Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

how insecure is it to leave ldap ports open to the world

Posted on 2013-01-30
6
Medium Priority
?
430 Views
Last Modified: 2013-02-19
I have a server 2008 with Exchange and a cheap router that won't allow me enough config settings to pin ldap ports to a range of external ips.

Am I being foolishif I leave ldap open to the world?
Can I leave it open to the world & forward to my email server can I then pin exchange down further behind it ?
0
Comment
Question by:eddiewickens
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
6 Comments
 
LVL 79

Expert Comment

by:arnold
ID: 38838160
Why do you need to expose your AD/LDAP to the outside world?
One option is to setup a PPTP VPN server if you must access it.
Alternative get a better router. Depending on the router you have, an option might be to convert it if available I.e. a linksys, asus, etc. see if your router can run dd-wrt.com.
0
 

Author Comment

by:eddiewickens
ID: 38838923
I am trying to set up a permanent sync my ad accounts/passwords with an online anti spam/av solution that has 10 or so servers/ips and I do not have room in my router setup to  allow access from 10 ips - so I have to allow from everyone.

I am trying to find a way not to buy a new router if I don't need to - one way would be to feel I do not have a security risk by leaving it open to all
0
 
LVL 37

Expert Comment

by:ArneLovius
ID: 38838952
Unless you can use with either a VPN tunnel, or use LDAPS (LDAP over SSL on port 636), do not use the service, otherwise your usernames and passwords with be going across the internet in plain text.

I would also only allow access to LDAP (LDAPS) from specific IP addresses, leaving it open is leaving your AD open, it is a security risk

At bare minimum you could use the Windows firewall to restrict access, but if you do not already use the Windows firewall, this could involve more configuration than replacing the router with a more capable one.
0
Enterprise Mobility and BYOD For Dummies

Like “For Dummies” books, you can read this in whatever order you choose and learn about mobility and BYOD; and how to put a competitive mobile infrastructure in place. Developed for SMBs and large enterprises alike, you will find helpful use cases, planning, and implementation.

 
LVL 79

Expert Comment

by:arnold
ID: 38839259
A router or a firewall that will be the device between the router and the LAN
0
 
LVL 64

Accepted Solution

by:
btan earned 1500 total points
ID: 38839665
Really don't see that ldap should be exposed to internet and if need to it is isolated and not to public. It will be inviting more trial and scanning attempts to bring service down like brute force, recon to see what is the internal structure domain, etc. You may want to look at this...

http://unixwiz.net/techtips/security-ldap-ad.html

Minimally there is need for proxy to do the first layer checks where possible...maybe going into LDS or ADAM to restrict but it may not meet your needs. I saw that when contractor need access to end user resource site but didn't want to expose whole ad but only specific to the user application resource needs....can be out of context for your case though
0
 
LVL 37

Expert Comment

by:ArneLovius
ID: 38906824
I thought I covered the same points in more actual detail, but you awarded the points to somebody else.

Was there something that I missed ?
0

Featured Post

Free Tool: Subnet Calculator

The subnet calculator helps you design networks by taking an IP address and network mask and returning information such as network, broadcast address, and host range.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Resolve DNS query failed errors for Exchange
As tax season makes its return, so does the increase in cyber crime and tax refund phishing that comes with it
The video tutorial explains the basics of the Exchange server Database Availability groups. The components of this video include: 1. Automatic Failover 2. Failover Clustering 3. Active Manager
The basic steps you have just learned will be implemented in this video. The basic steps are shown to configure an Exchange DAG in a live working Exchange Server Environment and manage the same (Exchange Server 2010 Software is used in a Windows Ser…
Suggested Courses

715 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question