Security Basics mailing list archives
re: Microsoft Active Directory security concerns
From: "T Dog" <tdogblues () gmail com>
Date: Tue, 13 Jun 2006 13:27:36 -0500
Dave,
I'm not an expert on Microsoft AD either, but we recently went through
a similar project. Here are some of the things we found along the way.
1) We used Secure LDAP to connect from our "portal" back to the AD
(TCP port 636)
2) The developers used a call within C# similar to this:
DirectoryEntry entry = new DirectoryEntry( path, domainAndUsername, pwd,
AuthenticationTypes.SecureSocketsLayer);
If you don't have control over the authentication methods within the
product, then you might be limited to simple LDAP.
My 2 cents on the strategy of using AD for external clients is this.
Exposing your AD to the web to brute force attacks should require
careful planning. The access for external clients is probably the
first of many single sign-on projects, and the next request may be
external access for internal employees. I have found that once a
company starts down this path, they try to assimilate every
application like the Borg. I'm assuming that your AD has well-defined
password and lockout policies, but you might want to check whether the
portal can "restrict" the users from trying to login to other OUs.
Other alternatives include setting up a separate domain for the portal
which we have done in the past. The PROs include separation of user
management, but the negatives include additional headaches on user
management along with the same maintenance. For example, users never
know what they need, and they'll always send a vague e-mail stating
that they need a password reset. This e-mail will intrigue the
helpdesk as they try to figure out who the user is.
I'm sure other members of the group who are wiser and more savvy in
the ways of AD will have more to offer, but this was our experience. I
hope this helps.
Thanks,
Rob
All,
I have spent most of my time in network security and IDS/IPS technology so
I'm fairly new to security pertaining to MS Active Directory. We are
being asked to evaluate web portal authentication/authorization for users,
most of whom are not employees of our company. Our NT group wants to add
/ maintain users in an "external OU", in an existing domain, under our
existing AD forest. I think this is a bad idea but I am not versed enough
in AD to argue the point. Are there glaring issues with this strategy? My
concern is that if someone were to gain access to AD they might not only
affect external applications but internal production as well.
Are "external OU's" that secure? Are there more secure authentication
schemes?
Any thoughts would be greatly appreciated.
>Dave
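The two points Rob makes above (bind over LDAPS on 636 with DirectoryEntry, and have the portal refuse accounts that live outside the external OU) can be put together in one routine. The following is an added example written for this archive page, not code from Rob's project or the thread; the host name dc01.example.com, the OU name "External" and the domain example.com are placeholders. The OU check works because a domain-wide bind succeeds for any valid account, so the portal must additionally search for the account below the external OU and reject it when nothing is found.

```csharp
using System;
using System.DirectoryServices;
using System.Runtime.InteropServices;
using System.Text;

// Added example, not from the thread. Host, OU and domain are placeholders.
public static class ExternalOuAuthenticator
{
    const string DomainController = "dc01.example.com";             // placeholder
    const string ExternalOuDn     = "OU=External,DC=example,DC=com"; // placeholder

    // Binds over LDAPS (TCP 636) with the user's own credentials, then checks
    // that the account actually lives under the external OU. Accounts from
    // other OUs bind fine domain-wide but are refused by the search below.
    public static bool Authenticate(string domainAndUsername, string pwd, string samAccountName)
    {
        string path = "LDAP://" + DomainController + ":636/" + ExternalOuDn;
        try
        {
            using (var entry = new DirectoryEntry(path, domainAndUsername, pwd,
                                                  AuthenticationTypes.SecureSocketsLayer))
            {
                // Reading NativeObject forces the bind; bad credentials throw here.
                object forceBind = entry.NativeObject;

                using (var searcher = new DirectorySearcher(entry))
                {
                    // Rooted at the external OU, so only accounts beneath it can match.
                    searcher.SearchScope = SearchScope.Subtree;
                    searcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName="
                                      + EscapeFilterValue(samAccountName) + "))";
                    searcher.PropertiesToLoad.Add("distinguishedName");
                    SearchResult result = searcher.FindOne();
                    return result != null;
                }
            }
        }
        catch (COMException)
        {
            // Invalid credentials, unreachable DC or a TLS failure all end here:
            // treat every case as "not authenticated" rather than leaking which one.
            return false;
        }
    }

    // RFC 4515 escaping so a user name typed into the portal cannot
    // smuggle filter syntax (e.g. "*" or ")") into the LDAP query.
    public static string EscapeFilterValue(string value)
    {
        var sb = new StringBuilder(value.Length);
        foreach (char c in value)
        {
            switch (c)
            {
                case '\\': sb.Append("\\5c"); break;
                case '*':  sb.Append("\\2a"); break;
                case '(':  sb.Append("\\28"); break;
                case ')':  sb.Append("\\29"); break;
                case '\0': sb.Append("\\00"); break;
                default:   sb.Append(c);      break;
            }
        }
        return sb.ToString();
    }
}
```

Two things to watch when deploying something like this: the portal host must trust the certificate the domain controller presents on 636, or the SecureSocketsLayer bind fails (and this code reports it as a plain authentication failure), and the lockout policy Rob mentions still applies to every bind attempt, so failed logins from the portal count against the account exactly as they would from the LAN.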
Current thread:
- Microsoft Active Directory security concerns DHegenbarth (Jun 13)
- Re: Microsoft Active Directory security concerns Saqib Ali (Jun 13)
- RE: Microsoft Active Directory security concerns Jason Dinsdale (Jun 27)
- <Possible follow-ups>
- re: Microsoft Active Directory security concerns T Dog (Jun 13)
- RE: Microsoft Active Directory security concerns Robertson, Seth (JSC-IM) (Jun 13)
- RE: Microsoft Active Directory security concerns Ramsdell, Scott (Jun 13)
- RE: Microsoft Active Directory security concerns Depp, Dennis M. (Jun 14)
- Re: re: Microsoft Active Directory security concerns adam . dawson (Jun 14)
- Re: Microsoft Active Directory security concerns simonis (Jun 15)
