A security analyst is hardening a server with the directory services role installed. The analyst must ensure LDAP traffic cannot be monitored or sniffed and maintains compatibility with LDAP clients.
Which of the following should the analyst implement to meet these requirements? (Select two.)
A. Generate an X.509-compliant certificate that is signed by a trusted CA.
B. Install and configure an SSH tunnel on the LDAP server.
C. Ensure port 389 is open between the clients and the servers using the communication.
D. Ensure port 636 is open between the clients and the servers using the communication.
E. Remove the LDAP directory service role from the server.
If we use SSH to encrypt LDAP traffic, the port will remain 389, won't it?
If we use SSL/TLS to encrypt LDAP, we need port 636 and a certificate.
https://social.technet.microsoft.com/wiki/contents/articles/2980.ldap-over-ssl-ldaps-certificate.aspx
So, it seems that A&D are correct.
5
0
I think the answer is correct this time:
https://support.microsoft.com/en-ca/help/321051/how-to-enable-ldap-over-ssl-with-a-third-party-certification-authority
0
2
A&D
https://social.technet.microsoft.com/wiki/contents/articles/2980.ldap-over-ssl-ldaps-certificate.aspx
4
0
A & D. Port 636 is LDAP over SSL/TLS, which in turn needs an X.509 certificate to operate.
4
0
– LDAP uses port 389
– LDAPS uses port 636
So I still must use LDAP, yet this protocol must be “hardened”.
This means that I must use LDAP over TLS/SSL, which as seen is LDAPS.
An SSL-encrypted LDAP integration (LDAPS) communicates over TCP on port 636 by default. This communication channel requires a certificate.
The certificate required is in fact the X.509 certificate.
So the answer is A & D
7
0
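A client-side check for the two controls the comments settle on (port 636 reachable, server certificate chaining to a trusted CA), as an added example that is not part of the original question or comments. The host name and the optional CA bundle path are assumptions supplied by the caller.

```python
import socket
import ssl
import sys

LDAPS_PORT = 636  # LDAP over TLS; plain LDAP listens on 389


def ldaps_context(ca_file=None):
    """TLS client context that only accepts a chain ending in a trusted CA."""
    # ca_file: PEM bundle of the issuing CA (hypothetical path supplied by the
    # caller); None falls back to the system trust store.
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # create_default_context already sets CERT_REQUIRED and check_hostname=True.
    return ctx


def probe_ldaps(host, port=LDAPS_PORT, ca_file=None, timeout=5.0):
    """Return (status, detail) for a TLS handshake against an LDAPS listener."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            ctx = ldaps_context(ca_file)
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
                return "ok", {
                    "tls": tls.version(),
                    "notAfter": cert.get("notAfter"),
                    "subjectAltName": cert.get("subjectAltName", ()),
                }
    except ssl.SSLCertVerificationError as exc:
        # Self-signed, expired, wrong host name, or issued by an unknown CA.
        return "untrusted_cert", exc.verify_message
    except ssl.SSLError as exc:
        # Port answers but does not speak acceptable TLS.
        return "tls_failed", str(exc)
    except OSError as exc:
        # Port 636 closed, filtered, or host not resolvable.
        return "unreachable", str(exc)


if __name__ == "__main__" and len(sys.argv) > 1:
    # Usage: python probe_ldaps.py <directory-server-fqdn> [ca-bundle.pem]
    print(probe_ldaps(sys.argv[1], ca_file=sys.argv[2] if len(sys.argv) > 2 else None))
```

A status of `untrusted_cert` means port 636 is open but the certificate requirement is not met; `unreachable` means the port requirement is not met.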