Use LDAP Server Signing

LDAP is an industry standard protocol used to query and update information in a directory service, and it is the primary access protocol used with Active Directory. Many Windows Server 2003 administrative tools sign and encrypt all LDAP traffic by default, including the following:

Active Directory Users and Computers
Active Directory Sites and Services
Active Directory Domains and Trusts
Active Directory Schema
ADSI Edit
Server resource kit utilities

However, you can require that LDAP traffic always be signed by using the Security Option Domain Controller: LDAP Server Signing Requirements. The None setting does not require LDAP signing, but the DC will support it if the client requests it. The Require Signature setting requires a signature. Don't forget to set the client security setting Network Security: LDAP Client Signing Requirements. If the server is set to Require and the client is not set, the LDAP connection will be lost. The following options are available:

None: LDAP traffic is issued with the requirements of the caller (the application).
Negotiate: If SSL/TLS is already being used, the LDAP request is issued with the requirements of the caller. If SSL/TLS is not used, the LDAP BIND request (binding is the process by which the client authenticates to the server) includes the LDAP signing requirement in addition to the caller's requests.
Require: Same as Negotiate, except that if the server cannot BIND with signing, the request fails.

LDAP requests are issued using ldap_bind calls. The ldap_simple_bind and ldap_simple_bind_s functions are not capable of requiring signing or encryption. These functions pass the user ID and password in the clear and should not be used unless an encrypted session using SSL/TLS has been set up. If signing is required and ldap_simple_bind or ldap_simple_bind_s is used, the request will be rejected.
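The two security options above are stored as registry values on the server and client respectively. The following PowerShell function is an added example, not from the book, that reads both values and reports the combination the text warns about (server at Require, client at None) as well as the weaker states an auditor would want flagged. The registry paths and value meanings are the ones Microsoft documents for these two policies; the assumption that a missing client value means the documented default (Negotiate signing) is noted in the code.

```powershell
# Added example (not from the book): audit the LDAP signing policy values written by
# "Domain controller: LDAP server signing requirements" (DCs only) and
# "Network security: LDAP client signing requirements" (every Windows client).
function Get-LdapSigningPosture {
    [CmdletBinding()]
    param()

    # Server side, present only on domain controllers: 1 = None, 2 = Require signature
    $serverKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    # Client side: 0 = None, 1 = Negotiate signing, 2 = Require signing
    $clientKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LDAP'

    $serverMap = @{ 1 = 'None'; 2 = 'Require signature' }
    $clientMap = @{ 0 = 'None'; 1 = 'Negotiate signing'; 2 = 'Require signing' }

    $serverRaw = (Get-ItemProperty -Path $serverKey -Name LDAPServerIntegrity `
                  -ErrorAction SilentlyContinue).LDAPServerIntegrity
    $clientRaw = (Get-ItemProperty -Path $clientKey -Name LDAPClientIntegrity `
                  -ErrorAction SilentlyContinue).LDAPClientIntegrity

    # Assumption: an absent client value means the policy was never configured, so the
    # documented default (Negotiate signing) applies.
    if ($null -eq $clientRaw) { $clientRaw = 1 }

    $isDc = ($null -ne $serverRaw)
    $serverText = if ($isDc) { $serverMap[[int]$serverRaw] } else { 'n/a (not a domain controller)' }

    $findings = @()
    if ($isDc -and [int]$serverRaw -eq 2 -and [int]$clientRaw -eq 0) {
        # The mismatch the book describes: the DC insists on signing, local callers do not offer it.
        $findings += 'Server requires signing but the local client policy is None; unsigned binds from this host will be rejected.'
    }
    if ($isDc -and [int]$serverRaw -eq 1) {
        $findings += 'DC accepts unsigned LDAP (None); consider Require signature once clients are confirmed to negotiate.'
    }
    if ([int]$clientRaw -lt 2) {
        $findings += 'Client policy is below Require; it will fall back to unsigned LDAP against a server set to None.'
    }
    if ($findings.Count -eq 0) { $findings += 'Signing is required on both sides.' }

    [pscustomobject]@{
        ServerSetting = $serverText
        ClientSetting = $clientMap[[int]$clientRaw]
        Findings      = $findings
    }
}

# Usage: run in an elevated session on the host being audited.
Get-LdapSigningPosture | Format-List
```

Run it on each domain controller and on a sample of member servers before raising the server setting to Require signature, so that any host still at None is found before its LDAP sessions start failing.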
To ensure security, programs that use LDAP should authenticate (to identify who is making the request), sign (to guarantee the integrity of the message, ensuring that it has not been changed during transport), and encrypt (to keep the contents confidential, including the user's ID and password) LDAP communications. Windows Server 2003 does so, as does Windows 2000 Service Pack 3 and above. LDAP communications used by Windows Server 2003 are authenticated, signed, and encrypted by default.

Applications developed for Windows Server 2003 should also meet these requirements. It is possible to do so in one of three ways. The programmer can require the use of Simple Authentication and Security Layer (SASL) or TLS. The SASL requirement does not require certificates, while TLS does. If TLS is required, certificates must already be available on the client and on the server.

These settings are incorporated by the programmer when writing applications, but the concept of securing traffic between client and server when manipulating Active Directory information is also relevant to administrators who write scripts. These scripts will more commonly use the Active Directory Service Interfaces (ADSI), but must also bind to the AD. ADSI is a set of COM interfaces used to interface with Active Directory, and security can be established by specifying either Kerberos or TLS. Like LDAP, use of ADSI with TLS requires computer certificates. When an Enterprise CA is installed, its CA certificate is set as the default certificate for SSL validation. Use the autoenrollment feature of Group Policy to enroll server and client computers.
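The following is an added example, not from the book, of what the authenticate/sign/encrypt requirement looks like in an administrator's script. It binds to Active Directory through ADSI (via the System.DirectoryServices wrapper in PowerShell) requesting Kerberos authentication plus signing and sealing, which needs no certificates, and places beside it the simple bind that sends the user ID and password in the clear. The flag names are the documented System.DirectoryServices.AuthenticationTypes values, which map onto the ADSI ADS_AUTHENTICATION_ENUM flags; the LDAP path and credentials are placeholders.

```powershell
# Added example (not from the book). Placeholders: the LDAP path and any credentials.
Add-Type -AssemblyName System.DirectoryServices

function New-SecureAdsiBind {
    param(
        [Parameter(Mandatory)] [string] $LdapPath,   # e.g. 'LDAP://dc01.example.test/DC=example,DC=test'
        [System.Management.Automation.PSCredential] $Credential   # omit to use the caller's logon token
    )
    # Secure  = authenticate through SSPI (Kerberos, falling back to NTLM) rather than a simple bind
    # Signing = integrity protection of every LDAP message
    # Sealing = encryption of every LDAP message; unlike SSL/TLS no certificates are needed
    $auth = [System.DirectoryServices.AuthenticationTypes]::Secure -bor
            [System.DirectoryServices.AuthenticationTypes]::Signing -bor
            [System.DirectoryServices.AuthenticationTypes]::Sealing

    if ($Credential) {
        $entry = New-Object -TypeName System.DirectoryServices.DirectoryEntry `
            -ArgumentList $LdapPath, $Credential.UserName, $Credential.GetNetworkCredential().Password, $auth
    } else {
        $entry = New-Object -TypeName System.DirectoryServices.DirectoryEntry `
            -ArgumentList $LdapPath, $null, $null, $auth
    }

    # Reading NativeObject forces the bind now, so a failure surfaces here rather than on first use.
    # A DC set to "Require signature" accepts this bind.
    $null = $entry.NativeObject
    return $entry
}

# Weak form, kept only for comparison: AuthenticationTypes.None is an LDAP simple bind.
# It cannot sign or seal, the password crosses the wire in clear text unless SSL/TLS is
# already in place, and a DC set to "Require signature" rejects it.
function New-SimpleAdsiBind {
    param([string] $LdapPath, [string] $User, [string] $Password)
    return New-Object -TypeName System.DirectoryServices.DirectoryEntry `
        -ArgumentList $LdapPath, $User, $Password, [System.DirectoryServices.AuthenticationTypes]::None
}

# Usage (placeholder path): bind with the current logon token, signed and sealed, then read a value.
$domain = New-SecureAdsiBind -LdapPath 'LDAP://DC=example,DC=test'
$domain.Properties['distinguishedName'].Value
```

If a script must use an explicit user name and password and cannot request Secure, the only acceptable alternative is to add AuthenticationTypes.SecureSocketsLayer so the simple bind travels inside TLS, which brings back the certificate requirement the book describes for ADSI over TLS.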