Senor Foglia
In preparation for Security Advisory ADV190023, I have enabled diagnostic logging on some of our domain controllers. We provide hosted messaging services to our customers, and each customer has their own dedicated domain controllers for their Exchange environments.
I increased the AD Diagnostic Event logging (16 LDAP Interface Events) on a few of the domain controllers and have discovered that both our e-mail gateway appliances and an archiving appliance are making insecure LDAP queries.
Microsoft suggests either using an AD-integrated Enterprise CA to generate server certificates or purchasing a public CA certificate in order to enable SSL capabilities on the domain controllers, but based on the following set of circumstances, I do not believe I can employ either solution:
1. The appliances are not on the customer's domains. They would have no access to the root CA if I were to enable an Enterprise CA in each domain.
2. The appliances connect to the customer's domain controllers via IP addresses. They do not have the ability to perform DNS lookups in the private domains of each customer in order to resolve an FQDN to an IP address.
3. All customers are using a unique internal domain (.local domain). We cannot get a public CA for a .local domain. And even if we could, the appliances would still need to resolve the FQDN of the server for the certificate to be used for SSL.
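An added example (not from the original post) of turning the diagnostic logging described above into a per-client inventory: at level 2, "16 LDAP Interface Events" makes the DC write one Event ID 2889 in the Directory Service log for each bind that is either SASL without signing or a simple bind over cleartext, which is exactly what ADV190023's LDAP signing and channel binding changes will reject. The registry path, value name and event ID are the standard NTDS ones; the regexes assume an English-language DC, and the function names are my own.

```powershell
# Run on a domain controller with local Administrator rights.
# Enable logging first, let the appliances bind for a day, then run the tally.
$diagKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'
$valueName = '16 LDAP Interface Events'

function Enable-LdapInterfaceLogging {
    # Level 2 logs Event 2889 per insecure bind plus the 24-hour summary Event 2887.
    Set-ItemProperty -Path $diagKey -Name $valueName -Value 2 -Type DWord
}

function Get-InsecureLdapBinds {
    param([int]$Hours = 24)
    $since  = (Get-Date).AddHours(-$Hours)
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Directory Service'; Id = 2889; StartTime = $since
    } -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # Fields are taken from the English message text (assumption: en-US DC).
        $addr = if ($e.Message -match 'Client IP address:\s*(\S+)') { $Matches[1] } else { 'unknown' }
        $id   = if ($e.Message -match 'attempted to authenticate as:\s*(.+)') { $Matches[1].Trim() } else { 'unknown' }
        $bt   = if ($e.Message -match 'Binding Type:\s*(\d+)') { [int]$Matches[1] } else { -1 }
        [pscustomobject]@{
            Time     = $e.TimeCreated
            ClientIp = $addr -replace ':\d+$', ''   # drop the source port (IPv4 or IPv6)
            Identity = $id
            # 0 = SASL bind without signing (needs signing), 1 = simple bind in cleartext (needs LDAPS)
            BindType = switch ($bt) { 0 { 'SASL-unsigned' } 1 { 'Simple-cleartext' } default { "unknown($bt)" } }
        }
    }
}

# Tally: which client addresses bind insecurely, and which fix each one needs.
Get-InsecureLdapBinds |
    Group-Object ClientIp, BindType |
    Sort-Object Count -Descending |
    Select-Object Count, @{ n = 'ClientIp, BindType'; e = { $_.Name } }
```

Appliances that show up as Simple-cleartext are the ones that need LDAPS (or a switch to a signed SASL bind), while SASL-unsigned clients may only need signing enabled on their side, which sidesteps the certificate and DNS constraints listed above.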