Forum Discussion
Securing LDAP in Windows AD
Hello everyone.
I would like to secure the use of LDAP within an Active Directory domain.
My domain has three Windows 2022 DCs.
Searching online, I found these suggestions:
- Enforce LDAPS (LDAP over SSL/TLS)
- Disable plain-text LDAP bindings
- Block or restrict port 389 (optional but recommended)
- Enable Channel Binding Tokens (CBT)
Does it make sense to only allow certain users to browse LDAP?
Could limiting LDAP browsing to certain users cause problems?
Thanks
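An added example (not code from the thread) that turns the first, second and fourth items above into something you can measure before changing anything: it reads, on every DC, the two NTDS registry values behind the "LDAP server signing requirements" and "LDAP server channel binding token requirements" policies, and performs a real TLS handshake against port 636 so the LDAPS certificate is checked against the machine's own trust store, the way an LDAPS client would. It assumes the RSAT ActiveDirectory module is installed, that WinRM is open to the DCs, and that the account running it can read HKLM on them; the function names are my own.

```powershell
# Added example, not from the original post. Reports LDAP signing / CBT
# enforcement per DC and verifies the LDAPS listener's certificate.
# Assumes: RSAT ActiveDirectory module, WinRM to each DC, read access to HKLM.
Import-Module ActiveDirectory

function Get-LdapSigningState {
    param(
        [string[]]$DomainController = (Get-ADDomainController -Filter * |
            Select-Object -ExpandProperty HostName)
    )
    foreach ($dc in $DomainController) {
        # Both values live under NTDS\Parameters; absent means "not configured".
        $values = Invoke-Command -ComputerName $dc -ScriptBlock {
            $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
            $p = Get-ItemProperty -Path $key
            [pscustomobject]@{
                Integrity = $p.LDAPServerIntegrity        # 1 = none, 2 = require signing
                Cbt       = $p.LdapEnforceChannelBinding  # 0 = never, 1 = when supported, 2 = always
            }
        }
        [pscustomobject]@{
            DomainController = $dc
            SigningRequired  = ($values.Integrity -eq 2)
            ChannelBinding   = $(switch ($values.Cbt) { 2 { 'Always' } 1 { 'WhenSupported' } default { 'Never' } })
        }
    }
}

function Test-LdapsCertificate {
    param([Parameter(Mandatory)][string]$HostName, [int]$Port = 636)
    $tcp = [System.Net.Sockets.TcpClient]::new()
    try {
        $tcp.Connect($HostName, $Port)
        # Default SslStream validation rejects untrusted, expired or name-mismatched
        # certificates, which is what domain clients do too, so a failure here is a
        # real finding rather than a scripting problem.
        $tls = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false)
        $tls.AuthenticateAsClient($HostName)
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($tls.RemoteCertificate)
        [pscustomobject]@{
            HostName   = $HostName
            Listening  = $true
            Trusted    = $true
            Protocol   = $tls.SslProtocol
            Subject    = $cert.Subject
            Issuer     = $cert.Issuer
            NotAfter   = $cert.NotAfter
            Thumbprint = $cert.Thumbprint
        }
        $tls.Dispose()
    }
    catch {
        [pscustomobject]@{
            HostName  = $HostName
            Listening = $tcp.Connected
            Trusted   = $false
            Error     = $_.Exception.Message
        }
    }
    finally { $tcp.Dispose() }
}

# Usage: one row per DC for signing/CBT state, one row per DC for the LDAPS listener.
Get-LdapSigningState | Format-Table -AutoSize
Get-ADDomainController -Filter * |
    ForEach-Object { Test-LdapsCertificate -HostName $_.HostName } |
    Format-Table -AutoSize
```

A DC that shows `SigningRequired = False` and `ChannelBinding = Never` is still accepting unsigned binds; a DC whose LDAPS row comes back `Trusted = False` will break every client that is switched to port 636, so both are worth fixing before any enforcement GPO is applied.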
- VGSandz (Copper Contributor)
The following are classified as hardening the AD environment.
- Enforce LDAPS (LDAP over SSL/TLS)
- Disable plain-text LDAP bindings
- Block or restrict port 389 (optional but recommended)
- Enable Channel Binding Tokens (CBT)
LDAPS would need Certificates.
All these require extensive testing as they break a lot of legacy apps and authentication.
Restricting 389 is a risky option for things like:
- Domain joins
- GPO processing
- Computer authentication
which has to be done by signing..about
Does it make sense to only allow certain users to browse LDAP? Could limiting LDAP browsing to certain users cause problems?
- LDAP/LDAPS -> does user bind irrespective; it is how you manage the AD inventory by blocking ACLs for the users' ability to read. This has its risks if not done properly.
It's better to spin up a lab to test the scenarios...
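The reply's point that these settings "break a lot of legacy apps and authentication" can be tested without guessing: a DC logs Directory Service event 2889 for every SASL bind without signing and every clear-text simple bind once the "16 LDAP Interface Events" diagnostic is raised to 2, so the offenders can be listed before signing or CBT are required. The following is an added example, not the reply author's code; it assumes WinRM and remote event-log access to the DCs, and that the DCs write the English 2889 message template (the regexes match that text; the binding-type mapping of 0 = unsigned SASL, 1 = clear-text simple bind is Microsoft's documented meaning). Function names are my own.

```powershell
# Added example, not from the thread. Turns on event 2889 logging on the DCs
# and builds an inventory of clients still doing unsigned or clear-text binds.
# Assumes: WinRM to the DCs, remote event-log read access, English event text.

function Enable-UnsignedBindLogging {
    param([Parameter(Mandatory)][string[]]$DomainController)
    # Level 2 makes the DC write one 2889 event per offending bind (noisy but precise);
    # the daily 2887 summary is written regardless of this setting.
    Invoke-Command -ComputerName $DomainController -ScriptBlock {
        Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics' `
            -Name '16 LDAP Interface Events' -Value 2 -Type DWord
    }
}

function Get-UnsignedBindClients {
    param([Parameter(Mandatory)][string[]]$DomainController, [int]$Days = 7)

    $binds = foreach ($dc in $DomainController) {
        Get-WinEvent -ComputerName $dc -FilterHashtable @{
            LogName   = 'Directory Service'
            Id        = 2889
            StartTime = (Get-Date).AddDays(-$Days)
        } -ErrorAction SilentlyContinue | ForEach-Object {
            # The 2889 text carries the client IP:port, the identity it bound as and a
            # binding type (0 = SASL bind without signing, 1 = simple bind in clear text).
            $m = $_.Message
            [pscustomobject]@{
                DC          = $dc
                Time        = $_.TimeCreated
                Client      = if ($m -match 'Client IP address:\s*(\S+)')                    { $Matches[1] } else { $null }
                Identity    = if ($m -match 'attempted to authenticate as:\s*(\S+)')         { $Matches[1] } else { $null }
                BindingType = if ($m -match 'Binding Type:\s*(\d)')                          { [int]$Matches[1] } else { $null }
            }
        }
    }

    # One row per client address: how often, as whom, and how many were clear-text
    # simple binds (those leak the password on the wire, so fix them first).
    $binds | Group-Object { ($_.Client -split ':')[0] } | ForEach-Object {
        [pscustomobject]@{
            ClientAddress = $_.Name
            Binds         = $_.Count
            SimpleBinds   = @($_.Group | Where-Object BindingType -eq 1).Count
            Identities    = (@($_.Group.Identity) | Sort-Object -Unique) -join ', '
            DCs           = (@($_.Group.DC) | Sort-Object -Unique) -join ', '
            LastSeen      = ($_.Group.Time | Measure-Object -Maximum).Maximum
        }
    } | Sort-Object Binds -Descending
}

# Usage: enable logging on the three DCs, wait a week of normal business (including
# any monthly jobs), then pull the inventory.
$dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName
Enable-UnsignedBindLogging -DomainController $dcs
Get-UnsignedBindClients -DomainController $dcs -Days 7 | Format-Table -AutoSize
```

Every address in that table is an application, appliance or script that will stop authenticating the moment "LDAP server signing requirements" is set to "Require signing" or CBT is set to "Always"; walking the list down to zero (switching each to LDAPS or to a signing SASL bind) is the testing step the reply recommends, and running it in the lab first still applies.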