Score:0

How to secure LDAP Queries from a public system to our DC

sd flag

We have a publicly reachable Debian server running Nextcloud, where our users should log on with their AD credentials. This server is in a DMZ and hardened as much as possible, but I'm a bit worried about the need to allow LDAP queries from the Nextcloud to the DC in our internal network. The account used to make these queries is only used for this, has no special privileges and a long, complex password. Is there anything more I can do to harden this point? I thought about putting an RODC in this DMZ and syncing only the needed accounts to this server, but I'm not sure if that really helps (or maybe even makes it worse).

Score:0
cn flag

If your concern is about object visibility in queries, Active Directory has List Object Mode which can provide this functionality. This is typically compared with denying access to group(s) of user accounts in a multi-tenant scenario.

https://social.technet.microsoft.com/wiki/contents/articles/29558.active-directory-controlling-object-visibility-list-object-mode.aspx

404_username_not_found avatar
sd flag
Object visibility is one point, but my biggest concern is the inbound rule for LDAP(S) from a potentially compromised system to my DC. So if the Linux server is fully compromised, could an attacker use this connection to compromise our AD?
cn flag
@404_username_not_found: LDAP queries are rarely the source of an incursion for threat actors (assuming there isn't anything stupid like user accounts with SPNs that shouldn't have them). A DC should not be placed in a DMZ for this. That is a physical security issue that doesn't make sense given all they need is access to port tcp/636 and/or tcp/3269 to query an LDAP directory. DMZs are inherently hostile (they exist primarily to block outgoing access); in most organizations where security is a priority this would not pass the operational readiness tests for bringing a DC online.
cn flag
@404_username_not_found: What some organizations do for this is use "shadow" forests to have copies of the user accounts/attributes. This is common in some Microsoft service scenarios. Some organizations have multiple shadow forests. Those are typically synchronized with production (without security information).
404_username_not_found avatar
sd flag
Thanks for your comment. This sounds really interesting!
Score:0
cn flag

An RODC is an excellent idea for this. You should also set up firewall access control lists to only allow LDAPS connections from the specific LDAP client on the remote network.

For the rest, follow your system security best practices for securing internet facing hosts (keep the software up to date, monitor logs, etc etc).
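The answer above ends with "monitor logs", and the question's real worry is what a compromised Nextcloud host could do with the bind account's stored credentials. The following is an added illustration, not code from the thread or from Nextcloud, of what that monitoring can look like on the DC side: the bind account is expected to come from exactly one source address, search one OU, and request a small attribute set, so any deviation from that profile is an alert. The log format, the account name `svc-nextcloud-ldap`, the TEST-NET addresses and the thresholds are all constructed for this example; real DC audit events would need their own parser in place of `parse_record`.

```python
"""Detection sketch for misuse of the Nextcloud LDAP bind account.

All names, addresses and log lines below are constructed for this example.
The records are a simplified 'key=value|key=value' form of what a DC-side
LDAP audit log would yield after parsing; they are not real event log lines.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Expected profile of the bind account (assumptions for this example).
SERVICE_ACCOUNT = "svc-nextcloud-ldap"
ALLOWED_SOURCE_IPS = {"192.0.2.10"}            # the single Nextcloud host in the DMZ
ALLOWED_BASE_DNS = {"ou=users,dc=example,dc=com"}
ALLOWED_ATTRIBUTES = {"samaccountname", "displayname", "mail", "memberof", "objectclass"}
RATE_WINDOW = timedelta(minutes=5)
RATE_LIMIT = 50                                 # searches allowed per window


@dataclass
class LdapRecord:
    ts: datetime
    account: str
    source_ip: str
    op: str                 # "bind" or "search"
    base_dn: str = ""
    attrs: tuple = ()
    scope: str = ""


def parse_record(line):
    """Parse one constructed record; fields are '|'-separated key=value pairs."""
    fields = dict(part.split("=", 1) for part in line.split("|"))
    return LdapRecord(
        ts=datetime.fromisoformat(fields["ts"]),
        account=fields["account"],
        source_ip=fields["src"],
        op=fields["op"],
        base_dn=fields.get("base", ""),
        attrs=tuple(a for a in fields.get("attrs", "").split(",") if a),
        scope=fields.get("scope", ""),
    )


def analyse(records):
    """Return (reason, record) alerts for activity outside the account's profile."""
    alerts = []
    searches = []
    for r in records:
        if r.account.lower() != SERVICE_ACCOUNT:
            continue                            # other accounts are out of scope here
        if r.source_ip not in ALLOWED_SOURCE_IPS:
            alerts.append(("bind_from_unexpected_source", r))
        if r.op == "search":
            searches.append(r)
            if r.base_dn.lower() not in ALLOWED_BASE_DNS:
                alerts.append(("search_outside_expected_base", r))
            extra = {a.lower() for a in r.attrs} - ALLOWED_ATTRIBUTES
            if extra:
                alerts.append(("unexpected_attributes:" + ",".join(sorted(extra)), r))
    # Volume check: a sliding window over the account's searches, alert once.
    searches.sort(key=lambda rec: rec.ts)
    start = 0
    for i, r in enumerate(searches):
        while r.ts - searches[start].ts > RATE_WINDOW:
            start += 1
        if i - start + 1 > RATE_LIMIT:
            alerts.append(("search_rate_exceeded", r))
            break
    return alerts


# Constructed sample: normal Nextcloud traffic, then the same account used from
# another address with a forest-wide search for attributes Nextcloud never asks for.
SAMPLE_LOG = """\
ts=2024-05-01T10:00:00|account=svc-nextcloud-ldap|src=192.0.2.10|op=bind
ts=2024-05-01T10:00:01|account=svc-nextcloud-ldap|src=192.0.2.10|op=search|base=ou=Users,dc=example,dc=com|scope=sub|attrs=sAMAccountName,mail,displayName
ts=2024-05-01T10:02:30|account=svc-nextcloud-ldap|src=198.51.100.7|op=bind
ts=2024-05-01T10:02:31|account=svc-nextcloud-ldap|src=198.51.100.7|op=search|base=dc=example,dc=com|scope=sub|attrs=sAMAccountName,servicePrincipalName,userAccountControl
ts=2024-05-01T10:05:00|account=jdoe|src=10.0.0.5|op=bind
"""


def run_sample():
    """Analyse the constructed sample and return the alert reasons in order."""
    records = [parse_record(line) for line in SAMPLE_LOG.splitlines()]
    return [reason for reason, _ in analyse(records)]


if __name__ == "__main__":
    for reason in run_sample():
        print(reason)
```

The source-address check duplicates what the firewall ACL from the answer should already enforce; keeping it in the log analysis catches the case where the ACL is misconfigured or the credentials are reused from elsewhere inside the network. The base-DN and attribute checks are what distinguish Nextcloud's narrow user lookups from someone walking the directory with the same account.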

Score:-1
mx flag

Some basics: use LDAPS if you haven't enabled LDAPS yet; use certificate authentication if you can; trust you already know not to use simple bind.

vidarlo avatar
ar flag
How does LDAPS and certificate based authentication work in this scenario?
mx flag
There is no difference how cert based auth works in an internal network, or from DMZ. Make sure 1. port 636 is open; 2. DC and client trust each other's issuing CA; 3. client cert has its SAN defined with UPN; 4. cert is mapped to respective user. Once you have done these, you then don't have to provide userName/password
vidarlo avatar
ar flag
Let me rephrase: how does it improve security?
mx flag
If I need to explain how LDAPS is more secure than LDAP, or how cert based is more secure than u/p, then I rather not explain. Sorry
vidarlo avatar
ar flag
In the scenario provided I don't see any significant value in TLS. The threat vector is not eavesdropping, but rather someone breaking the machine that runs the client. TLS won't help an iota in this case.
mx flag
Last comment of mine: what you mentioned is legit, but you are making an assumption about what the OP's concern is, and completely disregarding the risk of eavesdropping.
vidarlo avatar
ar flag
No, I don't make assumptions. I base it on what he writes in his question. He asks for hardening suggestions where he has an externally accessible server that queries internal systems. I don't see how this answers that question.
404_username_not_found avatar
sd flag
Correct me if I'm wrong, but I believe eavesdropping is in this case not a big concern, because the DMZ only contains this server and the firewall. If you compromised my Linux machine you can simply use the stored information (certs or passwords) to make queries.