Disable non secure LDAP 389

Question
-
Hi,
Do you know if there is a way to force the use of LDAPS on 636 and disable LDAP access on the non-secure port 389 without affecting AD features?
Regards
- Edited by Pierre Uni Monday, November 5, 2012 4:52 PM
Monday, November 5, 2012 4:51 PM
Answers
-
No - there is not. You can enforce it from the client side - but blocking incoming connections on 389 would essentially break your AD
hth
Marcin- Proposed as answer by Cicely Feng Tuesday, November 6, 2012 3:01 AM
- Marked as answer by Cicely Feng Friday, November 9, 2012 8:18 AM
Monday, November 5, 2012 4:56 PM -
Hi,
No, you cannot. Disabling LDAP access on port 389 will affect AD communication. The LDAPS protocol is mainly used between an application and the Network Directory or AD Domain Controller.
There is no way to make clients prefer LDAPS, because the type of connection depends on the application that is running on the client computer.
Read 4 points updated by Kurt L Hudson in this article:
http://blogs.technet.com/b/pki/archive/2011/06/02/implementing-ldaps-ldap-over-ssl.aspx
Best regards,
Abhijit Waikar.
MCSA | MCSA:Messaging | MCITP:SA | MCC:2012
Blog: http://abhijitw.wordpress.com
Disclaimer: This posting is provided "AS IS" with no warranties or guarantees and confers no rights.
- Proposed as answer by Cicely Feng Tuesday, November 6, 2012 3:01 AM
- Marked as answer by Cicely Feng Friday, November 9, 2012 8:18 AM
Monday, November 5, 2012 6:33 PM -
Hello,
As others mentioned, there is no way to do it.
In fact, it is up to the application running on the client to request LDAP Secure connections. This is because there are some negotiations that must take place, which the application has to support.
Of course, blocking LDAP traffic will break all applications that are not able to establish Secure connections to AD. That is why you can break communication with AD.
This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
- Proposed as answer by Cicely Feng Tuesday, November 6, 2012 3:02 AM
- Marked as answer by Cicely Feng Friday, November 9, 2012 8:18 AM
Monday, November 5, 2012 6:46 PM -
As others mentioned, the answer is no. TCP and UDP port 389 are used for Directory, Replication, User and Computer Authentication, Group Policy, Trusts, etc.; blocking it will lead to AD issues. See below for the port requirements of AD.
http://msmvps.com/blogs/acefekay/archive/2011/11/01/active-directory-firewall-ports-let-s-try-to-make-this-simple.aspx
Best Regards,
Sandesh Dubey.
MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Administrator | My Blog
Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
- Proposed as answer by Cicely Feng Tuesday, November 6, 2012 3:02 AM
- Marked as answer by Cicely Feng Friday, November 9, 2012 8:18 AM
Monday, November 5, 2012 8:33 PM -
Hi
Blocking port 389 is a typical thing to do on an external firewall, but is not something you would do on a domain controller. The Active Directory Domain Service administration tools still use port 389, but they are protected by the sign and seal binding.
Refer to the article below:
http://blogs.technet.com/b/pki/archive/2011/06/02/implementing-ldaps-ldap-over-ssl.aspx
Hope it helps
__________________________
Best regards
Sarang Tinguria MCP, MCSA, MCTS
Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.
- Proposed as answer by Cicely Feng Tuesday, November 6, 2012 3:02 AM
- Marked as answer by Cicely Feng Friday, November 9, 2012 8:18 AM
Monday, November 5, 2012 8:37 PM
All replies
-
Hi all, here is an article from 2008. http://unixwiz.net/t...ty-ldap-ad.html
Each user who knows an AD userid and password could retrieve information about user accounts, groups etc. We also have LDAPS (TCP 636) configured. Everyone can run this easy test with Linux "ldapsearch". How can you secure LDAP TCP 389?
Secure:
ldapsearch -ZZ -H 'ldap://ServerX.contoso.local:389/' -D Hansi.Schmid@contoso -W -b 'OU=people,DC=contoso,DC=com' -s sub '(cn=Tom.Jones)' mail userprincipalname samaccountname
Non secure / default ldap:
ldapsearch -H 'ldap://ServerX.contoso.local:389/' -D Hansi.Schmid@contoso -W -b 'OU=people,DC=contoso,DC=com' -s sub '(cn=Tom.Jones)' mail userprincipalname samaccountname
Thursday, June 25, 2015 6:36 PM
-
That's a different question. You're talking about securing directory information.
LDAP is a DIRECTORY SERVICE, and by design, is intended so that anyone with the appropriate credentials can view certain types of information by default. Such as, yes, their username, email address and so on.
Some of that information must absolutely be available to all objects in the directory - you can't authenticate if your username is not readable. You can't get access to an application controlled by group membership if the membership of that group can't be read.
That said, you can place security constraints on many objects and attributes in AD. Firstly, attributes that aren't in the base schema can be marked as "confidential", which immediately removes Read from Authenticated Users (which is added to attributes by default). From there, you could configure permissions so that members of a certain group could not read certain account attributes. You could lock down the "department" attribute (and many other attributes) on all or selected user accounts so that only certain users could read that (although if Exchange uses it to build address lists or distribution groups, you'd want to be careful of that). You could configure groups so that viewing their memberships is denied to certain users or groups. You can create custom attributes in the AD schema with custom permissions.
There are many ways of securing data in AD. So to imply that it's all wide open if port 389 is accessible is incorrect. But by default, and this is true of most LDAP implementations, a certain set of attributes are readable to all other authenticated users. It's up to you as an administrator to understand that default attribute set and mitigations if certain data is sensitive (and genuinely sensitive, not some manager complaining that other internal users can see his account name. Please.)
The main thing that bugs me about the AD implementation of LDAP is that we can't force a simple LDAP auth (rather than SASL) to only be available over LDAPS. Most LDAP binds will be authenticated via SASL in a Windows environment, so why can't we lock down the auth part of LDAP?
- Edited by TrixM Wednesday, March 13, 2019 7:12 AM clarification
- Proposed as answer by Pedro Carreras Tuesday, August 13, 2019 2:25 AM
- Unproposed as answer by Pedro Carreras Tuesday, August 13, 2019 2:26 AM
Wednesday, March 13, 2019 7:02 AM -
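The two ldapsearch invocations above (with and without -ZZ) and TrixM's point about simple binds versus SASL come down to what is on the wire in the BindRequest. The following is an added example, not code from the thread or from Microsoft: it encodes LDAPv3 BindRequest and StartTLS PDUs as BER (RFC 4511), then audits a constructed client-to-server stream and flags any simple bind whose password crossed port 389 before TLS was negotiated. The DNs, the password, the SPNEGO token bytes and the session names are all made up for illustration; the audit treats the StartTLS request itself as the point where the stream becomes protected, which is a simplification of the real exchange (the server's success response comes first).

```python
"""Added example (not from the thread): encode LDAP BindRequest / StartTLS
PDUs as BER and audit a stream for cleartext simple binds on port 389.
Standard library only; every sample value below is constructed."""

STARTTLS_OID = "1.3.6.1.4.1.1466.20037"   # StartTLS extended operation, RFC 4511

# ---- minimal BER (X.690) helpers -------------------------------------------

def ber_length(n: int) -> bytes:
    """Definite-form length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + ber_length(len(body)) + body

def ber_int(value: int) -> bytes:
    """Non-negative INTEGER; the extra byte keeps the sign bit clear."""
    return tlv(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))

def read_tlv(buf: bytes, pos: int = 0):
    """Return (tag, contents, position after this TLV)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

# ---- LDAPMessage encoders ---------------------------------------------------

def simple_bind(msg_id: int, dn: str, password: str) -> bytes:
    # BindRequest ::= [APPLICATION 0] SEQUENCE { version 3, name, simple [0] OCTET STRING }
    op = tlv(0x60, ber_int(3) + tlv(0x04, dn.encode()) + tlv(0x80, password.encode()))
    return tlv(0x30, ber_int(msg_id) + op)

def sasl_bind(msg_id: int, mechanism: str, token: bytes) -> bytes:
    # authentication sasl [3] SaslCredentials { mechanism, credentials }
    sasl = tlv(0xA3, tlv(0x04, mechanism.encode()) + tlv(0x04, token))
    return tlv(0x30, ber_int(msg_id) + tlv(0x60, ber_int(3) + tlv(0x04, b"") + sasl))

def starttls_request(msg_id: int) -> bytes:
    # ExtendedRequest ::= [APPLICATION 23] SEQUENCE { requestName [0] LDAPOID }
    return tlv(0x30, ber_int(msg_id) + tlv(0x77, tlv(0x80, STARTTLS_OID.encode())))

# ---- decoder and auditor ---------------------------------------------------

def parse_ldap_message(pdu: bytes) -> dict:
    tag, body, _ = read_tlv(pdu)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    _, mid, pos = read_tlv(body)
    op_tag, op, _ = read_tlv(body, pos)
    msg = {"id": int.from_bytes(mid, "big")}
    if op_tag == 0x77:                                  # ExtendedRequest
        _, name, _ = read_tlv(op)
        msg["op"] = "starttls" if name.decode() == STARTTLS_OID else "extended"
    elif op_tag == 0x60:                                # BindRequest
        _, _, pos = read_tlv(op)                        # skip version
        _, name, pos = read_tlv(op, pos)
        auth_tag, auth, _ = read_tlv(op, pos)
        msg.update(op="bind", name=name.decode())
        if auth_tag == 0x80:                            # simple: password is right here
            msg.update(auth="simple", password=auth.decode())
        elif auth_tag == 0xA3:                          # SASL: GSS-SPNEGO carries a Kerberos/NTLM token
            _, mech, _ = read_tlv(auth)
            msg.update(auth="sasl", mechanism=mech.decode())
        else:
            msg["auth"] = "unknown"
    else:
        msg["op"] = "other"
    return msg

def audit_session(port: int, pdus: list) -> list:
    """Flag simple binds sent before the stream is TLS-protected."""
    protected = port == 636                 # LDAPS is TLS from the first byte
    findings = []
    for pdu in pdus:
        msg = parse_ldap_message(pdu)
        if msg["op"] == "starttls":
            protected = True                # assumption: treat the request as the switch point
        elif msg["op"] == "bind" and msg["auth"] == "simple" and not protected:
            findings.append(f"cleartext simple bind as {msg['name']} on port {port}")
    return findings

# Constructed sample traffic (not a real capture); the DN and password are invented.
DN = "CN=svc-app,OU=people,DC=contoso,DC=com"
SESSIONS = {
    "plain_389":    (389, [simple_bind(1, DN, "Winter2012!")]),
    "starttls_389": (389, [starttls_request(1), simple_bind(2, DN, "Winter2012!")]),
    "ldaps_636":    (636, [simple_bind(1, DN, "Winter2012!")]),
    "sasl_389":     (389, [sasl_bind(1, "GSS-SPNEGO", bytes(range(16)))]),  # placeholder token
}

def audit_all() -> dict:
    return {name: audit_session(port, pdus) for name, (port, pdus) in SESSIONS.items()}

if __name__ == "__main__":
    for name, findings in audit_all().items():
        print(name, "->", findings or "ok")
```

Only the plain_389 session produces a finding: the -ZZ variant (StartTLS on 389) and LDAPS on 636 wrap the same simple bind in TLS, and the GSS-SPNEGO bind is what Windows tools use by default, which is why the earlier answers say 389 stays open but is protected by sign and seal.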
I used local security policy and blocked 389 at the remote access network interface *WAN*, as I am using Windows Server as a router too. Domain and LAN computers have no issues, nothing breaks, and lsass.exe is quiet and not going nuts sending tons of bandwidth.
I do not have anyone connecting to my domain remotely, so no harm done.
- Edited by Pedro Carreras Tuesday, August 13, 2019 2:29 AM
Tuesday, August 13, 2019 2:28 AM