Recon is almost always the first step attackers take to understand the ways they can compromise a target organization. LDAP reconnaissance is an internal recon technique used to discover users, groups and other critical directory information. Adversaries issue LDAP queries, usually through off-the-shelf tooling but sometimes directly, to build up their knowledge of the environment, which helps them pick targets and plan the next stages of the attack.
Mitigating this means locking the directory down as far as possible, so that an attacker's recon uncovers as little as possible about the target's environment.
In the latest 14.1 SP2 release of Directory, we introduced a security feature: the ability to accept connections to DSAs *only* from a predefined list of IP addresses. This boosts security because you can list only the addresses you trust.
If a connection is attempted from an IP address that is not on the list, the DSA closes the connection.
The command to define the list is:
set include-addresses = ipv4 "<<ip address range>>", ipv6 "<<ip address range>>";
Example:
set include-addresses = ipv4 "10.11.12.13/24", ipv6 "2001:1bc:1234::409/48";
You can list individual IP addresses, or cover a range of addresses by giving a subnet in prefix (CIDR) notation, as in the /24 and /48 above. Keep in mind that a prefix admits the whole subnet: 10.11.12.13/24 allows every address from 10.11.12.0 to 10.11.12.255, not just 10.11.12.13, so keep the prefixes as narrow as your trusted clients allow.
You may also know the "exclude-addresses" capability that Directory has supported since the 12.x releases.
It refuses connection attempts from the listed IP addresses, i.e. the DSA behaves the opposite way to "include-addresses": everything is accepted except what is listed. In the 14.1 SP2 release of Directory, "exclude-addresses" is enhanced to accept IP subnets as well. Of the two, the include list is the stronger control: a host you did not anticipate cannot reach the DSA until it is explicitly added, whereas an exclude list only stops addresses you already know about.
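To make the two settings concrete, here is an added example (not code from Directory or from this post) that parses an address list written the way the include-addresses and exclude-addresses commands above are written, and decides whether a connecting client should be admitted. It assumes the DSA semantics described on the page: an include list admits only matching addresses, an exclude list refuses matching addresses. How the DSA combines both lists when both are set, and whether it masks host bits in a prefix such as 10.11.12.13/24, is not stated on the page; the code masks host bits and lets a match on the exclude list win, and both are labelled as assumptions. The sample connection attempts are constructed for the example.

```python
import ipaddress
from typing import Iterable, List, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Address family keyword -> IP version, matching the ipv4/ipv6 keywords on the page.
FAMILY_VERSION = {"ipv4": 4, "ipv6": 6}


def parse_address_list(spec: str) -> List[Network]:
    """Parse a list such as 'ipv4 "10.11.12.13/24", ipv6 "2001:1bc:1234::409/48";'.

    A bare address (no '/n') becomes a single-host network (/32 or /128).
    Host bits in a prefix are masked off (10.11.12.13/24 -> 10.11.12.0/24).
    ASSUMPTION: the DSA's own handling of host bits is not documented here,
    so write prefixes with the host bits already zeroed in a real config.
    """
    nets: List[Network] = []
    for item in spec.split(","):
        item = item.strip().rstrip(";").strip()
        if not item:
            continue
        family, _, addr = item.partition(" ")
        family = family.lower()
        if family not in FAMILY_VERSION:
            raise ValueError(f"unknown address family {family!r} in {item!r}")
        net = ipaddress.ip_network(addr.strip().strip('"'), strict=False)
        if net.version != FAMILY_VERSION[family]:
            raise ValueError(f"{net} is not an {family} address")
        nets.append(net)
    return nets


def connection_allowed(client_ip: str,
                       include: Iterable[Network] = (),
                       exclude: Iterable[Network] = ()) -> bool:
    """Return True if a client at client_ip should be admitted.

    include-addresses is an allowlist: when it is non-empty, anything not on
    it is refused. exclude-addresses is a denylist: anything on it is refused.
    ASSUMPTION: when both are set, a match on the exclude list wins.
    """
    ip = ipaddress.ip_address(client_ip)
    include = list(include)
    if include and not any(ip in net for net in include):
        return False
    if any(ip in net for net in exclude):
        return False
    return True


if __name__ == "__main__":
    # The example list from the page, plus a constructed exclude list.
    include = parse_address_list('ipv4 "10.11.12.13/24", ipv6 "2001:1bc:1234::409/48";')
    exclude = parse_address_list('ipv4 "10.11.12.250";')   # constructed: one bad host inside the /24

    # Constructed connection attempts; the DSA would close the refused ones.
    for client in ["10.11.12.200", "10.11.13.1", "10.11.12.250",
                   "2001:1bc:1234:ffff::1", "2001:1bc:1235::1"]:
        verdict = "accept" if connection_allowed(client, include, exclude) else "close"
        print(f"{client:>24}  {verdict}")
```

Note that `ip in net` never matches across address families, so a v4 client is only ever tested against the v4 prefixes and a v6 client against the v6 ones, which is why a single mixed list is enough.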
For more details on the above features, check out the following links in the technical publication: