Create Windows LDAP Firewall Rule

I'd like to secure LDAP a bit better but it's difficult on Windows servers. What I'm thinking is that I could create a Windows Firewall rule to allow the connection if it's secure.

Since I'm not 100% sure where LDAP is used I'm wondering if creating such a rule would be self defeating. That is to say will the rule make it impossible to establish a secure connection because of the way it's configured or is this safe?
LVL 21
Russ SuterAsked:
Who is Participating?
Michael MachieFull-time technical multi-taskerCommented:
You should never need to create such a rule because when anything queries AD using the LDAP protocol no response will be generated without appropriate Domain Admin credentials being supplied from the requesting App. Only Domain Admins accounts can query LDAP, not local accounts or non-admin Domain Users, so the risk of a security breach goes only as far as how secure your Domain Admin credentials are.

Where and how is LDAP used? LDAP would be used to allow an App or device to authenticate a User against your Domain's Active Directory, or to reference any AD accounts for authenticated use.

Example1: My Anti Virus Server software uses LDAP for me to authenticate into the program using my Domain credentials. I could log in with a locally created User on the system, but using my Domain credentials is easier.

Example2:  My Cisco UC phone system. We populate a User's desk phone extension in their Active Directory User object, then use the LDAP utility in my UC Server to query Active Directory to pull in any new Users and their specified desk extensions. This keeps me from needing manually create a User in UC, then configure that User's desk phone extension. I instead build the AD account and at the same time specify their desk phone - query AD from the UC system and voila! That User and desk extension number are populated in Cisco UC.  

Example3: Some Multi-Function Printers use LDAP to query AD when a User logs into the MFP to perform scans. I have set them up so that a brand new User, with no scan templates or buttons for their own name, can walk up to the machine, input their AD credentials, and the MFP will authenticate them for use via LDAP query to AD. Then, since their Home Folder is specified in AD, they can choose 'Scan' and the scan will automatically drop into the AD specified Home Folder. No additional work involved.

Example4: HID tags can be added to AD. If the HID system uses LDAP and is configured, you can specify the User's HID tag in AD and you won't ever need to enter the HID system directly to set up a User - just add their HID tag number into their AD User object and that is it!
Russ SuterAuthor Commented:
Good info. Thanks. That pretty much covers things for me.
Michael MachieFull-time technical multi-taskerCommented:
Glad to help.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.