I need to support Mac clients who need to access a LDAP server to locate SMIME keys.

Since the keys are already in AD, and it's easy for me to create a RODC or read only forest where I push the certificates to, is it acceptable to expose unauthenticated LDAP and LDAPs to the internet?

One issue I can think of is an LDAP form of a directory harvest attack, where a spammer could determine which addresses are valid and which aren't.

makerofthings7

2 Answers

It depends completely on what's in the LDAP directory.

For Active Directory, absolutely not, even for an RODC - the security profile of these devices is designed for being inside your network (the RODC specifically is hardened against physical compromise, so you can keep it in a closet - a physical compromise of a normal DC would give an attacker control of the domain and all users' password hashes).

An attacker could gain a mountain of information from AD - usernames to try to authenticate with, system names, some amount of network topology... if not enough to attack with directly (password attacks against a different public endpoint, like VPN?), certainly enough to put together a solid social engineering or spear phishing attack.

Shane Madden
  • In the solution I propose above, AD happens to be serving the LDAP data, and I'm leveraging its ability to replicate and do LDAP stuff. There will be no user accounts, other than a renamed Administrator account with a 2 factor password and disabled guest account. I'm considering editing the ACLs of all containers so that enumeration by anonymous users is not possible. Just direct queries. – makerofthings7 Mar 05 '14 at 01:44
  • If your AD is that empty, why not just use simple LDAP? – mfinni Mar 05 '14 at 02:05
  • @mfinni - I don't know Linux, and am very comfortable with all the nuances of AD... – makerofthings7 Mar 05 '14 at 12:03
  • @makerofthings7 - I didn't even whisper the word "Linux". There are plenty of LDAP server implementations for any OS you care to name. Microsoft has one, similar to AD, called AD LDS (formerly ADAM). That would be better, in almost all cases. Exposing Active Directory to the internet, via LDAP, exposes sensitive information. It's nothing that wouldn't be available to a LAN-connected client, and if your AD truly contains nothing you don't mind exposing, then go for it. It's not generally acceptable though, which was your stated question. – mfinni Mar 05 '14 at 13:34
  • Yes, ADAM seems like a fit for this. I totally forgot about it, despite working with it for years. – makerofthings7 Mar 05 '14 at 18:29
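As an added example (not part of either answer or the comment thread), a defender-side PowerShell check for the anonymous-enumeration concern discussed above: by default AD answers anonymous LDAP binds only for RootDSE, and the 7th character of the forest-wide dSHeuristics attribute (fLDAPBlockAnonOps) set to '2' is what lifts that limit. It assumes the ActiveDirectory module is available and that it runs on a domain-joined host with read access to the Configuration partition.

```powershell
# Added example: report whether this forest permits anonymous LDAP operations
# beyond RootDSE. Position 7 of dSHeuristics (fLDAPBlockAnonOps) equal to '2'
# allows anonymous reads; anything else (or no value) keeps the default limit.
# Assumes the ActiveDirectory module and read access to the Configuration NC.
Import-Module ActiveDirectory

function Test-AnonymousLdapOps {
    $rootDse = Get-ADRootDSE
    $dsPath  = "CN=Directory Service,CN=Windows NT,CN=Services,$($rootDse.configurationNamingContext)"
    $dsObj   = Get-ADObject -Identity $dsPath -Properties dSHeuristics
    $h       = [string]$dsObj.dSHeuristics

    # Characters 1-6 control other heuristics; index 6 (7th char) is fLDAPBlockAnonOps.
    $anonAllowed = ($h.Length -ge 7) -and ($h[6] -eq '2')

    [pscustomobject]@{
        Forest                  = $rootDse.rootDomainNamingContext
        dSHeuristics            = if ($h) { $h } else { '<not set>' }
        AnonymousLdapOpsAllowed = $anonAllowed
    }
}

Test-AnonymousLdapOps | Format-List
```

`AnonymousLdapOpsAllowed = False` means anonymous binds can read only RootDSE, which is the default; the check says nothing about what an authenticated user can read once the port is reachable.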
No, it would not be generally acceptable. Not sure what you are trying to achieve, but I would say the correct way is to first establish a VPN connection and then connect to LDAP.

ETL