listmail | Posts: 496 | 03/28/2008 1:24 PM
Doesn't stop auth attacks. But I agree on the info disclosure lockdown stuff; it's just that people don't do that because either they don't know how to do it or they are scared to do it. People are far less likely to screw up syncing, say, email addresses (which is usually all these email spam appliances need) to an ADAM or OpenLDAP store in the DMZ than trying to protect systems they don't really understand.
-- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
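A worked version of the "sync only what the appliance needs" approach joe describes, added here as an example and not code from the thread or from any of its participants: it takes user records shaped like those read from the production forest (constructed sample data), drops disabled and mail-less accounts, keeps only the SMTP addresses, and emits RFC 2849 LDIF for an inetOrgPerson-based DMZ store such as ADAM or OpenLDAP. The DMZ base DN, the objectClass choice, the use of the primary address as RDN and the sn placeholder are assumptions.

```python
"""Produce the minimal feed for a DMZ directory (ADAM or OpenLDAP) from
production AD user records, keeping only what a mail appliance needs to
validate recipients. Added example for this thread, not code from the page.
Assumptions: the records below are constructed, DMZ_BASE_DN and the
inetOrgPerson schema are illustrative, the primary address is used as RDN,
and sn is filled with a placeholder because the person class requires it."""
import base64

DMZ_BASE_DN = "OU=Recipients,DC=dmz,DC=example"  # assumed DMZ suffix
UF_ACCOUNTDISABLE = 0x0002                        # userAccountControl bit


def keep_entry(entry: dict) -> bool:
    """Only enabled, mail-enabled users are worth advertising in the DMZ."""
    uac = int(entry.get("userAccountControl", 0))
    return bool(entry.get("mail")) and not (uac & UF_ACCOUNTDISABLE)


def minimize_entry(entry: dict) -> dict:
    """Attribute subset for the DMZ copy: no sAMAccountName, UPN, groups,
    descriptions or X.400/SIP addresses cross the firewall."""
    primary = entry["mail"].strip()
    addresses = [primary]
    for value in entry.get("proxyAddresses", []):
        prefix, _, addr = value.partition(":")
        if prefix.lower() == "smtp" and addr.lower() not in {a.lower() for a in addresses}:
            addresses.append(addr)
    return {
        "objectClass": ["top", "person", "organizationalPerson", "inetOrgPerson"],
        "cn": [primary],
        "sn": [primary],  # placeholder: sn is mandatory, real surnames stay inside
        "mail": addresses,
    }


def dn_escape(value: str) -> str:
    """RFC 4514 escaping for an attribute value used inside a DN."""
    escaped = "".join("\\" + c if c in ',+"\\<>;=' else c for c in value)
    return "\\" + escaped if escaped[:1] in ("#", " ") else escaped


def ldif_line(attr: str, value: str) -> str:
    """RFC 2849: values that are not SAFE-STRINGs go out base64 (attr:: ...)."""
    unsafe = (value[:1] in (" ", ":", "<") or value.endswith(" ")
              or any(ord(c) > 127 or c in "\0\r\n" for c in value))
    if unsafe:
        return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"
    return f"{attr}: {value}"


def to_ldif(entries: list) -> str:
    """LDIF for every entry that passes keep_entry(), one record per block."""
    blocks = []
    for entry in entries:
        if not keep_entry(entry):
            continue
        minimal = minimize_entry(entry)
        dn = f"mail={dn_escape(minimal['mail'][0])},{DMZ_BASE_DN}"
        lines = [ldif_line("dn", dn)]
        for attr, values in minimal.items():
            lines.extend(ldif_line(attr, v) for v in values)
        blocks.append("\n".join(lines))
    return "\n\n".join(blocks) + "\n"


def constructed_ad_users() -> list:
    """Constructed sample records in the shape an AD read would return."""
    return [
        {"sAMAccountName": "jsmith", "userPrincipalName": "jsmith@corp.example",
         "mail": "j.smith@example.com",
         "proxyAddresses": ["SMTP:j.smith@example.com", "smtp:jsmith@example.com",
                            "X400:c=US;a= ;p=Example;o=Exchange;s=Smith;g=John;"],
         "memberOf": ["CN=Domain Admins,CN=Users,DC=corp,DC=example"],
         "userAccountControl": 512},
        {"sAMAccountName": "svc_backup", "mail": "", "userAccountControl": 512},
        {"sAMAccountName": "oldhire", "mail": "old.hire@example.com",
         "userAccountControl": 514},  # 514 = normal account + disabled bit
        {"sAMAccountName": "mueller", "mail": "müller@example.com",
         "userAccountControl": 512},  # non-ASCII forces base64 in LDIF
    ]


if __name__ == "__main__":
    print(to_ldif(constructed_ad_users()))
```

The output is what you would hand to ldifde or ldapadd against the DMZ instance; note that group membership, logon names and disabled accounts never appear in it, so a compromised appliance that reads the whole DMZ store still learns nothing more than the list of valid recipient addresses.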
_____
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Brian Desmond
Sent: Friday, March 28, 2008 1:16 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] LDAP security
Nothing more than any generic machine/user on the network can compromise with read access to AD. ACL the attributes or put it in a HR database somewhere or something if it's that sensitive.
--brian
On Fri, Mar 28, 2008 at 1:13 PM, joe <listmail@joeware.net> wrote:
I was thinking about a compromised appliance. Or compromised anything actually, that is always my concern with punching holes to the production AD. What can be disclosed? What can be attacked?
_____
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Brian Desmond
Sent: Friday, March 28, 2008 12:54 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] LDAP security
If the firewall rules are locked down to only permit LDAP queries from the appliance then I don't really see the value unless the appliance would generate enough load to warrant dedicated hardware.
On Fri, Mar 28, 2008 at 12:49 PM, joe <listmail@joeware.net> wrote:
I wasn't visualizing doing that, I was visualizing syncing the data needed to ADAM and letting it stand alone. If you allow the passthrough or you do proxy the lockout concern is still there.
Hmm that makes me think about some new features for ADAM proxy accounts that could be useful...
_____
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Brian Desmond
Sent: Friday, March 28, 2008 12:38 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] LDAP security
How does ADAM protect you from lockouts if you're doing pass-through or userProxy auth?
--brian
On Fri, Mar 28, 2008 at 12:32 PM, joe <listmail@joeware.net> wrote:
The main security benefits of using a separate ADAM instance would be that you don't expose your entire directory or user IDs. You could just push the info you need in the DMZ to the ADAM instance. That way if something compromised the machine doing the LDAP queries, they wouldn't be able to enumerate the entire domain/forest, just the info in ADAM (though depending on the company that could be bad enough...). You also protect IDs from DoS attacks and hacking attempts. I.e. I know one very small company who punched a 389 hole into their environment and the IT Director said it was perfectly safe and didn't see a need for additional expenses since the data in the directory wasn't THAT important.... I asked if it would be ok if I showed him a little of why it was that important... He said yes so I locked his account out for a few hours for him. He then listened to his IT security folks a little closer.
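The lockout demonstration joe describes rests on two facts: a host that can reach the DC's LDAP port can attempt a simple bind as any account name it knows, and every failed bind increments that account's badPwdCount toward the domain lockout threshold. The following model, added here as an example and not code from the thread, replays constructed bind events through those counters and then shows the detection side: flagging a source that fails binds against many distinct accounts in a short window. The policy values and the events are illustrative assumptions, not settings from the page.

```python
"""Model the AD account-lockout counters and show why an LDAP port opened to
an untrusted host lets that host lock out arbitrary accounts with nothing but
failed simple binds, then flag the host from the bind-failure log.

Added example for this thread, not code from the page. The events are
constructed and the policy values are illustrative, not AD defaults."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

# (timestamp in seconds, source IP, account name, bind succeeded)
Event = Tuple[float, str, str, bool]


@dataclass(frozen=True)
class LockoutPolicy:
    threshold: int = 5              # lockoutThreshold; 0 means lockout disabled
    observation_window: int = 1800  # lockoutObservationWindow, seconds
    lockout_duration: int = 1800    # lockoutDuration, seconds (>= window in AD)


@dataclass
class AccountState:
    bad_pwd_count: int = 0
    bad_password_time: float = float("-inf")
    locked_until: float = float("-inf")


def simulate_lockouts(events: List[Event], policy: LockoutPolicy) -> Dict[str, float]:
    """Replay bind attempts against the policy; return {account: time locked}."""
    state: Dict[str, AccountState] = defaultdict(AccountState)
    locked: Dict[str, float] = {}
    for t, _src, account, ok in sorted(events):
        s = state[account]
        if t < s.locked_until:
            continue  # still locked: the DC rejects the bind, counters untouched
        if ok:
            s.bad_pwd_count = 0  # a correct password resets badPwdCount
            continue
        if t - s.bad_password_time >= policy.observation_window:
            s.bad_pwd_count = 0  # observation window elapsed since last failure
        s.bad_pwd_count += 1
        s.bad_password_time = t
        if policy.threshold and s.bad_pwd_count >= policy.threshold:
            s.locked_until = t + policy.lockout_duration
            locked.setdefault(account, t)
    return locked


def flag_sources(events: List[Event], window: float = 300.0,
                 min_distinct_accounts: int = 3) -> Dict[str, int]:
    """Sources whose failed binds touch >= min_distinct_accounts distinct
    accounts inside any `window` seconds. Returns {source: peak distinct}."""
    failures: Dict[str, List[Tuple[float, str]]] = defaultdict(list)
    for t, src, account, ok in sorted(events):
        if not ok:
            failures[src].append((t, account))
    flagged: Dict[str, int] = {}
    for src, fails in failures.items():
        peak, start = 0, 0
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:
                start += 1  # slide the window forward
            peak = max(peak, len({a for _, a in fails[start:end + 1]}))
        if peak >= min_distinct_accounts:
            flagged[src] = peak
    return flagged


def constructed_events() -> List[Event]:
    """Constructed log: a host on the appliance's address (assumed 203.0.113.7)
    sprays five wrong passwords at three accounts; a normal user on 10.0.0.5
    mistypes twice and then logs in."""
    events: List[Event] = []
    t = 0.0
    for account in ("jsmith", "rlinan", "bdesmond"):
        for _ in range(5):
            events.append((t, "203.0.113.7", account, False))
            t += 10.0
    events += [(20.0, "10.0.0.5", "alice", False),
               (35.0, "10.0.0.5", "alice", False),
               (50.0, "10.0.0.5", "alice", True)]
    return events


if __name__ == "__main__":
    ev = constructed_events()
    print("locked out:", simulate_lockouts(ev, LockoutPolicy()))
    print("flagged sources:", flag_sources(ev))
```

The attacker never needs a valid password, only names, which is why joe's point about not exposing user IDs matters: an ADAM store holding only mail addresses gives the attacker nothing to bind as. The detector is the piece to wire into whatever collects 4625/4740-style events from the DCs: one source failing against many accounts is the signature of a lockout DoS rather than a forgotten password.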
_____
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Brian Desmond
Sent: Friday, March 28, 2008 12:19 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] LDAP security
AFAIK WSS v2 doesn't support it. Yes it's a good option - just figure out if the cost/overhead of implementing it outweighs just poking a few holes in the firewall.
--brian
On Fri, Mar 28, 2008 at 11:40 AM, Ramon Linan <Ramon.Linan@gst.com> wrote:
Actually, I was thinking of implementing ADAM for this application (SonicWALL mail security) and for WSS v2 and v3; would you advise doing that? I mean, is that also a good option for a public WSS?
thanks
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Brian Desmond
Sent: Friday, March 28, 2008 10:01 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] LDAP security
Short of an ADAM instance in the DMZ and a sync solution?
I'd just poke 636 open and give it a read-only ID and be done with it...
--brian
On Thu, Mar 27, 2008 at 6:15 PM, Ramon Linan <Ramon.Linan@gst.com> wrote:
Hi,
I have an antispam solution that sits on a public IP.
This solution needs to query LDAP for user authorization, etc. What would be the recommended way of setting this up without compromising AD? I don't think it would be very secure to allow LDAP queries from this server to our DC.
Any suggestion is welcome.
Thanks
Rezuma
-- Thanks, Brian Desmond brian@briandesmond.com
c - 312.731.3132