Re: LDAP and A/D security over internet

Giganews Newsgroups
Posted by: Erik Cheizoo
Date: Tue, 6 Feb 2007

Never, ever, ever publish your AD DCs to the Internet (that's what you're
doing when opening up LDAP ports). It's a hacker's wet dream.

A better solution would be to create a VPN tunnel from their app server to
one of your DCs.
That is, when you trust them enough to publish one of your DCs to them. Only
allow the minimum required ports for LDAP authentication.

Kind regards,

Erik Cheizoo
eXcellence & Difference - we keep your business running
Always test in a non-production environment before implementing

"Peter Hoffman" <PeterHoffm…> wrote in message
> Hi, we are a college campus, Win03 SP1, single domain. I have a request from
> our State sponsor to be able to allow our employees access to their portal.
> The sponsor wants to do LDAP queries from their servers in another city
> against my DCs to authenticate our users against our AD to allow access to
> their portal. I have no experience doing anything like this.
> I'm concerned about security. My DCs are on an internal network, not on the
> DMZ. The sponsor is asking us to config our firewall to allow LDAP access
> from their servers through the firewall to one of my DCs.
> What should I be concerned about here as far as security? What are the best
> practices? Any help is very much appreciated!!
> Thanks, - Pete
> --
> -----
> P Hoffman, MCSA, MCP, MSCE
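
One concrete way to apply the advice above ("only allow the minimum required ports", and only from the VPN peer) on a domain controller, as an added example that is not part of the original post or of either poster's setup. It uses the Windows Firewall cmdlets that exist on Windows Server 2012 and later (the original thread is about Win03, where the equivalent would be done in the Windows Firewall GUI or netsh). The peer address `$SponsorVpnPeer` and the choice of LDAPS only (TCP 636; 389, 3268 and 3269 stay closed) are assumptions for illustration; substitute the sponsor's real VPN-side address.

```powershell
# Added example, not from the original post: scope a DC's LDAP exposure to one VPN peer.
# Assumption: $SponsorVpnPeer is the sponsor app server's address as seen inside the VPN.
$SponsorVpnPeer = '10.50.1.25'   # hypothetical VPN-side address; replace with the real one

# 1. Allow LDAPS (TCP 636) inbound from that single peer only, on the Domain profile only,
#    so the rule never applies if the DC's NIC somehow ends up on a Public/Private profile.
New-NetFirewallRule -DisplayName 'LDAPS from sponsor VPN peer' `
    -Direction Inbound -Protocol TCP -LocalPort 636 `
    -RemoteAddress $SponsorVpnPeer -Action Allow -Profile Domain | Out-Null

# 2. Audit: report every enabled inbound allow rule that opens an LDAP-family port
#    (389 LDAP, 636 LDAPS, 3268/3269 Global Catalog) to any remote address at all.
#    The goal is an empty result; anything listed here is the "published to the
#    Internet" situation the post warns about if the firewall in front is also open.
$LdapPorts = '389', '636', '3268', '3269'
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True | ForEach-Object {
    $rule = $_
    $portFilter = $rule | Get-NetFirewallPortFilter
    $addrFilter = $rule | Get-NetFirewallAddressFilter
    $ldapHits   = @($portFilter.LocalPort) | Where-Object { $LdapPorts -contains $_ }
    if ($ldapHits -and (@($addrFilter.RemoteAddress) -contains 'Any')) {
        [pscustomobject]@{
            Rule   = $rule.DisplayName
            Ports  = ($ldapHits -join ',')
            Remote = 'Any'
        }
    }
}
```

Run the audit half on its own before and after the change; the perimeter firewall still needs a matching rule that only admits the VPN tunnel, since the host rule alone does nothing about a NAT or port-forward that was added at the edge.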


In response to

LDAP and A/D security over internet posted by Peter Hoffman on Tue, 6 Feb 2007