- 2 minutes to read

How to perform hardening on your Nodinite LDAP Web API

Make sure you only allow, and use the HTTPS protocol

Do use HTTPS

We strongly recommend the usage of server-based certificates to enforce the use of the HTTPS protocol and for the protection of the privacy and integrity of data sent between the Client/Consumer and the LDAP Web API.

There is a slight performance overhead using HTTPS.

If you have a DNS/Alias name for your cert, you can use a Web Site and redirect using a binding (self signed certs do work, but are not recommended).
Add Web Site

  1. Make sure to select HTTPS and port 443
  2. Select the certificate to use

Require SSL

The default SSL setting for IIS applications is not required.
Default SSL

You should check this checkbox. In order to do so, you must have installed a valid certificate, see section 'Install certificate'.

SSL Required

Install certificate

Internet Information Services (IIS) Server Certificate Installation Instructions

  1. Make sure the IIS server hosting the LDAP Web API has a static IP address (dynamic assignment of IP addresses requires some kind of dynamic DNS solution)
  2. Create a DNS record pointing to the LDAP Web API server.
  3. Create a valid certificate (Note: SHA1 based certificates are being deprecated, read more here)
    1. Reuse from existing company policies
    2. Issue and manage a free certificate, for example, using Let's Encrypt, an easy way to is use Certify SSL Manager that supports IIS.
  4. Install a valid certificate on the IIS
  5. Make sure to redirect incoming HTTP calls to HTTPS (multiple possible solutions exists) - For example Require SSL

Restrict users by IP

The LDAP Web API is not authenticated and you may need to restrict by TCP/IP range.

Microsoft has detailed the instructions for configuring your IIS to restrict access by IP Address, please review the following user guide IIS 8.0 Dynamic IP Address Restrictions

Swagger

The LDAP Web API has Swagger support. This is available if you add /swagger to the address. Access to the Swagger address is intended for developers, not end users.

Make sure only to access the Swagger page using HTTPS

Swagger