What is it?

Lightweight Directory Access Protocol (LDAP) allows remote users to look up directory data. An LDAP directory usually contains information about users, but may also contain data about printers, servers, conference rooms, other equipment, etc. LDAP is the protocol used to access the proprietary Microsoft Active Directory.

Although LDAP is not Active Directory specific, most exposed LDAP servers are, in fact, Active Directory servers. This is especially true of Connectionless LDAP (CLDAP) servers.

LDAP was invented in 1993, so it has been used (and abused) in a great variety of ways. In general terms, a user or application sends a query to an LDAP-compatible server and receives a report back. LDAP uses port 389.

Why is it a risk?

LDAP has recently gained notoriety for its use in rather sophisticated cyber attacks; the following definitions are necessary in order to understand the risks.

A Denial of Service attack (DoS) is when an attacker attempts to overwhelm a victim’s server.

A Distributed Denial of Service (DDoS) attack is when the attacker uses many unwitting accomplice computers to attack their victim. By orchestrating the actions of many computers, it is easier for the attacker to overwhelm their victim.

A Reflective Distributed Denial of Service attack (RDDoS) is when an attacker orchestrates the legitimate services of many unwitting accomplices to overwhelm their victim. Here, the attacker fakes their identity as the victim (spoofing the victim's address) and sends legitimate report requests to the accomplices, thereby overwhelming the victim's computer with the responses. It is difficult to determine the actual source of an RDDoS attack.

If the attacker can send a small command to the accomplices resulting in a large amount of traffic being sent to the victim, this is called "amplification." Amplification is valuable to the attacker because they need fewer accomplices to overwhelm the victim. LDAP can be abused by attackers in this way because there are many (small) LDAP commands that generate large reports.
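The amplification signature described above is easy to spot from the reflector's side: a remote address that sends a few small UDP/389 requests and receives far more bytes back than it sent. The following is an added example (not code from the original article) that computes that per-peer byte ratio over constructed flow records and flags untrusted peers above a threshold; the server address, peer addresses, byte counts and the trusted networks are all assumptions made up for the example.

```python
"""Flag probable LDAP/CLDAP reflection traffic in flow records (added example).

A reflector (our LDAP server) receives a small UDP/389 request whose source
address has been forged to be the victim's, and answers with a much larger
response.  Per remote peer, comparing bytes we sent with bytes we received
exposes that pattern: a high out/in ratio toward an address we never expect
to serve is the amplification signature.
"""
from collections import defaultdict
from dataclasses import dataclass
import ipaddress

LDAP_PORT = 389


@dataclass(frozen=True)
class Flow:
    proto: str   # "udp" or "tcp"
    src: str
    sport: int
    dst: str
    dport: int
    nbytes: int  # payload bytes carried by this flow record


# Constructed sample data (assumption): our LDAP server is 192.0.2.10,
# 203.0.113.5 plays the spoofed victim, 10.0.0.25 is an internal client and
# 198.51.100.7 is an external peer with an ordinary request/response ratio.
SERVER = "192.0.2.10"
TRUSTED_NETWORKS = ["10.0.0.0/8", "192.0.2.0/24"]
SAMPLE_FLOWS = [
    # three tiny requests "from" the victim, three large responses back to it
    Flow("udp", "203.0.113.5", 40001, SERVER, 389, 52),
    Flow("udp", SERVER, 389, "203.0.113.5", 40001, 3200),
    Flow("udp", "203.0.113.5", 40002, SERVER, 389, 52),
    Flow("udp", SERVER, 389, "203.0.113.5", 40002, 3200),
    Flow("udp", "203.0.113.5", 40003, SERVER, 389, 52),
    Flow("udp", SERVER, 389, "203.0.113.5", 40003, 3200),
    # internal client asking the same question: same ratio, but trusted
    Flow("udp", "10.0.0.25", 50010, SERVER, 389, 52),
    Flow("udp", SERVER, 389, "10.0.0.25", 50010, 3200),
    # external peer with a modest response: not amplification
    Flow("udp", "198.51.100.7", 51000, SERVER, 389, 120),
    Flow("udp", SERVER, 389, "198.51.100.7", 51000, 400),
    # TCP LDAP is ignored here; reflection relies on spoofable UDP
    Flow("tcp", "198.51.100.7", 52000, SERVER, 389, 900),
]


def ldap_peer_stats(flows, server):
    """Aggregate UDP/389 traffic per remote peer: bytes in, bytes out, request count."""
    stats = defaultdict(lambda: {"in": 0, "out": 0, "requests": 0})
    for f in flows:
        if f.proto != "udp":
            continue
        if f.dst == server and f.dport == LDAP_PORT:
            stats[f.src]["in"] += f.nbytes
            stats[f.src]["requests"] += 1
        elif f.src == server and f.sport == LDAP_PORT:
            stats[f.dst]["out"] += f.nbytes
    return dict(stats)


def find_reflection_candidates(flows, server, trusted_networks, min_ratio=10.0):
    """Return {peer: amplification ratio} for untrusted peers whose
    bytes-out / bytes-in ratio on UDP/389 is at least min_ratio."""
    nets = [ipaddress.ip_network(n) for n in trusted_networks]
    flagged = {}
    for peer, s in ldap_peer_stats(flows, server).items():
        if any(ipaddress.ip_address(peer) in n for n in nets):
            continue
        if s["out"] == 0:
            continue
        # responses with no request seen at all are the strongest signal
        ratio = s["out"] / s["in"] if s["in"] else float("inf")
        if ratio >= min_ratio:
            flagged[peer] = ratio
    return flagged


if __name__ == "__main__":
    for peer, ratio in find_reflection_candidates(SAMPLE_FLOWS, SERVER, TRUSTED_NETWORKS).items():
        print(f"possible reflection toward {peer}: amplification x{ratio:.1f}")
```

The threshold of 10 is a starting point, not a constant of nature; tune it against a baseline of your own legitimate UDP/389 traffic, and treat peers that receive responses with no matching request as the highest-priority findings.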

How can you mitigate the risk?

The best approach is to not allow LDAP across the Internet, using firewall rules to either disallow all traffic on port 389 or limit access to specific IP addresses or MAC addresses. This is not always possible because essential remote services may rely on LDAP (or Active Directory).
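A firewall change for LDAP is worth testing rather than assuming: the reflection attacks above ride on connectionless LDAP, which is UDP, so a rule set that closes 389/tcp and forgets 389/udp leaves the amplification vector open. The following added example (not the article's own code) simulates a first-match rule list against a handful of probe packets and reports any LDAP-port probe from outside an allowlist that would get through; the rule sets, the partner network and the probe addresses are assumptions constructed for the example.

```python
"""Check that a first-match firewall policy really keeps LDAP off the Internet
(added example).  Compares a weak rule set, which only closes 389/tcp, with a
hardened one that restricts both transports of 389 and LDAPS on 636 to an
allowlist and ends in a default deny."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str           # "allow" or "deny"
    proto: str            # "tcp", "udp" or "any"
    dport: Optional[int]  # None matches any destination port
    source: str           # source network in CIDR notation


@dataclass(frozen=True)
class Probe:
    proto: str
    dport: int
    src: str


def evaluate(rules, probe, default="deny"):
    """First matching rule wins; fall back to the default action."""
    src = ipaddress.ip_address(probe.src)
    for r in rules:
        if r.proto not in ("any", probe.proto):
            continue
        if r.dport is not None and r.dport != probe.dport:
            continue
        if src not in ipaddress.ip_network(r.source):
            continue
        return r.action
    return default


# Constructed "before": 389/tcp is closed, but 389/udp (CLDAP) and 636 are
# still reachable because the list ends in a permissive catch-all.
WEAK_RULES = [
    Rule("allow", "tcp", 389, "198.51.100.0/24"),  # assumed partner network
    Rule("deny", "tcp", 389, "0.0.0.0/0"),
    Rule("allow", "any", None, "0.0.0.0/0"),
]

# Constructed "after": both transports of 389 and LDAPS on 636 are limited to
# the allowlist, and everything else is denied.
HARDENED_RULES = [
    Rule("allow", "tcp", 389, "198.51.100.0/24"),
    Rule("allow", "udp", 389, "198.51.100.0/24"),
    Rule("allow", "tcp", 636, "198.51.100.0/24"),
    Rule("deny", "any", None, "0.0.0.0/0"),
]

# Constructed probes: an arbitrary Internet host and an allowlisted partner host.
LDAP_PROBES = [
    Probe("tcp", 389, "203.0.113.9"),
    Probe("udp", 389, "203.0.113.9"),
    Probe("tcp", 636, "203.0.113.9"),
    Probe("tcp", 389, "198.51.100.20"),
    Probe("udp", 389, "198.51.100.20"),
]


def exposed_ldap(rules, probes=LDAP_PROBES, allowlist=("198.51.100.0/24",)):
    """Return the probes that reach an LDAP port from outside the allowlist."""
    nets = [ipaddress.ip_network(n) for n in allowlist]
    leaks = []
    for p in probes:
        trusted = any(ipaddress.ip_address(p.src) in n for n in nets)
        if not trusted and evaluate(rules, p) == "allow":
            leaks.append(p)
    return leaks


if __name__ == "__main__":
    for name, rules in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        leaks = exposed_ldap(rules)
        print(f"{name}: {len(leaks)} exposed probe(s)")
        for p in leaks:
            print(f"  {p.proto}/{p.dport} from {p.src} is allowed")
```

The same probe list can be pointed at a real perimeter with any port scanner run from an address outside the allowlist; whatever tool you use, check UDP 389 explicitly, since many default scans cover TCP only.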

Disable Simple LDAP Bind and unsigned Simple Authentication and Security Layer (SASL) LDAP bind in the configuration; both are insecure. Signed SASL LDAP bind requires authentication and is secure.

Use "Secure LDAP" (LDAPS), which requires authentication and authorization to limit access. Secure LDAP runs on port 636. The Devolutions article "How to Configure Secure LDAP (LDAPS) in Active Directory with Let's Encrypt" linked below provides useful instructions.

The sourceDaddy link below explains, in some detail, the various options for securing LDAP.

Keeping your Microsoft Windows server operating system up to date or patched is a good practice. If you have a current Microsoft service account, then you can update to the latest version. If not, then you can still apply patches that address specific vulnerabilities; see the link below.

Resources:

sourceDaddy – Securing LDAP
https://sourcedaddy.com/networking/securing-ldap.html

ldapwiki – Best Practices for LDAP Security
https://ldapwiki.com/wiki/Best%20Practices%20for%20LDAP%20Security

Devolutions – “How to Configure Secure LDAP (LDAPS) in Active Directory with Let’s Encrypt”
https://blog.devolutions.net/2021/03/how-to-configure-secure-ldap-ldaps-in-active-directory-with-lets-encrypt

Microsoft Updates (requires Internet Explorer)
https://update.microsoft.com