Forum Discussion
Mike_Finney_119
Nimbostratus
Sep 09, 2013
LDAP query for machine account?
I am still trying to flesh out our VPN solution but I am running into some issues with the client validation checks to fulfill security requirements. I would like to check to see if the remote client...
Mike_61719
Cirrus
Sep 13, 2013
Mike, you might want to consider multiple verification processes in place to determine access and not rely upon a domain name LDAP check. That isn't exactly the safest method ;)
In addition, I'm not sure if you're using the Edge Gateway or not, but the iRule isn't necessary. There are built-in checks to make this work.
Mike_Finney_119
Nimbostratus
Sep 16, 2013
Hi Mike,
Thanks for the reply. Not sure which built-in checks you are referring to there, but we are on APM 11.4. I am doing several checks to try to validate the machine as being part of our domain; this is what I have currently.
1. pull the machine name as above, then do an LDAP query against the domain to see if the computer account is a member
2. do a client-side registry check for this key: "HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\internaldomain.lan", as it will only be populated after a successful GPO push with our domain policy that includes the IE trusted zones.
3. Finally, I do a process check for our client inventory/asset management software. If it is installed, then they can pass.
I know it isn't perfect but I believe it is very very unlikely someone could fake all three simultaneously, and would require more effort than it would be worth.
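The computer-account lookup from step 1, as an added example that is not from this thread or from F5's APM: it builds the LDAP search filter for the client-supplied machine name with RFC 4515 escaping (so the name cannot widen the search) and then judges the result, passing only a single, non-disabled computer object. The LDAP connection itself and the sample result rows are assumed or constructed so it runs offline.

```python
import re

# Plausible NetBIOS-style computer name: letters, digits, hyphens, max 15 chars.
_HOSTNAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9-]{0,14}$")

ACCOUNTDISABLE = 0x0002  # userAccountControl bit set on disabled AD accounts


def escape_ldap_filter_value(value: str) -> str:
    """Escape a filter value per RFC 4515 so it cannot alter the filter structure."""
    out = []
    for ch in value:
        if ch in "*()\\\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def computer_account_filter(machine_name: str) -> str:
    """Return a filter matching only the computer object for machine_name.

    AD stores computer accounts with sAMAccountName = <NAME>$ (upper case).
    Names that are not plausible hostnames are rejected outright.
    """
    name = machine_name.strip()
    if not _HOSTNAME_RE.match(name):
        raise ValueError(f"rejected machine name: {machine_name!r}")
    sam = escape_ldap_filter_value(name.upper() + "$")
    return f"(&(objectClass=computer)(sAMAccountName={sam}))"


def is_active_domain_computer(entries) -> bool:
    """Interpret the search result: exactly one entry, and it is not disabled.

    `entries` is the list of attribute dicts an LDAP client would return for
    the filter above (assumed shape; rows in the sample below are constructed).
    """
    if len(entries) != 1:
        return False
    uac = int(entries[0].get("userAccountControl", 0))
    return not (uac & ACCOUNTDISABLE)


if __name__ == "__main__":
    # Constructed sample: what the directory might answer for "ws-0123".
    sample_result = [{"sAMAccountName": "WS-0123$", "userAccountControl": "4096"}]
    print(computer_account_filter("ws-0123"))
    print(is_active_domain_computer(sample_result))
```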