• Status: Solved
Should I allow LDAPS connectivity to our internal DC

Hi
I'm a network engineer with my company, but not a security expert. To enable new functionality of one of our record systems, which is hosted, the software vendor wants us to allow LDAPS connectivity to our internal domain controller. My gut tells me we shouldn't do this. What are the pros and cons of allowing this traffic? What would the worst case scenario be? If we were to allow it, what would the best practice be?

Thanks in advance!!
John
1 Solution
 
Joshua Hopkins (President) commented:
You could set up a read-only DC within a DMZ and then, within your firewall, only allow the IP(s) that would need to authenticate to it access from your WAN.
johncolfer (Security Consultant, Author) commented:
I thought of that, but the app needs to be able to write to the DC. The new functionality is called "Apply Online" and allows applicants to create a username and password so they can save and resume their application. So I guess a read-only DC will not work in this instance.
Joshua Hopkins (President) commented:
I would suggest that you then set up a new domain in a DMZ. Then create a trust between your internal AD and the new one. You could also look at federated services as an option.
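
As an added illustration (not from the thread or from any of its participants) of the host-side scoping Joshua describes for a DC placed in the DMZ: the host firewall on that DC admits LDAPS only from the vendor's source addresses, explicitly refuses cleartext LDAP from those same addresses, and logs drops so stray connection attempts are visible. The address 203.0.113.10 is a placeholder for the vendor's published IP(s), and the rule names are assumptions.

```powershell
# Added example: scope inbound LDAP on a DMZ-facing DC to the hosted vendor only.
# 203.0.113.10 is a placeholder for the vendor's published source IP(s); replace it.
$VendorIPs = @('203.0.113.10')

# Allow LDAPS (TCP 636) only from the vendor's addresses; everything else
# inbound on 636 falls through to the default inbound deny.
New-NetFirewallRule -DisplayName 'Allow LDAPS from hosted app vendor' `
    -Direction Inbound -Protocol TCP -LocalPort 636 `
    -RemoteAddress $VendorIPs -Action Allow -Profile Any

# Explicitly block cleartext LDAP (389) and the cleartext Global Catalog port
# (3268) from the vendor, so a misconfigured client cannot fall back to an
# unencrypted bind and expose applicant credentials on the wire.
New-NetFirewallRule -DisplayName 'Block cleartext LDAP from hosted app vendor' `
    -Direction Inbound -Protocol TCP -LocalPort 389,3268 `
    -RemoteAddress $VendorIPs -Action Block -Profile Any

# Log dropped packets so attempts against other ports from the vendor range
# (or from anyone else) show up for the SOC to review.
Set-NetFirewallProfile -Profile Domain,Private,Public -LogBlocked True `
    -LogFileName '%systemroot%\system32\LogFiles\Firewall\pfirewall.log'

# Verify what is actually exposed: list enabled inbound allow rules on port 636
# together with the remote addresses they accept.
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -contains '636' } |
    ForEach-Object {
        [pscustomobject]@{
            Rule          = $_.DisplayName
            RemoteAddress = ($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ','
        }
    }
```

The last command should list only the vendor rule; any other allow rule on 636 is a scoping gap to close before the DMZ DC goes live.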