Create Windows LDAP Firewall Rule

I'd like to secure LDAP a bit better but it's difficult on Windows servers. What I'm thinking is that I could create a Windows Firewall rule to allow the connection if it's secure.

Since I'm not 100% sure where LDAP is used, I'm wondering if creating such a rule would be self-defeating. That is to say, will the rule make it impossible to establish a secure connection because of the way it's configured, or is this safe?
Russ Suter asked:
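The rule the question describes, written out in PowerShell as an added example (not from the question or either reply, and not a setting either participant proposed). It assumes it runs on a domain controller listening on TCP 389/636, and the rule display names are placeholders; the discovery step comes first because an "allow if secure" rule only admits IPsec-authenticated peers, so any client without a matching connection security rule is dropped.

```powershell
# Added example, not from the page. Run elevated on a domain controller.

# 1. Discovery: find out who still binds over plain LDAP before enforcing anything.
#    Raising "16 LDAP Interface Events" to 2 makes the DC write Event ID 2889
#    (client address and account) to the Directory Service log for every
#    unsigned/simple bind it accepts.
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics' `
    -Name '16 LDAP Interface Events' -Value 2 -Type DWord

# Review the collected binds after a few days of normal operation.
Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 2889 } -MaxEvents 50 |
    Select-Object TimeCreated, Message

# 2. See which allow rules already cover 389. A plain "Allow" rule for the same
#    port (the built-in AD DS rules on a DC, for example) still admits
#    unauthenticated traffic, so adding a secure-only rule beside it changes nothing
#    until those broader rules are disabled. That is where the self-defeating
#    risk sits: disable them before every client has an IPsec policy and they lose LDAP.
Get-NetFirewallPortFilter | Where-Object { $_.LocalPort -eq 389 } |
    Get-NetFirewallRule | Select-Object DisplayName, Enabled, Action

# 3. The rule itself: "Allow the connection if it is secure" is -Authentication Required.
#    It requires IPsec authentication of the peer, which is not the same thing as
#    LDAPS/TLS on 636; a matching connection security rule must exist on both sides.
New-NetFirewallRule -DisplayName 'LDAP 389 inbound (IPsec-authenticated only)' `
    -Direction Inbound -Protocol TCP -LocalPort 389 -Profile Domain `
    -Action Allow -Authentication Required

# LDAPS carries its own TLS protection, so it can remain a normal allow.
New-NetFirewallRule -DisplayName 'LDAPS 636 inbound' `
    -Direction Inbound -Protocol TCP -LocalPort 636 -Profile Domain -Action Allow

# 4. Confirm the security filter actually requires authentication.
Get-NetFirewallRule -DisplayName 'LDAP 389 inbound (IPsec-authenticated only)' |
    Get-NetFirewallSecurityFilter
```

Event 2889 only records clients that bind without signing; clients that already use LDAPS or SASL signing do not appear, which is the point of the check.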

Michael Machie (IT Supervisor) commented:
You should never need to create such a rule because when anything queries AD using the LDAP protocol, no response will be generated without appropriate Domain Admin credentials being supplied from the requesting app. Only Domain Admin accounts can query LDAP, not local accounts or non-admin Domain Users, so the risk of a security breach goes only as far as how secure your Domain Admin credentials are.

Where and how is LDAP used? LDAP would be used to allow an App or device to authenticate a User against your Domain's Active Directory, or to reference any AD accounts for authenticated use.

Example 1: My antivirus server software uses LDAP for me to authenticate into the program using my Domain credentials. I could log in with a locally created user on the system, but using my Domain credentials is easier.

Example 2: My Cisco UC phone system. We populate a user's desk phone extension in their Active Directory User object, then use the LDAP utility in my UC server to query Active Directory to pull in any new users and their specified desk extensions. This keeps me from needing to manually create a user in UC and then configure that user's desk phone extension. I instead build the AD account and at the same time specify their desk phone; query AD from the UC system and voila! That user and desk extension number are populated in Cisco UC.

Example 3: Some multi-function printers use LDAP to query AD when a user logs into the MFP to perform scans. I have set them up so that a brand new user, with no scan templates or buttons for their own name, can walk up to the machine, input their AD credentials, and the MFP will authenticate them for use via an LDAP query to AD. Then, since their home folder is specified in AD, they can choose 'Scan' and the scan will automatically drop into the AD-specified home folder. No additional work involved.

Example 4: HID tags can be added to AD. If the HID system uses LDAP and is configured, you can specify the user's HID tag in AD and you won't ever need to enter the HID system directly to set up a user; just add their HID tag number into their AD User object and that is it!

Russ Suter (Author) commented:
Good info. Thanks. That pretty much covers things for me.
Michael Machie (IT Supervisor) commented:
Glad to help.
