Directory Security




A problem for many organizations today is how to productively use, manage, and secure heterogeneous network environments that have many users and a variety of resources. An unorganized network with mismanaged users, permissions, and access controls, and with scattered resources, can cost a company a small fortune as well as result in a major loss of productivity.

The use of directories and directory services such as Microsoft’s Active Directory and LDAP (Lightweight Directory Access Protocol) helps bring together various heterogeneous systems and networks. These services provide a more intuitive way to manage, access, and control resources at the enterprise level. A proper implementation of directory services can improve security and reduce operating system maintenance and administrative support costs. However, a lack of management, or improper management, of directory services can prove fatal to a network and its resources.

Directory services such as Active Directory and LDAP use hierarchical tree structures as a means of organization and as a way to administer resources at the various levels of an organization.

LDAP

LDAP is a directory service standard protocol, part of X.500, that is used on the Internet and on many corporate intranets. LDAP allows resources such as files, folders, devices, locations, and people to be located easily on a network. On traditional TCP/IP networks, DNS (Domain Name Service) is the most commonly used directory services protocol. DNS is used to translate, or resolve, domain names to specific IP addresses. For example, DNS will resolve the name CompTIA.com to the IP address 216.119.103.72. It is easier for people to remember intuitive names than numbers such as IP addresses. LDAP allows you to search by more intuitive names when you cannot remember, or do not know, the domain in which a user or resource is located.
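As an added illustration of the hierarchical tree described above and of searching by an intuitive name without knowing the container (example code written for this page, not from the book): it parses constructed sample entries written as LDAP distinguished names (RFC 4514 string form), handles an escaped comma inside a name value, and finds entries by common name wherever they sit in the tree. The directory contents and the helper names are assumptions.

```python
import re

# Constructed sample directory entries, written as RFC 4514 DN strings
# (leaf first, root last). The first contains an escaped comma in the cn.
SAMPLE_DNS = [
    "cn=Smith\\, John,ou=Engineering,ou=People,dc=example,dc=com",
    "cn=Jane Doe,ou=Finance,ou=People,dc=example,dc=com",
    "cn=Jane Doe,ou=Contractors,dc=example,dc=com",
    "cn=printer01,ou=Devices,dc=example,dc=com",
]

# Split only on commas that are not preceded by a backslash, so an
# escaped comma inside a value is kept as part of that value.
_RDN_SEPARATOR = re.compile(r"(?<!\\),")


def split_dn(dn):
    """Return the DN as a list of (attribute, value) pairs, leaf first.

    Attribute types are case-insensitive in LDAP, so they are lowercased;
    an escaped comma is turned back into a literal comma in the value.
    """
    pairs = []
    for rdn in _RDN_SEPARATOR.split(dn):
        attr, _, value = rdn.partition("=")
        pairs.append((attr.strip().lower(), value.strip().replace("\\,", ",")))
    return pairs


def tree_path(dn):
    """Root-first path through the hierarchy, e.g. ['dc=com', 'dc=example', ...]."""
    return ["%s=%s" % (attr, value) for attr, value in reversed(split_dn(dn))]


def find_by_name(dns, name):
    """Return every entry whose cn matches `name`, in any container.

    The match is case-insensitive, like LDAP's cn attribute, and the caller
    does not need to know which ou or domain the entry lives in. Several
    entries may share a name, so the result is a list, not a single DN.
    """
    wanted = name.lower()
    matches = []
    for dn in dns:
        attr, value = split_dn(dn)[0]
        if attr == "cn" and value.lower() == wanted:
            matches.append(dn)
    return matches


if __name__ == "__main__":
    for dn in find_by_name(SAMPLE_DNS, "jane doe"):
        print(" / ".join(tree_path(dn)))
```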

Although LDAP provides many benefits, it also has security-related vulnerabilities. LDAP is used to provide interoperability between X.500-supported directory services and directories. Directories typically include such things as ACLs (Access Control Lists), certificates, and other important information. LDAP is given access to most of these resources on an enterprise scale, so if any one of these individual resources becomes compromised, your entire enterprise might be at risk.

Note 

Known vulnerabilities exist in certain versions of LDAP that have led to buffer overflow attacks, unauthorized access conditions, and Denial of Service (DoS). It is important that you review your version of LDAP and apply patches or upgrade to a more secure version if required.

Most major vendors, including Microsoft, Novell, and Cisco, have products that interoperate with LDAP. Microsoft, for example, provides support for LDAP in its trademarked directory service, Active Directory.

In conclusion to our Web security section, it is advised that you visit the following site for a very informative list of the top ten most exploited Internet security flaws: http://www.orthus.com/ttvuln.html.






The Security+ Exam Guide (TestTaker's Guide Series)
Security + Exam Guide (Charles River Media Networking/Security)
ISBN: 1584502517
Year: 2003
Pages: 136
