Microsoft Active Directory (AD) is a database and a set of services. Active Directory uses a structured data store as the basis for a logical, hierarchical organization of directory information:
- As a database, Microsoft AD contains critical information about your environment, like which users and computers are included in your environment, and who’s allowed to do what.
- As a server, Microsoft AD connects users with the network resources they need to get their work done.
In other words, Microsoft Active Directory stores information about objects on the network and makes this information easy for administrators and users to find and use. It does this through the Active Directory Domain Services (AD DS), which are the core functions in Active Directory that manage users and computers and allow sysadmins to organize the data into logical hierarchies. AD DS provides for security certificates, Single Sign-On (SSO), LDAP, and rights management. And, understanding AD DS is a top priority for incident response (IR) and cybersecurity practitioners because all cyberattacks will affect AD.
There are several benefits to using AD DS for your basic network user and computer management:
- Customize data organization based on company requisites.
- Manage AD DS from any computer on your network.
- AD DS provides built-in replication and redundancy.
- Centralize management of network access rights.
So, Lightweight Directory Access Protocol (LDAP) comes into play as a software protocol for enabling anyone to locate internet or corporate intranet data. In other words, LDAP is a set of guidelines to send and receive information, like usernames and passwords, to Active Directory. LDAP authenticates Active Directory. Since LDAP is used to read from and write to Active Directory, LDAP authentication is a foundational element of identity management.
Here’s the challenge: It’s important to note that LDAP passes messages in clear text by default. Communications over LDAP are not encrypted, so anyone with a network sniffer can read the packets. This makes it possible for a malicious user to use network monitoring software to view data packets over the wire. This is why many corporate security policies typically require that organizations encrypt all LDAP communication. However, this does not need to be a challenge when using Microsoft AD Directory in the AWS cloud.
AWS Managed Microsoft AD provides an option by enabling LDAP over Secure Sockets Layer (SSL)/Transport Layer Security (TLS), also known as LDAPS. With LDAPS, security is comprehensively improved, and compliance requirements are met by encrypting all communications between your LDAP-enabled applications and AWS Managed Microsoft AD.
AWS Managed Microsoft AD provides support for LDAPS in both of the following deployment scenarios:
- Server-side LDAPS encrypts LDAP communications between your commercial or homegrown LDAP-aware applications and AWS Managed Microsoft AD. This helps to improve security and meet compliance requirements using the Secure Sockets Layer (SSL) cryptographic protocol.
- Client-side LDAPS encrypts LDAP communications between AWS applications such as Amazon WorkSpaces and your self-managed Active Directory.
To learn more about how to protect your infrastructure, plus more on Microsoft or security-related topics, check out these blog posts:
Why run Microsoft workloads on AWS?
How to perform AWS IAM database authentication
How to use security groups for pods on Amazon EKS
nClouds can help you with AWS Managed Microsoft AD and all your AWS services requirements.
