How to perform hardening on your Nodinite LDAP Web API
Make sure you only allow, and use, the HTTPS protocol
Do use HTTPS
We strongly recommend the usage of server-based certificates to enforce the use of the HTTPS protocol and for the protection of the privacy and integrity of data sent between the Client/Consumer and the LDAP Web API.
If you have a DNS/alias name for your certificate, you can use a Web Site and redirect to it using a binding (self-signed certificates do work, but are not recommended).
- Make sure to select HTTPS and port 443
- Select the certificate to use
Require SSL
By default, IIS applications do not require SSL.
You should enable the 'Require SSL' checkbox. To do so, you must first have installed a valid certificate; see the section 'Install certificate'.
Install certificate
Internet Information Services (IIS) Server Certificate Installation Instructions
- Make sure the IIS server hosting the LDAP Web API has a static IP address (dynamic assignment of IP addresses requires some kind of dynamic DNS solution).
- Create a DNS record pointing to the LDAP Web API server.
- Create a valid certificate (NOTE: SHA1 based certificates are being deprecated, read more here)
- Reuse a certificate issued under your existing company policies, or
- Issue and manage a free certificate, for example using Let's Encrypt; an easy way is to use Certify SSL Manager, which supports IIS.
- Install the valid certificate on the IIS server.
- Make sure to redirect incoming HTTP calls to HTTPS (multiple solutions exist), for example by enabling Require SSL.
Restrict users by IP
The LDAP Web API does not authenticate callers, so you may need to restrict access to a trusted TCP/IP address range.
Microsoft has detailed instructions for configuring IIS to restrict access by IP address; please review the user guide IIS 8.0 Dynamic IP Address Restrictions.
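The HTTPS binding, Require SSL and IP-restriction steps above, combined into one added PowerShell example (not a script shipped by Nodinite). It assumes the IIS WebAdministration module, that the LDAP Web API is the application 'LdapWebApi' under 'Default Web Site', and placeholder values for the certificate thumbprint and the allowed client subnet.

```powershell
# Added hardening example; the application path, thumbprint and subnet are placeholders.
Import-Module WebAdministration

$siteName   = "Default Web Site"
$appPath    = "$siteName/LdapWebApi"                          # hypothetical application path
$thumbprint = "0000000000000000000000000000000000000000"      # placeholder: thumbprint of the installed cert
$allowedNet = "10.0.0.0"                                      # placeholder: trusted client network
$allowedMask = "255.255.255.0"

# 1. HTTPS binding on port 443 tied to the installed certificate ("Do use HTTPS").
$cert = Get-Item "Cert:\LocalMachine\My\$thumbprint" -ErrorAction SilentlyContinue
if (-not $cert) { throw "Certificate $thumbprint not found in LocalMachine\My" }
if (-not (Get-WebBinding -Name $siteName -Protocol https -Port 443)) {
    New-WebBinding -Name $siteName -Protocol https -Port 443
}
if (-not (Test-Path "IIS:\SslBindings\0.0.0.0!443")) {
    New-Item -Path "IIS:\SslBindings\0.0.0.0!443" -Value $cert | Out-Null
}

# 2. Require SSL for the application: plain HTTP requests are refused with 403.4,
#    which is the simplest way to satisfy "redirect incoming HTTP calls to HTTPS".
Set-WebConfigurationProperty -PSPath "IIS:\" -Location $appPath `
    -Filter "system.webServer/security/access" -Name "sslFlags" -Value "Ssl"

# 3. Restrict the unauthenticated API to a trusted address range ("Restrict users by IP").
#    Needs the "IP and Domain Restrictions" role service.
if (-not (Get-WindowsFeature Web-IP-Security).Installed) {
    Install-WindowsFeature Web-IP-Security | Out-Null
}
$ipFilter = "system.webServer/security/ipSecurity"
# Unlock the section so it can be configured per application, deny everything
# that is not explicitly listed, then allow only the trusted subnet.
Set-WebConfiguration -Filter $ipFilter -PSPath "IIS:\" -Metadata overrideMode -Value Allow
Set-WebConfigurationProperty -PSPath "IIS:\" -Location $appPath `
    -Filter $ipFilter -Name "allowUnlisted" -Value $false
$already = Get-WebConfiguration -PSPath "IIS:\" -Location $appPath `
    -Filter "$ipFilter/add[@ipAddress='$allowedNet']"
if (-not $already) {
    Add-WebConfigurationProperty -PSPath "IIS:\" -Location $appPath -Filter $ipFilter -Name "." `
        -Value @{ ipAddress = $allowedNet; subnetMask = $allowedMask; allowed = $true }
}

# 4. Read back the effective settings so the change can be verified after a restart.
Get-WebConfiguration -PSPath "IIS:\" -Location $appPath -Filter "system.webServer/security/access" |
    Select-Object sslFlags
Get-WebConfiguration -PSPath "IIS:\" -Location $appPath -Filter $ipFilter |
    Select-Object allowUnlisted
```

Run it in an elevated PowerShell on the IIS server; afterwards a plain HTTP request to the API should return 403.4 and a request from outside the subnet should return 403.6.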
Swagger
The LDAP Web API has Swagger support, available by appending /swagger to the address. Access to the Swagger address is intended for developers, not end users.