Tech Tidbit – Your world must be a commercial SSL world

October 19th, 2023

Add the last "S" for security.

I remember the old mattress commercials: you left off the last "S" of the phone number for savings. In our world, we always need to make sure we keep the last "S" for security.

In our world, every internet-facing service simply must use a certificate issued by a publicly trusted commercial CA, what most of us still call a commercial SSL certificate even though the protocol underneath is TLS (e.g. VPN, secure remote access, web pages, LDAP, etc.). A self-signed certificate or plain HTTP does not count.

Web browsers now label plain-HTTP pages "Not secure" in the address bar and put a full-page warning in front of sites whose certificate is self-signed, expired or issued for the wrong name. You don't need the grief of people questioning your district's security. If you haven't done it already, make sure every one of those services has a real commercial certificate that matches its hostname and gets renewed before it expires.

Remember too that we are now shying away from wildcard certificates toward explicit, per-host certificates. A wildcard means one private key is installed on every host that uses it, and there is a theoretical man-in-the-middle scenario in which an attacker who gets that key from one host can impersonate all of them. That risk is small, but it isn't worth carrying. It does mean your certificate budget may need to go up, and generating a CSR and installing a discrete certificate for each host takes longer. Plan accordingly.
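As an added example (not code from the original post), here is a PowerShell check for the points above: it pulls the certificate a service presents and reports whether it chains to a trusted root, is self-signed, is expired or close to it, matches the hostname, and uses a wildcard. It assumes Windows PowerShell 5.1 on .NET Framework 4.7.2 or later, or PowerShell 7; every host name in it is a placeholder, and the sample certificate is constructed in memory so the script runs without touching a real server.

```powershell
# Added example (not from the original post): check the certificate each internet-facing
# service presents for the problems described above. Assumes Windows PowerShell 5.1 on
# .NET Framework 4.7.2+ or PowerShell 7; all host names are placeholders.
using namespace System.Security.Cryptography
using namespace System.Security.Cryptography.X509Certificates

# Fetch the leaf certificate a TLS server presents. The validation callback returns $true only
# so a bad certificate can be pulled down for inspection; nothing is trusted on that basis.
function Get-RemoteCertificate {
    param([Parameter(Mandatory)][string]$HostName, [int]$Port = 443)
    $client = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
    try {
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, { $true })
        $ssl.AuthenticateAsClient($HostName)
        return [X509Certificate2]::new($ssl.RemoteCertificate)
    } finally { $client.Dispose() }
}

# DNS names from the Subject Alternative Name extension (OID 2.5.29.17). Format() renders them
# as "DNS Name=host" on Windows and "DNS:host" on PowerShell 7 for Linux; both are matched.
function Get-SanDnsNames {
    param([Parameter(Mandatory)][X509Certificate2]$Cert)
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $ext) { return @() }
    [regex]::Matches($ext.Format($false), 'DNS(?: Name=|:)\s*([^,\s]+)') |
        ForEach-Object { $_.Groups[1].Value }
}

# Apply the post's checks: chain to a trusted (commercial) root, not self-signed, not expired
# or about to, name matches the host, and no wildcard SAN.
function Test-ServerCertificate {
    param([Parameter(Mandatory)][X509Certificate2]$Cert, [string]$ExpectedHost, [int]$WarnDays = 30)
    $findings = [System.Collections.Generic.List[string]]::new()
    $chain = [X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = [X509RevocationMode]::NoCheck   # keeps the demo offline
    if (-not $chain.Build($Cert)) {
        $findings.Add('untrusted chain: ' + (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '))
    }
    if ($Cert.Subject -eq $Cert.Issuer) { $findings.Add('self-signed, not from a commercial CA') }
    $daysLeft = [int][math]::Floor(($Cert.NotAfter - (Get-Date)).TotalDays)
    if ($daysLeft -lt 0) { $findings.Add("expired $(-$daysLeft) days ago") }
    elseif ($daysLeft -lt $WarnDays) { $findings.Add("expires in $daysLeft days") }
    $names = @(Get-SanDnsNames -Cert $Cert)
    $wild = @($names | Where-Object { $_.StartsWith('*.') })
    if ($wild.Count -gt 0) { $findings.Add('wildcard SAN: ' + ($wild -join ', ')) }
    if ($ExpectedHost) {
        # Exact SAN match, or a wildcard covering exactly one label (vpn.example.edu vs *.example.edu).
        $match = $names | Where-Object {
            $_ -eq $ExpectedHost -or
            ($_.StartsWith('*.') -and $ExpectedHost -like ('*' + $_.Substring(1)) -and
             $ExpectedHost.Split('.').Count -eq $_.Split('.').Count)
        }
        if (-not $match) { $findings.Add("name mismatch: wanted $ExpectedHost, SAN has: $($names -join ', ')") }
    }
    [pscustomobject]@{
        Subject  = $Cert.Subject
        Issuer   = $Cert.Issuer
        NotAfter = $Cert.NotAfter
        SanNames = $names
        Findings = $findings.ToArray()
        Passes   = ($findings.Count -eq 0)
    }
}

# Constructed sample input: a self-signed wildcard certificate built in memory, standing in for
# the kind of certificate the post says to replace. No real host is contacted.
$rsa = [RSA]::Create(2048)
$req = [CertificateRequest]::new('CN=*.example.edu', $rsa, [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)
$san = [SubjectAlternativeNameBuilder]::new()
$san.AddDnsName('*.example.edu')
$req.CertificateExtensions.Add($san.Build())
$sample = $req.CreateSelfSigned([DateTimeOffset]::Now.AddDays(-1), [DateTimeOffset]::Now.AddDays(20))
Test-ServerCertificate -Cert $sample -ExpectedHost 'vpn.example.edu' | Format-List

# Live use against your own names (placeholders):
# 'vpn.example.edu', 'portal.example.edu' |
#     ForEach-Object { Test-ServerCertificate -Cert (Get-RemoteCertificate -HostName $_) -ExpectedHost $_ }
```

Run it against your list of internet-facing names on a schedule; anything that comes back with `Passes` false is a service that will draw a browser warning or, for the wildcard finding, is sharing a private key it should not.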

One thing I have noticed inside many networks, though, is that tools like ADAudit Plus, which we use for Active Directory auditing and reporting (and something every one of you should have as well), often report that internal LDAP authentication is crossing your network in cleartext! That is in fact the default: an application doing a simple bind to a domain controller over plain LDAP (port 389) sends the account name and password unencrypted unless someone configured LDAPS or StartTLS. To Microsoft's credit, they have been trying to push all of you into eliminating non-secure communications inside your network. That includes unsigned LDAP, unsigned SMB, and other historically insecure, legacy ways Windows devices have talked to each other (LDAPS is the secure replacement, not one of the problems). The LDAP signing and channel-binding hardening Microsoft announced in 2019 (ADV190023) has been a very bumpy transition: Microsoft stepped back from enforcing it by default and then re-approached the higher standard, leaving it to all of us to turn it on and get to a better place.

Fixing internal LDAP cleartext is not hard to do: turn on the domain controllers' LDAP interface event logging, use the resulting events to find every application still binding in the clear, repoint those at LDAPS (port 636) or StartTLS, then require LDAP signing on the domain controllers so nothing slides back. If you have never looked at this inside your network, assume it is happening in yours.
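The procedure above, as an added PowerShell example that is not part of the original post and not part of ADAudit Plus: it raises the NTDS "LDAP Interface Events" diagnostic level so each domain controller logs event 2889 for every unsigned or cleartext bind, parses those events into client address, account and binding type, summarizes who is still doing it, and finally sets `LDAPServerIntegrity` to require signing. It assumes domain-admin rights and remoting to the DCs; the DC names and the sample 2889 messages are constructed placeholders so the parsing and summary run without a domain controller.

```powershell
# Added example (not from the original post and not part of ADAudit Plus): find the clients still
# binding to your domain controllers in the clear, using the events Windows itself logs, then
# require signing. Assumes domain-admin rights on the DCs; DC names and sample data are placeholders.

# Step 1: make each DC log event 2889 for every offending bind. (Event 2887, a 24-hour count of
# such binds, is logged even at the default level.) The key and value name are Microsoft's;
# set the level back to 0 when done, since level 2 is chatty.
function Enable-LdapInterfaceLogging {
    param([Parameter(Mandatory)][string[]]$DomainController, [int]$Level = 2)
    foreach ($dc in $DomainController) {
        Invoke-Command -ComputerName $dc -ArgumentList $Level -ScriptBlock {
            Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics' `
                -Name '16 LDAP Interface Events' -Value $args[0] -Type DWord
        }
    }
}

# Step 2: pull the client address, account and binding type out of a 2889 message. The labels
# are quoted from the event text; each value follows its label on the next line.
function ConvertFrom-Ldap2889Message {
    param([Parameter(Mandatory)][string]$Message)
    $ip = [regex]::Match($Message, 'Client IP address:\s*(\S+?):(\d+)(?=\s|$)')
    $id = [regex]::Match($Message, 'Identity the client attempted to authenticate as:\s*(.+?)\s*(?:\r?\n|$)')
    $bt = [regex]::Match($Message, 'Binding Type:\s*(\d+)')
    $port = 0
    if ($ip.Success) { $port = [int]$ip.Groups[2].Value }
    [pscustomobject]@{
        ClientIP    = $ip.Groups[1].Value
        ClientPort  = $port
        Identity    = $id.Groups[1].Value
        BindingType = $bt.Groups[1].Value   # raw value from the event, not decoded here
    }
}

# Step 3: collect 2889 events from each DC, then summarize by client and account. These are the
# applications to repoint at LDAPS (636) or StartTLS before signing is required.
function Get-CleartextLdapBinds {
    param([Parameter(Mandatory)][string[]]$DomainController, [int]$Days = 7)
    $filter = @{ LogName = 'Directory Service'; Id = 2889; StartTime = (Get-Date).AddDays(-$Days) }
    foreach ($dc in $DomainController) {
        Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction SilentlyContinue |
            ForEach-Object {
                $evt = $_
                ConvertFrom-Ldap2889Message -Message $evt.Message |
                    Add-Member -NotePropertyName Time -NotePropertyValue $evt.TimeCreated -PassThru |
                    Add-Member -NotePropertyName DomainController -NotePropertyValue $dc -PassThru
            }
    }
}

function Get-CleartextLdapSummary {
    param([Parameter(Mandatory)][object[]]$Binds)
    $Binds | Group-Object ClientIP, Identity | ForEach-Object {
        [pscustomobject]@{
            ClientIP = $_.Group[0].ClientIP
            Identity = $_.Group[0].Identity
            Count    = $_.Count
            LastSeen = ($_.Group | Sort-Object Time -Descending | Select-Object -First 1).Time
        }
    } | Sort-Object Count -Descending
}

# Step 4: once the summary comes back empty, require signing on every DC so nothing slides back.
# This is the registry form of the GPO setting "Domain controller: LDAP server signing
# requirements" = Require signing; prefer the GPO in production so policy does not overwrite it.
function Set-LdapServerSigningRequired {
    param([Parameter(Mandatory)][string[]]$DomainController)
    foreach ($dc in $DomainController) {
        Invoke-Command -ComputerName $dc -ScriptBlock {
            Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' `
                -Name 'LDAPServerIntegrity' -Value 2 -Type DWord
        }
    }
}

# Constructed sample 2889 messages (shape follows the real event text) so the parser and
# summary run without a domain controller.
$preamble = "The following client performed a SASL (Negotiate/Kerberos/NTLM/Digest) LDAP bind without requesting signing (integrity verification), or performed a simple bind over a clear text (non-SSL/TLS-encrypted) LDAP connection.`r`n`r`n"
$sampleMessages = @(
    $preamble + "Client IP address:`r`n10.20.30.40:52011`r`nIdentity the client attempted to authenticate as:`r`nEXAMPLE\svc-printers`r`nBinding Type:`r`n0",
    $preamble + "Client IP address:`r`n10.20.30.40:52012`r`nIdentity the client attempted to authenticate as:`r`nEXAMPLE\svc-printers`r`nBinding Type:`r`n0",
    $preamble + "Client IP address:`r`n10.20.31.7:61000`r`nIdentity the client attempted to authenticate as:`r`nEXAMPLE\svc-library`r`nBinding Type:`r`n1"
)
$parsed = $sampleMessages | ForEach-Object {
    ConvertFrom-Ldap2889Message -Message $_ | Add-Member -NotePropertyName Time -NotePropertyValue (Get-Date) -PassThru
}
Get-CleartextLdapSummary -Binds $parsed | Format-Table -AutoSize

# Live use (placeholder DC names): run Enable-LdapInterfaceLogging first, wait a week, then:
# $dcs = 'dc1.example.edu', 'dc2.example.edu'
# Get-CleartextLdapSummary -Binds (Get-CleartextLdapBinds -DomainController $dcs)
```

The order matters: requiring signing before the summary is empty will break every application still on the list, which is exactly the kind of bumpy rollout the post describes. Give the logging a full week so weekly and monthly jobs show up, and leave the summary running after enforcement to catch anything new.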

If you need help with this, let us know.

If you'd like to know what else is out there on the Microsoft side of your network, talk to Lisa about implementing Active Directory Auditing with ADAudit Plus.

-Scott