Security Basics mailing list archives
re: Microsoft Active Directory security concerns
From: "T Dog" <tdogblues () gmail com>
Date: Tue, 13 Jun 2006 13:27:36 -0500
Dave, I'm not an expert on Microsoft AD either, but we recently went through similar project. Here are some of the things we found along the way. 1) We used Secure LDAP to connect from our "portal" back to the AD (TCP port 636) 2) The developers used a call within C# similar to this: DirectoryEntry entry = new DirectoryEntry( path, domainAndUsername, pwd, AuthenticationTypes.SecureSocketsLayer); If you don't have control over the authentication methods within the product, then you might be limited to simple LDAP. My 2 cents on the strategy of using AD for external clients is this. Exposing your AD to the web to brute force attacks should require careful planning. The access for external clients is probably the first of many single sign-on projects, and the next request may be external access for internal employees. I have found that once a company starts down this path, they try to assimilate every application like the Borg. I'm assuming that your AD has well-defined password and lockout policies, but you might want to check whether the portal can "restrict" the users from trying to login to other OUs. Other alternatives include setting up a separate domain for the portal which we have done in the past. The PROs include separation of user management, but the negatives include additional headaches on user management along with the same maintenance. For example, users never know what they need, and they'll always send a vague e-mail stating that they need a password reset. This e-mail will intrigue the helpdesk as they try to figure out who the user is. I'm sure other members of the group who are wiser and more saavy in the ways of AD will have more to offer, but this was our experience. I hope this helps. Thanks, Rob
All,
I have spent most of my time in network security and IDS/IPS technology so
I'm fairly new to security pertaining to MS Active Directory. We are
being asked to evaluate web portal authentication/authorization for users,
most of whom are not employees of our company. Our NT group wants to add
/ maintain users in an "external OU", in an existing domain, under our
existing AD forest. I think this is a bad idea but I am not versed enough
in AD to argue the point. Are there glaring issues with this strategy? My
concern is that if someone were to gain access to AD they might not only
effect external applications but internal production as well.
Are "external OU's" that secure? Are there more secure authentication
schemes?
Any thoughts would be greatly appreciated.
>Dave
Current thread:
- Microsoft Active Directory security concerns DHegenbarth (Jun 13)
- Re: Microsoft Active Directory security concerns Saqib Ali (Jun 13)
- RE: Microsoft Active Directory security concerns Jason Dinsdale (Jun 27)
- <Possible follow-ups>
- re: Microsoft Active Directory security concerns T Dog (Jun 13)
- RE: Microsoft Active Directory security concerns Robertson, Seth (JSC-IM) (Jun 13)
- RE: Microsoft Active Directory security concerns Ramsdell, Scott (Jun 13)
- RE: Microsoft Active Directory security concerns Depp, Dennis M. (Jun 14)
- Re: re: Microsoft Active Directory security concerns adam . dawson (Jun 14)
- Re: Microsoft Active Directory security concerns simonis (Jun 15)