2.11.2 Communications Security

The Active Directory system relies on messages that are passed across the network between the client and the directory service and from one directory service server to another. The system does not require this network to be fully trusted and allows for the possibility that a hostile party might be able to intercept such messages while they are transferred. Most of the protocols in the Active Directory system are designed to protect against two key attacks from such an attacker:

  • Eavesdropping on the messages to gain information that the attacker is not intended to have.

  • Altering request or response messages to cause the directory service or client, respectively, to take action based on information supplied by the attacker.

To protect against these attacks, the system uses transport- and message-level security features to protect traffic between the clients and the directory service, and between directory service servers. Transport-level security protects the entire transport, effectively creating a protected "tunnel" between machines through which the messages are sent, protecting the confidentiality and integrity of all messages sent through the tunnel. Message-level security encrypts and/or digitally signs each individual message to provide confidentiality and integrity of that message, respectively.

There is no single transport- or message-level mechanism that is used throughout all the protocols that comprise the Active Directory system. The following table summarizes the mechanisms that are used in each protocol. It includes a reference to the relevant section of the protocol Technical Documents for more information.

Transport- and Message-Level Security Features

| Protocol | Mechanisms | Reference |
|---|---|---|
| LDAP | Transport-level: Protection is provided by signing and encryption over a Secure Sockets Layer (SSL)/Transport Layer Security (TLS)-protected connection. | [MS-ADTS] section 5.1.2.2 |
| LDAP | Message-level: Protection is provided by signing and/or encryption using SASL. | [MS-ADTS] section 5.1.2.1, Using SASL |
| DRSR | Message-level: Protection is provided by use of the SPNEGO security provider ([MS-RPCE] section 2.2.1.1.7) to protect the messages at the RPC layer. | [MS-DRSR] sections 2.2.3.1 and 2.2.4.1 |
| DSSP | None. | |
| SAMR | Transport-level: When using RPC over the SMB transport, protection is provided by the SMB transport. | [MS-SAMR] section 2.1 |
| SAMR | Message-level: When using RPC over the TCP transport, protection is provided by use of the SPNEGO security provider ([MS-RPCE] section 2.2.1.1.7) to protect the messages at the RPC layer. | [MS-SAMR] section 2.1 |
| LSAD | Transport-level: Protection is provided by the SMB transport over which the RPC requests are sent. | [MS-LSAD] section 2.1 |
| LSAT | Transport-level: When using RPC over the SMB transport, protection is provided by the SMB transport. | [MS-LSAT] sections 2.1 and 3.1.4 |
| LSAT | Message-level: When using RPC over the TCP transport, protection is provided by use of the Netlogon security provider ([MS-RPCE] section 2.2.1.1.7) to protect the messages at the RPC layer. | [MS-LSAT] sections 2.1 and 3.1.4 |
| WS-Transfer | Transport-level: Protection is provided by the use of TLS [RFC2246] to protect the TCP transport. When using the Windows integrated authentication endpoints, the SPNEGO security provider is used to negotiate the session key used by TLS. When using the username/password authentication endpoints, TLS is used to negotiate a session key using the server's certificate. | [MS-ADDM] section 2.1 |
| WS-Enumeration | Same as WS-Transfer, above. | [MS-ADDM] section 2.1 |
| ADCAP | Same as WS-Transfer, above. | [MS-ADDM] section 2.1 |

In addition to these mechanisms to protect intended traffic between machines, many of the protocols in the Active Directory system also have mechanisms to reject undesirable traffic; that is, traffic that has been judged as potentially harmful to the directory service. The following table lists the protocols that have such mechanisms, a summary of the mechanisms, and a reference to further information. Note that these mechanisms are in addition to any access checks (section 2.11.1) that are performed by the protocol.

Additional Security Mechanisms

| Protocol | Mechanisms | Reference |
|---|---|---|
| LDAP | LDAP Policies: establish limits on the size of the operations that a client can request. | [MS-ADTS] section 3.1.1.3.4.6 |
| LDAP | LDAP IP Deny List: provides a configurable list of IPv4 addresses from which the directory service ignores requests. | [MS-ADTS] section 3.1.1.3.4.8 |
| DRSR | Uses Interface Definition Language (IDL) "[range]" attributes to limit the size of requests that will be accepted by the directory service. | [MS-DRSR] section 7 |
| DSSP | None. | |
| SAMR | Uses IDL "[range]" attributes to limit the size of requests that the directory service accepts. | [MS-SAMR] section 6 |
| SAMR | Configures the RPC runtime to perform a strict Network Data Representation (NDR) data consistency check at target level 5.0. | [MS-SAMR] section 2.1 |
| LSAD | In the Microsoft implementation, uses IDL "[range]" attributes to limit the size of requests that will be accepted by the directory service. | [MS-LSAD] sections 6 and 7 |
| LSAD | In the Microsoft implementation, configures the RPC runtime to perform a strict NDR data consistency check at target level 5.0. | [MS-LSAD] section 7 |
| LSAD | Configures the RPC runtime to enforce Maximum Server Input Data Size. | [MS-LSAD] section 2.2.1 |
| LSAT | In the Microsoft implementation, uses IDL "[range]" attributes to limit the size of requests that will be accepted by the directory service. | [MS-LSAT] sections 6 and 7 |
| LSAT | In the Microsoft implementation, configures the RPC runtime to perform a strict NDR data consistency check at target level 5.0. | [MS-LSAT] section 7 |
| WS-Transfer | * | |
| WS-Enumeration | * | |
| ADCAP | * | |

* Implementations can provide mechanisms to limit the operations that can be performed or the size of the response.<5>
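As an added illustration of the two LDAP rejection mechanisms in the table above (this is example code, not part of the specification or of any Microsoft implementation), the following simplified model applies an IP deny list and then size policies to an incoming request. The "address mask" entry format, the policy values, and the exact decision taken on an over-sized request are assumptions for the example; the authoritative definitions are the [MS-ADTS] sections referenced in the table.

```python
import ipaddress

# Constructed deny-list entries. The "address mask" pair format is an assumption
# for this example; see [MS-ADTS] section 3.1.1.3.4.8 for the real syntax.
DENY_LIST = ["10.20.0.0 255.255.0.0", "192.0.2.7 255.255.255.255"]

# Constructed limits. The names follow LDAP policies described in [MS-ADTS]
# section 3.1.1.3.4.6; the values are sample values, not defaults.
POLICY = {"MaxPageSize": 1000, "MaxReceiveBuffer": 10_485_760}


def parse_deny_list(entries):
    """Turn 'address mask' strings into IPv4 networks; malformed entries are skipped."""
    networks = []
    for entry in entries:
        parts = entry.split()
        if len(parts) != 2:
            continue
        try:
            networks.append(
                ipaddress.IPv4Network(f"{parts[0]}/{parts[1]}", strict=False))
        except ValueError:
            continue
    return networks


def is_denied(client_ip, networks):
    """True when the client's source address falls inside any denied range.

    The deny list is IPv4-only, so a non-IPv4 source is simply not matched.
    """
    try:
        addr = ipaddress.IPv4Address(client_ip)
    except ValueError:
        return False
    return any(addr in net for net in networks)


def check_request(client_ip, page_size, request_bytes,
                  deny_list=DENY_LIST, policy=POLICY):
    """Deny list first (the request is ignored entirely), then size policies."""
    if is_denied(client_ip, parse_deny_list(deny_list)):
        return "ignore: source address on LDAP IP deny list"
    if request_bytes > policy["MaxReceiveBuffer"]:
        return "reject: request larger than MaxReceiveBuffer"
    if page_size > policy["MaxPageSize"]:
        return "limit: page size capped at MaxPageSize"
    return "accept"
```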