Solved

Secure LDAP

Posted on 2016-08-22
8
29 Views
Last Modified: 2016-09-11
we have our Active Directory installed on windows 2012 r2 domain controllers. we have a vendor visiting us to install his product and has given us a list of prerequisite that should be ready before he starts the deployment. one of the requirements is

* AD configured to use LDAPs

do I need to do any changes in my active directory to support secure LDAP

or by default it supports this
0
Comment
Question by:Aamer-
  • 4
  • 3
8 Comments
 
LVL 12

Assisted Solution

by:Benjamin Voglar
Benjamin Voglar earned 100 total points (awarded by participants)
Comment Utility
0
 
LVL 61

Assisted Solution

by:btan
btan earned 400 total points (awarded by participants)
Comment Utility
Vendor should be referring to LDAP over SSL (LDAPS) - which is to make LDAP traffic secure. I believe they will want to make sure the SSL certificate is setuo and during their administration access making LDAPS call and checks, it will be secured as a baseline hardening - no plaintext during the transaction. AD already supports LDAPS, you just need to get the SSL ready and provisioned - for info if you are using a 3rd party issued SSL cert @ http://windowsitpro.com/active-directory/how-use-ldap-over-ssl-lock-down-ad-traffic
0
 

Author Comment

by:Aamer-
Comment Utility
we are using a private PKI. is there any configuration I need to do on my domain controllers to support LDAPs
0
 

Author Comment

by:Aamer-
Comment Utility
my AD is being used by many services. and there is only one application that requires LDAPs. if I configure my domain controllers for LDAPs will it not effect all the other services and clients.
0
Find Ransomware Secrets With All-Source Analysis

Ransomware has become a major concern for organizations; its prevalence has grown due to past successes achieved by threat actors. While each ransomware variant is different, we’ve seen some common tactics and trends used among the authors of the malware.

 
LVL 61

Assisted Solution

by:btan
btan earned 400 total points (awarded by participants)
Comment Utility
Yes it will be to all service doing LDAPS. For e.g. LDAPS communication occurs over port TCP 636. LDAPS communication to a global catalog server occurs over TCP 3269. When connecting to ports 636 or 3269, SSL/TLS is negotiated before any LDAP traffic is exchanged.
0
 

Author Comment

by:Aamer-
Comment Utility
To configure LDAPS, I think all I need to do in install certificates on all the domain controllers. my only question is once I configure LDAPs will clients and services that still use LDAP work as before or it is like a complete switch from ldap to ldaps. I have a subordinate enterprise CA in the domain and i can issue certificates to the domain controllers. will it effect services that are using LDAP. will it affect windows clients, exchange servers etc ect.
0
 
LVL 61

Accepted Solution

by:
btan earned 400 total points (awarded by participants)
Comment Utility
Really depends on your client machine and applications as they can still do LDAP sonce DC does not enforce it unless you have firewall blocking 636.
But do note if the DC enable only LDAP signing then client machine do not use LDAPS or signing will fail to connect


If you configure this policy as None, the server will not require data signatures but will provide them if requested by the client. “Require signature” means the domain controller will only bind with clients that negotiate LDAP data-signing OR are using TLS/SSL
https://www.ultimatewindowssecurity.com/wiki/WindowsSecuritySettings/Domain-Controller-LDAP-server-signing-requirements
0
 
LVL 61

Expert Comment

by:btan
Comment Utility
As guided and advised in the scope and things to watch out for in setup.
0

Featured Post

What Security Threats Are You Missing?

Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

Join & Write a Comment

I'm sure that every Windows systems administrator has written, or at least used, a batch or VBS login script at some point in their career, whether it is to map network drives, install printers, or set some user preferences.  No more! With Window…
Find out how to use Active Directory data for email signature management in Microsoft Exchange and Office 365.
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…

771 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now