How to perform hardening on your Nodinite LDAP Web API
Make sure you only allow, and use, the HTTPS protocol
We strongly recommend the usage of server-based certificates to enforce the use of the HTTPS protocol and for the protection of the privacy and integrity of data sent between the Client/Consumer and the LDAP Web API.
There is a slight performance overhead using HTTPS.
If you have a DNS alias name for your certificate, you can use an IIS Web Site and bind the certificate to it with an HTTPS binding (self-signed certificates do work, but are not recommended).
- Make sure to select HTTPS and port 443
- Select the certificate to use
By default, the 'Require SSL' setting is not enabled for IIS applications.
You should check this checkbox. In order to do so, you must first have installed a valid certificate, see section 'Install certificate'.
- Make sure the IIS server hosting the LDAP Web API has a static IP address (dynamic assignment of IP addresses requires some kind of dynamic DNS solution)
- Create a DNS record pointing to the LDAP Web API server.
- Create a valid certificate (Note: SHA1 based certificates are being deprecated, read more here)
- Install a valid certificate on the IIS
- Make sure to redirect incoming HTTP calls to HTTPS (multiple possible solutions exist), for example Require SSL
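The steps above, carried out with the IIS WebAdministration module, as an added example that is not part of Nodinite's documentation or tooling. The site name ('Default Web Site'), the application name ('LdapWebApi'), the host name and the certificate subject are assumptions; the HTTP-to-HTTPS redirect rule additionally assumes the IIS URL Rewrite module is installed, since Require SSL on its own only rejects plain HTTP with a 403.4 response.

```powershell
# Added example (not Nodinite's own script): HTTPS binding, Require SSL and an
# HTTP-to-HTTPS redirect for the LDAP Web API on IIS. All names below are assumptions.
Import-Module WebAdministration

$siteName = 'Default Web Site'       # assumed IIS site hosting the API
$appName  = 'LdapWebApi'             # assumed IIS application name
$hostName = 'ldapapi.example.com'    # assumed DNS record created for the server
$appHost  = 'MACHINE/WEBROOT/APPHOST'    # write locked sections into applicationHost.config

# 1. Pick the installed, unexpired server certificate for the host name from the
#    machine store (see 'Install certificate'); fail early if it is not there.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$hostName*" -and $_.NotAfter -gt (Get-Date) } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No valid certificate for $hostName in LocalMachine\My" }

# 2. Add the HTTPS binding on port 443 (SslFlags 1 = SNI) if it is missing,
#    then attach the certificate to it.
$binding = Get-WebBinding -Name $siteName -Protocol https -Port 443 -HostHeader $hostName
if (-not $binding) {
    New-WebBinding -Name $siteName -Protocol https -Port 443 -HostHeader $hostName -SslFlags 1
    $binding = Get-WebBinding -Name $siteName -Protocol https -Port 443 -HostHeader $hostName
}
$binding.AddSslCertificate($cert.Thumbprint, 'My')

# 3. Require SSL on the LDAP Web API application. This is the 'Require SSL'
#    checkbox under SSL Settings; the access section is locked by default, so it
#    is written via the APPHOST path with a location, like IIS Manager does.
Set-WebConfigurationProperty -PSPath $appHost -Location "$siteName/$appName" `
    -Filter 'system.webServer/security/access' -Name 'sslFlags' -Value 'Ssl'

# 4. Redirect HTTP to HTTPS at the site level (requires the URL Rewrite module).
$ruleName = 'Redirect HTTP to HTTPS'
$rules    = 'system.webServer/rewrite/rules'
$rule     = "$rules/rule[@name='$ruleName']"
if (-not (Get-WebConfiguration -PSPath $appHost -Location $siteName -Filter $rule)) {
    Add-WebConfigurationProperty -PSPath $appHost -Location $siteName -Filter $rules -Name '.' `
        -Value @{ name = $ruleName; stopProcessing = 'True' }
    Set-WebConfigurationProperty -PSPath $appHost -Location $siteName -Filter "$rule/match" `
        -Name 'url' -Value '(.*)'
    Add-WebConfigurationProperty -PSPath $appHost -Location $siteName -Filter "$rule/conditions" -Name '.' `
        -Value @{ input = '{HTTPS}'; pattern = '^OFF$' }
    Set-WebConfigurationProperty -PSPath $appHost -Location $siteName -Filter "$rule/action" `
        -Name 'type' -Value 'Redirect'
    Set-WebConfigurationProperty -PSPath $appHost -Location $siteName -Filter "$rule/action" `
        -Name 'url' -Value 'https://{HTTP_HOST}/{R:1}'
    Set-WebConfigurationProperty -PSPath $appHost -Location $siteName -Filter "$rule/action" `
        -Name 'redirectType' -Value 'Permanent'
}

# 5. Verify the result: the HTTPS binding exists and sslFlags is 'Ssl'.
Get-WebBinding -Name $siteName | Format-Table protocol, bindingInformation
(Get-WebConfigurationProperty -PSPath $appHost -Location "$siteName/$appName" `
    -Filter 'system.webServer/security/access' -Name 'sslFlags').Value
```

Run the script in an elevated PowerShell session on the IIS server. After it completes, a request to http://ldapapi.example.com/LdapWebApi should answer with a 301 to the https:// URL, and the Swagger page should only be reachable over HTTPS.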
The LDAP Web API does not authenticate its callers, so you may need to restrict access to it by TCP/IP address range.
Microsoft has documented how to configure IIS to restrict access by IP address; please review the user guide IIS 8.0 Dynamic IP Address Restrictions.
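An added example, not taken from Nodinite's documentation, of restricting the unauthenticated LDAP Web API to known client address ranges with the IIS IP and Domain Restrictions feature, plus the dynamic restrictions from Microsoft's guide. The application path and the allowed ranges are assumptions; replace them with the networks your Nodinite consumers actually call from.

```powershell
# Added example (not Nodinite's own script): allow-list the client networks for the
# LDAP Web API and enable dynamic IP restrictions. Paths and ranges are assumptions.
Import-Module WebAdministration

$appHost  = 'MACHINE/WEBROOT/APPHOST'            # ipSecurity is locked at server level,
$location = 'Default Web Site/LdapWebApi'        # so write it via applicationHost.config

# The role feature must be installed before the ipSecurity section can be used.
if (-not (Get-WindowsFeature Web-IP-Security).Installed) {
    Install-WindowsFeature Web-IP-Security
}

# Static allow-list: deny everything that is not listed, then add the ranges
# the LDAP Web API consumers call from (constructed example ranges).
$ipSec = 'system.webServer/security/ipSecurity'
Set-WebConfigurationProperty -PSPath $appHost -Location $location -Filter $ipSec `
    -Name 'allowUnlisted' -Value $false

$allowedRanges = @(
    @{ ipAddress = '10.10.0.0';    subnetMask = '255.255.0.0'   },  # assumed internal network
    @{ ipAddress = '192.168.50.0'; subnetMask = '255.255.255.0' }   # assumed admin subnet
)
foreach ($range in $allowedRanges) {
    # Skip ranges that are already present so the script can be re-run safely.
    $existing = Get-WebConfiguration -PSPath $appHost -Location $location `
        -Filter "$ipSec/add[@ipAddress='$($range.ipAddress)']"
    if (-not $existing) {
        Add-WebConfigurationProperty -PSPath $appHost -Location $location -Filter $ipSec -Name '.' `
            -Value @{ ipAddress = $range.ipAddress; subnetMask = $range.subnetMask; allowed = 'True' }
    }
}

# Dynamic restrictions: temporarily block clients that open too many concurrent
# connections or send too many requests per interval (example values, tune them).
$dyn = 'system.webServer/security/dynamicIpSecurity'
Set-WebConfigurationProperty -PSPath $appHost -Location $location -Filter "$dyn/denyByConcurrentRequests" `
    -Name 'enabled' -Value $true
Set-WebConfigurationProperty -PSPath $appHost -Location $location -Filter "$dyn/denyByConcurrentRequests" `
    -Name 'maxConcurrentRequests' -Value 20
Set-WebConfigurationProperty -PSPath $appHost -Location $location -Filter "$dyn/denyByRequestRate" `
    -Name 'enabled' -Value $true
Set-WebConfigurationProperty -PSPath $appHost -Location $location -Filter "$dyn/denyByRequestRate" `
    -Name 'maxRequests' -Value 50
Set-WebConfigurationProperty -PSPath $appHost -Location $location -Filter "$dyn/denyByRequestRate" `
    -Name 'requestIntervalInMilliseconds' -Value 2000

# Review the resulting static rules.
Get-WebConfiguration -PSPath $appHost -Location $location -Filter "$ipSec/add" |
    Format-Table ipAddress, subnetMask, allowed
```

Clients outside the listed ranges receive a 403.6 response from IIS. Test from both an allowed and a non-allowed address before relying on the rule, and keep the allow-list in version control so changes to it are reviewed like any other firewall change.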
Make sure only to access the Swagger page using HTTPS