tom4ta/ldapfw: LDAP Firewall

Introduction

LDAP Firewall is an open-source tool for Windows servers that lets you audit and restrict incoming LDAP requests.
Its primary use-cases are to protect Domain Controllers, block LDAP-based attacks and tightly control access to the Active Directory schema (e.g. enforcing read-only access for users).
The tool is written in C++ and makes use of the Microsoft Detours and JsonCpp packages.

To get started, check out our blog post and tutorial video.

Main Features

  • Allow / block incoming LDAP queries based on different parameters (operation type, source IP, user, DN etc.)
  • Event logging for LDAP queries

How It Works

The LDAP Firewall inspects incoming LDAP operations (which are used to read or modify entries in the AD schema) and allows or blocks the request based on the configured rules.
The operation also gets written into the Windows Event Log with the LDAPFW action and other relevant fields (Distinguished Name, attributes, OID etc.).

Who is this made for?

  • Security Engineers who want to control LDAP access and achieve a Least Privilege model
  • Threat Hunters and SOC analysts who want to create detections and perform investigations around LDAP
  • Security Researchers who want to explore and deepen their understanding of the protocol

Preventing Attacks with LDAPFW

This section describes some common LDAP-based attacks that can be mitigated with the LDAP Firewall.
Sample config.json files can be found in the example_configs folder of this repository.

sAMAccountName spoofing

LDAPFW can be configured to block all Add operations in order to completely prevent Name Impersonation (CVE-2021-42278) and thus defend against sAMAccountName spoofing.

[Screenshot: Audit of an LDAP Add operation being blocked (produced using the Ldapper addComputer command)]

BloodHound

Stop BloodHound scans by blocking searches on uncommon attributes (such as admincount, userpassword and msds-allowedToDelegateTo).

[Screenshot: SharpHound unable to obtain entities from LDAP]

LAPS

Protect LAPS passwords by monitoring and blocking attempts to read the ms-Mcs-AdmPwd computer attribute.

Getting started

Get the latest binary from the release page, or build from source.

Prerequisites

Currently supported and tested on Windows Server 2016 and up.
Internet access is required for fetching symbols from the Microsoft public symbol server.

Usage

ldapFwManager.exe /help

Usage: ldapFwManager /<Command> [options]

Command:
----------
/install - install and start LDAP Firewall protection
/uninstall - remove LDAP Firewall protection
/update - reload config.json and update the LDAPFW configuration (while installed)
/status - print status
/help - show this help message and exit

Debug Options: (use with /install or /status)
----------
/v - enable debug logging (stored in %AppData%\LDAPFW)
/vv - enable verbose debug logging. Warning - this will generate a large logfile and may affect performance.

Status

Before installing LDAPFW for the first time, run with /status to make sure all prerequisites are met:

ldapFwManager.exe /status
LDAP Firewall v0.0.1

Status:
---------------------
LDAPFW Installed:               False
Symbols loaded:                 True
Ready to install:               True

Configuration

All configurations are set in the config.json file.

{
  "rules": [
    {
      "operations": ["*"],
      "ips": ["*"],
      "users": ["*"],
      "action": "allow"
    }
  ],
  "suppressAudit": ["search"]
}

Rules

The rules field specifies a list of block / allow rules similar to a classic firewall. Each rule can be defined with the following fields:

  • operations - list of LDAP operations (add / delete / modify / modifydn / search / compare / extended or * for any)
  • ips - list of source IPs (or * for any)
  • users - list of users (or * for any)
  • action - action to perform (allow / block)
  • dn - DN set in the LDAP query (if applies)
  • attribute - attribute set in the LDAP query (if applies)
  • oid - OID set in the LDAP query (if applies)
  • filter - filter set in a Search query (supports basic wildcard matches)

During an incoming LDAP operation, the first matched rule action applies. If no rule matches, the operation is allowed by default (this behaviour can be modified by setting a global block rule as the final rule).

Suppress Audit

By default, Search operations do not generate event logs as they can get noisy. You can enable / disable auditing of different operations by modifying the suppressAudit field.
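The following Python script is an added example, not part of the project (whose code is C++ injected into lsass.exe). It models the rule semantics stated above (first matching rule wins, default allow, a trailing global block rule turns that into default deny, and operations listed in suppressAudit are not audited) and applies them to the three hardening patterns from the Preventing Attacks section: blocking Add operations, blocking searches for uncommon attributes, and blocking reads of ms-Mcs-AdmPwd. The README does not say how the optional dn / attribute / oid / filter fields are compared, so the model assumes case-insensitive exact matching for dn, attribute and oid, that an attribute rule matches when that attribute appears anywhere in the operation's requested attribute list, and shell-style wildcards for filter; the IPs, account names and DNs are constructed placeholders.

```python
import fnmatch
import json

# Operation names and actions the README documents for a rule.
OPERATIONS = {"add", "delete", "modify", "modifydn", "search", "compare", "extended"}
ACTIONS = {"allow", "block"}

# The README's default config.json, parsed verbatim.
DEFAULT_CONFIG = json.loads("""
{
  "rules": [
    {"operations": ["*"], "ips": ["*"], "users": ["*"], "action": "allow"}
  ],
  "suppressAudit": ["search"]
}
""")

# Constructed hardening config (IP 10.0.0.5 is a placeholder for a LAPS management host).
HARDENING_CONFIG = {
    "rules": [
        # sAMAccountName spoofing: block every Add operation
        {"operations": ["add"], "ips": ["*"], "users": ["*"], "action": "block"},
        # BloodHound: block searches that request uncommon attributes
        {"operations": ["search"], "ips": ["*"], "users": ["*"], "attribute": "admincount", "action": "block"},
        {"operations": ["search"], "ips": ["*"], "users": ["*"], "attribute": "userpassword", "action": "block"},
        {"operations": ["search"], "ips": ["*"], "users": ["*"], "attribute": "msds-allowedToDelegateTo", "action": "block"},
        # LAPS: the management host may read ms-Mcs-AdmPwd, everyone else is blocked (order matters)
        {"operations": ["search"], "ips": ["10.0.0.5"], "users": ["*"], "attribute": "ms-Mcs-AdmPwd", "action": "allow"},
        {"operations": ["search"], "ips": ["*"], "users": ["*"], "attribute": "ms-Mcs-AdmPwd", "action": "block"},
    ],
    "suppressAudit": [],  # audit searches as well while tuning the rules
}

# Same rules plus a trailing catch-all block rule, i.e. default deny.
STRICT_CONFIG = {
    "rules": HARDENING_CONFIG["rules"]
    + [{"operations": ["*"], "ips": ["*"], "users": ["*"], "action": "block"}],
    "suppressAudit": [],
}


def validate_config(config):
    """Return a list of problems found in a config (empty list means it looks sane)."""
    problems = []
    for i, rule in enumerate(config.get("rules", [])):
        for key in ("operations", "ips", "users", "action"):  # assumed mandatory fields
            if key not in rule:
                problems.append(f"rule {i}: missing '{key}'")
        for opname in rule.get("operations", []):
            if opname != "*" and opname.lower() not in OPERATIONS:
                problems.append(f"rule {i}: unknown operation '{opname}'")
        if rule.get("action") not in ACTIONS:
            problems.append(f"rule {i}: unknown action '{rule.get('action')}'")
    for opname in config.get("suppressAudit", []):
        if opname.lower() not in OPERATIONS:
            problems.append(f"suppressAudit: unknown operation '{opname}'")
    return problems


def _match_list(values, candidate):
    # "*" matches anything; otherwise case-insensitive membership.
    return "*" in values or candidate.lower() in {v.lower() for v in values}


def rule_matches(rule, op):
    """True when every field present in the rule matches the operation (assumed semantics)."""
    if not _match_list(rule["operations"], op["operation"]):
        return False
    if not _match_list(rule.get("ips", ["*"]), op["ip"]):
        return False
    if not _match_list(rule.get("users", ["*"]), op["user"]):
        return False
    if "dn" in rule and rule["dn"].lower() != op.get("dn", "").lower():
        return False
    if "attribute" in rule:
        requested = {a.lower() for a in op.get("attributes", [])}
        if rule["attribute"].lower() not in requested:
            return False
    if "oid" in rule and rule["oid"] != op.get("oid"):
        return False
    if "filter" in rule and not fnmatch.fnmatch(op.get("filter", "").lower(), rule["filter"].lower()):
        return False
    return True


def evaluate(config, op):
    """Return (action, audited) for one operation: first match wins, default allow."""
    action = "allow"
    for rule in config["rules"]:
        if rule_matches(rule, op):
            action = rule["action"]
            break
    suppressed = {s.lower() for s in config.get("suppressAudit", [])}
    return action, op["operation"].lower() not in suppressed


# Constructed sample operations (IPs, accounts and DNs are placeholders).
SAMPLE_OPS = {
    "add_computer": {"operation": "add", "ip": "10.0.0.42", "user": "CORP\\jdoe",
                     "dn": "CN=WS01,CN=Computers,DC=corp,DC=local"},
    "bloodhound": {"operation": "search", "ip": "10.0.0.42", "user": "CORP\\jdoe",
                   "attributes": ["sAMAccountName", "adminCount"], "filter": "(objectClass=user)"},
    "laps_mgmt": {"operation": "search", "ip": "10.0.0.5", "user": "CORP\\lapsadmin",
                  "attributes": ["ms-Mcs-AdmPwd"]},
    "laps_other": {"operation": "search", "ip": "10.0.0.42", "user": "CORP\\jdoe",
                   "attributes": ["ms-Mcs-AdmPwd"]},
    "plain_modify": {"operation": "modify", "ip": "10.0.0.42", "user": "CORP\\jdoe",
                     "dn": "CN=jdoe,CN=Users,DC=corp,DC=local", "attributes": ["description"]},
}


def decisions(config):
    """Evaluate every sample operation under a config; returns {name: (action, audited)}."""
    return {name: evaluate(config, op) for name, op in SAMPLE_OPS.items()}


if __name__ == "__main__":
    for label, cfg in (("default", DEFAULT_CONFIG), ("hardening", HARDENING_CONFIG), ("strict", STRICT_CONFIG)):
        print(label, validate_config(cfg) or "config OK")
        for name, (action, audited) in decisions(cfg).items():
            print(f"  {name:13s} -> {action:5s} audited={audited}")
```

Running the script shows the difference between the three configs: the default config allows everything and leaves searches unaudited, the hardening config blocks the Add and the BloodHound-style and LAPS reads (except from the management host listed first) while still allowing an ordinary modify, and the strict config's trailing block rule denies that modify too. Run validate_config on a new config.json before /install or /update to catch a misspelled operation or action, since a rule that never matches silently falls through to the default allow.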

How LDAP Firewall works

The LDAP Firewall is built from 3 main components:

ldapFwManager

Main executable which loads the configuration, sets up the environment and injects the firewall into lsass.exe (the main Windows process which enforces the security policy and handles LDAP connections in Windows servers).

ldapFW.dll

The actual LDAP Firewall code, which detours the internal Windows LDAP functions in order to manage and audit LDAP requests.

ldapMessages.dll

Handles writing audit messages to the Windows Event Log, which are written to Application and Services Logs\LDAPFW.

Can I contribute?

Yes! Don't be shy to do a pull request.

We would love to hear from you!

For any questions, issues, or simply to shout out, join our -273°C Slack channel where the community shares best practices and helps build better defenses using open-source tools.
We are also available at support@zeronetworks.com.

License information

For more details, see LICENSE.
