当前位置:网站首页>How to secure users in LDAP directory service?
How to secure users in LDAP directory service?
2022-08-10 21:33:00 【nington01】
The Lightweight Directory Access Protocol (LDAP) is one of the current mainstream authentication protocols. It was created by Tim Howes, Steve Kille and Wengyik Yeong of the University of Michigan in 1993 and has been approved by the Internet Engineering Task Force (IETF).Standardization, the distribution of directory information over the network, plays the role of an identity source (IdP).
The importance of LDAP in modern networks is that the protocol participates in sharing all information about users, devices, networks, and applications in an enterprise, and is responsible for controlling access authorization to IT resources.Now let's take a closer look at best practices for securing LDAP directory service users.
I. Implementation of LDAP
When employees need to access an LDAP database or use an IT resource that requires LDAP authentication, they typically enter a username and password and wait for authorization from the directory server.After the server receives the user's login information, it matches the credentials stored in the LDAP database and grants access after matching.
One of the most commonly used traditional commercial LDAP implementations (also known as directory services) today is Microsoft's Active Directory (AD).Many enterprises use AD to manage user information and authenticate user access, and the preferred authentication protocol for AD is Kerberos.In addition, there are many directory services that support the LDAP protocol, including the open source Red Hat Directory Service, OpenLDAP, Apache Directory Server, NDS (Nington Directory Service, Ningdun Directory Service) and so on.
There is also a new form of LDAP service, cloud LDAP (Directory as a Service, DaaS).
Second,User Security in LDAP
The credentials stored in directory services such as AD and OpenLDAP are the keys to enter the enterprise database. This is already an open secret, so the data security of directory services is self-evident.Once a hacker has compromised one of the user accounts, businesses need to race against time to prevent the hacker from accessing critical data.In order to prevent it from using the credentials in LDAP to obtain access rights, it is necessary to take precautions and first strengthen the account security of the LDAP directory service.The following are best practices for securing LDAP users:
1. Set Password Policy
A correct password policy is the first step in securing LDAP.Since LDAP is an authentication system, it must be well configured to require strong passwords from all users, including administrators.
A secure LDAP service should require users to set passwords that are complex and difficult to crack, that is, long passwords that contain as many characters as possible.Most LDAP services can set password conditions used within the system.
Some companies also require users to rotate their passwords every few months, which can cause confusion for employees, and frequent password changes cause users to only set similar passwords for ease of memory.
However, no matter what the company's security specifications are, using a strong password is still very important in preventing password leakage, so it is recommended that the longer the password, the better.(More on how to avoid dissatisfaction with frequent password changes.)
2. Protect password storage
Once an appropriate password policy has been determined, IT must also implement controls on the server to manage password storage.It is strongly recommended to use a hash encryption algorithm to protect the stored passwords, and then use a salted hash algorithm to further increase the difficulty of cracking the database.It is important to note that passwords must never be stored in a plain text environment.Also in transit, the password must be tunneled over SSL or TLS.
3. Protecting Against LDAP Phishing and Spoofing
LDAP spoofing attacks are generally implemented in two ways: the first is similar to phishing URL links, which induce users to enter real AD domain account numbers and passwords by counterfeiting real URLs; the other is to induce users to install malicious browser plug-ins, and then redirects to a fake address, also tricking the user into obtaining AD login information.This allows hackers to steal sensitive corporate data.
Avoiding this type of LDAP spoofing attack requires strong malware control tools and long-term security training for users.Another efficient method is to use multi-factor authentication (MFA). Users only need to spend a few more seconds to enter a one-time dynamic password (TOTP) as an auxiliary credential. Even if the AD account or LDAP account information is leaked, hackers cannot obtain the auxiliary credential.It doesn't help either, which would prevent a lot of potential attacks.
In addition, the MFA solution of the LDAP service has another advantage, that is, enterprises do not need to require users to change passwords regularly. Dynamic passwords are a sufficiently secure means of protecting LDAP accounts, which avoids employee dissatisfaction caused by the security specification of regularly changing passwords..To get users accustomed to multi-factor authentication, administrators can set a dynamic password delay period to force employees to enable multi-factor authentication after users are trained and informed.At the same time, you can also set the duration/number of trusted terminals so as not to interfere with users or affect work efficiency.
Three, cloud-based LDAP directory scheme
The appearance of the cloud LDAP service mentioned above is a reflection of the cloud computing trend.The cloud-based LDAP solution enables enterprises to quickly provision and enable LDAP services with less up-front investment and very little IT staff investment.In addition, the pre-configured mode of the LDAP cloud service realizes lightweight operation and maintenance, and can be flexibly expanded according to business growth needs.
For the LDAP user security best practices mentioned in the previous section, the LDAP cloud service solution can meet the requirements.
NingDS Identity Directory Cloud is an LDAP cloud service that implements unified security management of various IT resources such as applications, local devices, VPNs, NAS, etc. through LDAP authentication. It can be used out of the box without local deployment.All data supports SSL encryption during transmission, and the LDAP password stored in the NingDS service is also encrypted, effectively ensuring the security of credentials.
In addition, NingDS also has built-in cloud MFA capabilities, LDAP services and MFA services are naturally integrated, and MFA can be applied to LDAP authentication scenarios without any barriers and seamlessly.
边栏推荐
猜你喜欢
社区分享|货拉拉通过JumpServer纳管大规模云上资产
阿里巴巴、蚂蚁集团推出分布式数据库 OceanBase 4.0,单机部署性能超 MySQL
LeetCode-498 - Diagonal Traversal
美创科技勒索病毒“零信任”防护和数据安全治理体系的探索实践
TCL:事务的特点,语法,测试例——《mysql 从入门到内卷再到入土》
Huawei router clock near the drainage experiment (using stream strategy)
C. Even Picture
日期选择器组件(限制年份 设定仅展示的月份)
管理员必须知道的RADIUS认证服务器的部署成本
Future-oriented IT infrastructure management architecture - Unified IaaS
随机推荐
ENVI感兴趣区ROI文件由XML格式转为ROI格式
微擎盲盒交友变现-vp_ph打开慢优化
阿里巴巴、蚂蚁集团推出分布式数据库 OceanBase 4.0,单机部署性能超 MySQL
Live Classroom System 08 Supplement - Tencent Cloud Object Storage and Course Classification Management
【实用软件】【VSCode】使用技巧大全(持续更新)
黑猫带你学Makefile第12篇:常见Makefile问题汇总
如何提高代码的可读性 学习笔记
B. Codeforces Subsequences
优化是一种习惯●出发点是'站在靠近临界'的地方
DDL:CREATE 创建数据库——《mysql 从入门到内卷再到入土》
2021DASCTF实战精英夏令营暨DASCTF July X CBCTF 4th
图数据库(Neo4j)入门
2022.8.9 模拟赛
基于Pix4Dmapper的空间三维模型重建应用——空间分析选址
化学制品制造业数智化供应链管理系统:建立端到端供应链采购一体化平台
HGAME 2022 Week2 writeup by pankas
JVM经典五十问,这下面试稳了
Rider调试ASP.NET Core时报thread not gc-safe的解决方法
2021DozerCTF
数字化转型:如何引导创新领导者