when contractor need access to end user resource site but didn't want to expose whole ad but only specific to the user application resource needs....can be out of context for your case though
0
 
LVL 36

Expert Comment

by:ArneLovius
Comment Utility
I thought I covered the same points in more actual detail, but you awarded the points to somebody else.

Was there something that I missed ?
0

Featured Post

Are end users causing IT problems again?

You’ve taken the time to design and update all your end user’s email signatures, only to find out they’re messing up the HTML, changing the font and ruining the imagery. What can you do to prevent this? Find out how you can save your signatures from end users today.

Join & Write a Comment

Automapping, a wonderful feature with Exchange 2010 (SP2 onwards I believe), allows additional/Shared mailboxes that a user has access to be automatically mapped on Outlook client, simplifying the process by adding them while Outlook launches. Ho…
Nearly six years ago I was hired by a company to be their senior server engineer. One of my first projects was to implement Exchange Server 2007 on a Windows Server 2008 Single Copy Cluster for high availability. That was the easy part; read on to l…
Familiarize people with the process of utilizing SQL Server stored procedures from within Microsoft Access. Microsoft Access is a very powerful client/server development tool. One of the SQL Server objects that you can interact with from within Micr…
In this video we show how to create an email address policy in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.:  First we need to log into the Exchange Admin Center. Navigate to the Mail Flow…

771 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

15 Experts available now in Live!

Get 1:1 Help Now