
LDAP Firewall – Enhancing Security With Advanced Active Directory Protection

LDAP Firewall is an open-source tool for Windows servers that lets you audit and restrict incoming LDAP requests.

Its primary use-cases are to protect Domain Controllers, block LDAP-based attacks and tightly control access to Active Directory objects (e.g. enforcing read-only access for users).

The tool is written in C++ and makes use of the Microsoft Detours and JsonCpp packages.

Some useful resources to get you started:

  • Introduction blog post – basics of LDAP and overview of the tool
  • Technical Deep Dive blog post – reverse-engineering the Windows LDAP service and how LDAP Firewall works
  • Leash the Hounds – how to stop BloodHound and other LDAP-based recon attacks using the LDAP Firewall
  • Tutorial video – covers how to install and use the tool
  • LDAP Firewall Workshop video – from DEATHCon 2023

Main Features

  • Allow / block incoming LDAP queries based on different parameters (operation type, source IP, user, DN etc.)
  • Event logging for LDAP queries

How It Works

The LDAP Firewall inspects incoming LDAP operations (the requests clients use to read or modify objects in Active Directory) and allows or blocks each request based on the configured rules.

The operation also gets written into the Windows Event Log with the LDAPFW action and other relevant fields (Distinguished Name, attributes, OID etc.).

Who Is This Made For?

  • Security Engineers who want to control LDAP access and achieve a Least Privilege model
  • Threat Hunters and SOC analysts who want to create detections and perform investigations around LDAP
  • Security Researchers who want to explore and deepen their understanding of the protocol

Preventing Attacks With LDAPFW

This section describes some common LDAP-based attacks that can be mitigated with the LDAP Firewall.
Sample config.json files can be found in the example_configs folder of the LDAPFW repository.

sAMAccountName Spoofing

LDAPFW can be configured to block all Add operations, which stops a low-privileged user from creating the computer account that Name Impersonation (CVE-2021-42278, part of the noPac chain) relies on, and so defends against sAMAccountName spoofing. One caveat: an attacker who already has write access to an existing computer object only needs a Modify operation on its sAMAccountName attribute, so a rule that also restricts writes to that attribute on computer objects closes the remaining path.
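To make the rule matching from "How It Works" and the sAMAccountName mitigation concrete, here is an added C++ example written for this page; it is not LDAPFW's code and does not use its config.json format. It models an LDAP firewall decision as a first-match rule list over the same parameters the tool filters on (operation type, source IP, user, DN and attribute) and carries a constructed policy that blocks the Add operation and the sAMAccountName rename described above while exempting a provisioning account on an admin subnet. The first-match semantics, the field names, the 10.0.0.0/24 subnet, the CORP principals and the DNs are all assumptions made for the illustration.

```cpp
// Added illustrative example, not LDAPFW code: an LDAP firewall's allow/block
// decision as a first-match rule list over operation, source IP, user, DN and
// attribute. Every name, subnet and rule below is constructed for the example.
#include <algorithm>
#include <cctype>
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>

enum class Action { Allow, Block };

struct LdapOp {                           // one decoded inbound LDAP request
    std::string operation;                // "add", "modify", "delete", "search"
    std::string sourceIp;                 // client IPv4, dotted quad
    std::string user;                     // authenticated principal, DOMAIN\name
    std::string dn;                       // target distinguished name
    std::vector<std::string> attributes;  // attributes the request touches
};

struct Rule {               // "*" in any string field matches anything
    std::string operation;  // LDAP operation type
    std::string cidr;       // source network, e.g. "10.0.0.0/8"
    std::string user;       // exact principal
    std::string dnSuffix;   // suffix the target DN must end with
    std::string attribute;  // attribute the request must touch
    Action action;
};

// LDAP attribute names and DNs compare case-insensitively, so normalise first.
static std::string lower(std::string s) {
    std::transform(s.begin(), s.end(), s.begin(),
                   [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
    return s;
}

// Parse "a.b.c.d" into a host-order 32-bit value; false on malformed input.
static bool parseIPv4(const std::string& text, uint32_t& out) {
    unsigned o[4];
    char extra;
    if (std::sscanf(text.c_str(), "%u.%u.%u.%u%c", &o[0], &o[1], &o[2], &o[3], &extra) != 4)
        return false;  // fewer than four octets, or trailing junk after them
    for (unsigned v : o) if (v > 255) return false;
    out = (o[0] << 24) | (o[1] << 16) | (o[2] << 8) | o[3];
    return true;
}

// True if ip lies inside cidr; "*" matches all and a bare address means /32.
static bool cidrMatch(const std::string& cidr, const std::string& ip) {
    if (cidr == "*") return true;
    std::string net = cidr;
    int bits = 32;
    auto slash = cidr.find('/');
    if (slash != std::string::npos) {
        net = cidr.substr(0, slash);
        bits = std::stoi(cidr.substr(slash + 1));
    }
    uint32_t n = 0, a = 0;
    if (bits < 0 || bits > 32 || !parseIPv4(net, n) || !parseIPv4(ip, a)) return false;
    uint32_t mask = bits == 0 ? 0u : 0xFFFFFFFFu << (32 - bits);  // << 32 would be UB
    return (n & mask) == (a & mask);
}

static bool ruleMatches(const Rule& r, const LdapOp& op) {
    if (r.operation != "*" && lower(r.operation) != lower(op.operation)) return false;
    if (!cidrMatch(r.cidr, op.sourceIp)) return false;
    if (r.user != "*" && lower(r.user) != lower(op.user)) return false;
    if (r.dnSuffix != "*") {  // suffix match on the normalised DN
        const std::string dn = lower(op.dn), suf = lower(r.dnSuffix);
        if (dn.size() < suf.size() ||
            dn.compare(dn.size() - suf.size(), suf.size(), suf) != 0) return false;
    }
    if (r.attribute != "*") {
        const std::string want = lower(r.attribute);
        if (!std::any_of(op.attributes.begin(), op.attributes.end(),
                         [&](const std::string& a) { return lower(a) == want; }))
            return false;
    }
    return true;
}

// First matching rule wins; an operation no rule covers is allowed.
Action decide(const std::vector<Rule>& rules, const LdapOp& op) {
    for (const Rule& r : rules)
        if (ruleMatches(r, op)) return r.action;
    return Action::Allow;
}

// Constructed policy: exempt the provisioning account on the admin subnet, then block
// object creation (MachineAccountQuota abuse) and computer-account renames for everyone else.
std::vector<Rule> samplePolicy() {
    return {
        {"*",      "10.0.0.0/24", "CORP\\svc-provision", "*", "*", Action::Allow},
        {"add",    "*", "*", "*", "*", Action::Block},
        {"modify", "*", "*", "CN=Computers,DC=corp,DC=local", "sAMAccountName", Action::Block},
    };
}
```

Rule order matters in a first-match design: the allow rule for the provisioning account sits above the blanket Add block, so the same Add request is allowed from 10.0.0.7 and blocked from 10.0.1.7. The third rule is scoped by DN suffix and attribute, so a Modify of sAMAccountName on a user object under CN=Users is not caught by it; widen the suffix if that is not the intent. Case-insensitive comparison is deliberate, since a client may send samaccountname or SAMACCOUNTNAME and the directory treats them the same.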


Varshini

Varshini is a Cyber Security expert in Threat Analysis, Vulnerability Assessment, and Research. Passionate about staying ahead of emerging Threats and Technologies.
