3.5.3.9.1 Directory Services (Page 3 of 3)

Directory Services Security Issues

Some directory services allow anyone to query the directory for any available information about network resources and users. Other directory services support multiple forms of authentication, allowing the administrator to choose the most appropriate mechanism (hint: challenge/response or PKI-based authentication schemes, discussed further in the following chapter, are more secure than those which transmit a password in encrypted or clear-text form). With authentication, different levels of users can be granted different levels of access, helping enforce the security principle of providing information on a need-to-know basis only.
Information provided by directory services can include sensitive details about the enterprise and its network configuration, exactly the kind of data you wouldn't want an attacker with a network packet sniffer to have. Therefore, many directory services can make use of encryption when sending data back and forth between directory service client and server. If your directory service supports an encrypted communication path, use it. If you're using vanilla LDAP, consider moving to LDAP over TLS, which provides such encryption.
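As an added example (not from the CertiGuide text), a small Python check that a server will upgrade a plain LDAP session with StartTLS before any credentials go over the wire: it hand-encodes the RFC 4511 StartTLS extended request, reads the result code from the ExtendedResponse, and only then completes a certificate-verified TLS handshake. The host and port are placeholders you supply; the sample responses at the bottom are constructed, not captured from a real server.

```python
import socket
import ssl

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"  # StartTLS extended operation (RFC 4511)


def ber_tlv(tag: int, value: bytes) -> bytes:  # short-form length: every message here is < 128 bytes
    return bytes([tag, len(value)]) + value


def read_tlv(buf: bytes, pos: int):  # -> (tag, value, position after the TLV)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length used by larger server responses
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def build_starttls_request(message_id: int = 1) -> bytes:
    # LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] { requestName [0] OID } }
    ext = ber_tlv(0x77, ber_tlv(0x80, STARTTLS_OID))
    return ber_tlv(0x30, ber_tlv(0x02, bytes([message_id])) + ext)  # message_id < 128


def parse_extended_result_code(data: bytes) -> int:
    # resultCode of an ExtendedResponse [APPLICATION 24]; -1 if the message is anything else
    tag, msg, _ = read_tlv(data, 0)
    if tag != 0x30:
        return -1
    _, _, pos = read_tlv(msg, 0)  # skip messageID
    op_tag, op, _ = read_tlv(msg, pos)
    if op_tag != 0x78:
        return -1
    rc_tag, rc, _ = read_tlv(op, 0)  # first element of LDAPResult is resultCode ENUMERATED
    return int.from_bytes(rc, "big") if rc_tag == 0x0A else -1


def starttls_probe(host: str, port: int = 389, timeout: float = 5.0) -> bool:
    # True only if the server accepts StartTLS and a certificate-verified handshake completes;
    # send a bind (credentials) only after this succeeds, never over the cleartext socket.
    ctx = ssl.create_default_context()  # verifies the server certificate against system CAs
    with socket.create_connection((host, port), timeout=timeout) as raw:
        raw.sendall(build_starttls_request())
        if parse_extended_result_code(raw.recv(4096)) != 0:  # one recv covers the short reply
            return False
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version() is not None


# Constructed sample responses (not from any real server): success (0) and protocolError (2)
SAMPLE_STARTTLS_OK = bytes.fromhex("300c02010178070a010004000400")
SAMPLE_STARTTLS_REFUSED = bytes.fromhex("300c02010178070a010204000400")
```

Run `starttls_probe("ldap.example.internal")` against your own server; a False result means simple binds on port 389 would carry passwords in the clear.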
A last subtle point to consider when hardening a directory server is verifying that the directory contains correct data. Has the data been obtained through appropriate, verified channels? If you don't have established, verifiable sources for data, someone might very well be able to insert bogus information into your directory without any sort of technical access to it at all (in yet another case of social engineering).
CertiGuide for Security+ (http://www.CertiGuide.com/secplus/) on CertiGuide.com Version 1.0 - Version Date: November 15, 2004 Adapted with permission from a work created by Tcat Houser et al. CertiGuide.com Version © Copyright 2004 Charles M. Kozierok. All Rights Reserved.