S 5.147 Protection of communications with directory services
Initiation responsibility: IT Security Officer, Head of IT
Implementation responsibility: Head of IT, Administrator
Data is exchanged between a client and the directory service server over a network connection. Depending on the directory service system and the network architecture, the packets containing the contents of the directory, and under certain circumstances even the packets containing authentication information, are transmitted without any protection.
Depending on the operating system installed, different network protocols can be used here. A directory service is generally accessed using the standardised LDAP protocol, but other proprietary protocols may also be used for this purpose. In this case, LDAP transports data only over IP networks.
It is possible to authenticate users with methods that do not transport any authentication data directly over the network. In general, however, the communication between a client and a server is not encrypted. It is also the responsibility of the client used to ensure that the communication is encrypted.
If a directory service server is to be accessed from outside, then a correspondingly secure communication connection must be implemented between the client and the server. This connection must adequately protect the confidentiality of the transmitted data. This can be achieved through the use of a virtual private network (VPN), for example.
Administrators are often able to access the directory service system remotely. Examples of remote access include access by terminal services or using web-based services in which the administrator accesses the data of the system through a browser.
Since the data that can be read via remote access offers detailed insights into the structure and configuration of a directory service installation, it is also necessary to protect such indirect access to the directory service. Protocols that do not provide adequate security features should only be used, if at all, in secure networks. If it is possible to access the directory service via HTTP, then all users must be required to authenticate themselves, and anonymous access via HTTP should be prohibited. The transmission of the authentication data should also be protected using TLS/SSL (see S 4.310 Setting up LDAP access to directory services).
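As an added illustration of the point above (this is not part of the safeguard text or any product's own code), the following Python check decodes an LDAP BindRequest (RFC 4511, BER-encoded) and flags a simple bind whose password would cross an unencrypted connection; the sample PDU, DN and password are constructed for the example.

```python
# Flag LDAP simple binds that would carry a password in the clear.
# Minimal BER decoding of the LDAPMessage / BindRequest PDU only.

def _tlv(tag: int, payload: bytes) -> bytes:
    """Encode one BER TLV; short-form length only (payload < 128 bytes)."""
    assert len(payload) < 128, "short-form length only in this example"
    return bytes([tag, len(payload)]) + payload

def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the TLV at buf[pos]; definite lengths only."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def build_simple_bind(msg_id: int, dn: str, password: str) -> bytes:
    """Constructed LDAPMessage { messageID, BindRequest { version 3, dn, simple } }.
    Assumes msg_id < 128 so that it fits one INTEGER content byte."""
    bind = (_tlv(0x02, bytes([3]))           # version
            + _tlv(0x04, dn.encode())        # name (bind DN)
            + _tlv(0x80, password.encode())) # authentication: simple [0]
    return _tlv(0x30, _tlv(0x02, bytes([msg_id])) + _tlv(0x60, bind))

def inspect_bind(pdu: bytes, tls: bool) -> dict:
    """Classify a bind; 'cleartext_password' is True when a non-empty simple
    password would cross a connection that is not protected by TLS."""
    tag, body, _ = _read_tlv(pdu, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    _, _, pos = _read_tlv(body, 0)          # messageID
    op_tag, op, _ = _read_tlv(body, pos)    # protocolOp
    if op_tag != 0x60:                      # [APPLICATION 0] = BindRequest
        return {"bind": False}
    _, _, pos = _read_tlv(op, 0)            # version
    _, dn, pos = _read_tlv(op, pos)         # name
    auth_tag, auth, _ = _read_tlv(op, pos)  # authentication CHOICE
    method = {0x80: "simple", 0xA3: "sasl"}.get(auth_tag, "unknown")
    return {
        "bind": True,
        "dn": dn.decode(),
        "method": method,
        "anonymous": method == "simple" and len(auth) == 0,
        "cleartext_password": method == "simple" and len(auth) > 0 and not tls,
    }
```

Run over messages seen on a plain ldap:// connection (no TLS or StartTLS), a `cleartext_password` hit is exactly the exposure the safeguard describes; the same bind over TLS is not flagged.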
Review questions:
- Is access to the data of the directory service over external connections adequately protected?
- Has it been defined which system data is allowed to be accessed by which networks and with which tools?