Directory Direct

Verisign Masters of Internet Infrastructure


Just as the Domain Name System (DNS) is a critical piece of infrastructure that IT rarely considers in either security planning or day-to-day security operations, so too is “the” enterprise directory.

One can’t deny or minimize the utility of a single source that systems can be pointed at to establish who is trying to use them. However, putting that much power in one system makes that system the target of hostile attention, whether from inside or from outside the organization.

Minimally, IT needs to ensure that all communications with the directory use transport-level security such as SSL. However, that by no means guarantees that the system is safe. There are many other configuration details IT has to get right in order to mitigate the risks of information leakage through the directory and compromise of the directory itself.

One of the most interesting risks, and one of the most difficult to grapple with, is LDAP injection. It is an attack aimed at the application layer, exploiting well-formed LDAP requests to get more information out of the system than application designers intended. As with SQL injection, it relies on applications requesting information (like a username or password) that will be passed on to the LDAP system; the attack simply adds extra commands to the input data. If the data is not scrubbed before being passed along to the directory—if the application simply pushes it through intact, as many applications do—then the attacker can get at the directory with the credentials of the application’s server. Attackers can get at data they are not authorized for themselves, adjust permissions on the directory itself, or modify data stored within.
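The scrubbing step described above, sketched in Python as an added example (not code from the original article): input is escaped per RFC 4515 before it is placed in a search filter, and the unescaped construction is shown beside it. The filter template, the `uid` attribute and the sample inputs are assumptions constructed for illustration.

```python
# Added example: escaping user input before it reaches an LDAP search filter.
# Escaping rules follow RFC 4515; the filter template and attribute are assumed.

_ESCAPES = {
    "\\": r"\5c",   # escape character itself
    "*": r"\2a",    # wildcard
    "(": r"\28",    # opens a filter component
    ")": r"\29",    # closes a filter component
    "\x00": r"\00", # NUL
}

def escape_filter_value(value: str) -> str:
    """Replace every character that has meaning inside an LDAP filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def unsafe_filter(username: str) -> str:
    # Vulnerable pattern: input is pushed through to the directory intact.
    return "(&(objectClass=person)(uid=" + username + "))"

def safe_filter(username: str) -> str:
    # Hardened pattern: input can only ever be a literal attribute value.
    return "(&(objectClass=person)(uid=" + escape_filter_value(username) + "))"

def count_filter_items(filter_text: str) -> int:
    """Count literal '(' characters; the template alone contains three."""
    return filter_text.count("(")

if __name__ == "__main__":
    # Constructed sample inputs: a normal name, a bare wildcard, and a value
    # carrying filter metacharacters.
    for name in ("jsmith", "*", "jsmith)(cn=*"):
        bad, good = unsafe_filter(name), safe_filter(name)
        print(f"input   : {name!r}")
        print(f"  unsafe: {bad}  components={count_filter_items(bad)}")
        print(f"  safe  : {good}  components={count_filter_items(good)}")
```

With escaping in place the filter always has the three components the application designer wrote, whatever the input. Directory client libraries ship an equivalent helper (for example `ldap.filter.escape_filter_chars` in python-ldap), which is preferable to a hand-rolled table in production code.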

Bottom line: application-level attacks are not just for enterprise applications like CRM; they can also strike at the basic infrastructure supporting network services. Incorporate LDAP into your security planning, not just as a tool, but also as a target.


Copyright © 2011 IDG Communications, Inc.