Security considerations
June 29, 2024 at 4:56 AM
Before you start to configure the Next Active Directory Integration plug-in you must carefully read this section.
After you have completed the configuration, please read this section again and compare your WordPress environment with the hints given on this page. Make sure that you understand the impact of this WordPress plug-in on your network infrastructure. If you are not sure what these things mean, please contact us so that we can provide you with professional support.
Introduction
Every piece of software has bugs and must be treated as a potential threat. Although we are not aware of any security bugs in NADI, we must assume that they are present. Due to its nature (it connects your public WordPress site to your internal Active Directory), NADI must be seen as a primary target for gaining access to your internal network and systems. The following rules can drastically reduce the possible security threats.
Obscurity
Please follow these rules to reduce common attack vectors:
- If you have to use NAT to connect NADI with your internal Active Directory through a firewall, use DNAT on your firewall to map TCP/389 to a random port number larger than 1024. This is not a real security feature, but a simple port scan will not detect the open port.
- To minimize hacking attempts against your WordPress installation, change the default path of /wp-admin to something your users can remember but which is not easy for attackers to guess. Do not put a link to your login page on your website.
- Do not expose any internal information on the WordPress login page, such as “Please login with your username@$MYDOMAIN.$INTERNAL”.
Policies
Users
- Users belonging to administrative security groups like Domain Administrators should never be synchronized nor be able to log into your WordPress installation.
- If you want to use the Sync to WordPress feature please create a dedicated service account in your Active Directory which has only read and no write permissions.
- If you want to allow user attributes to be written from your WordPress instance back into your Active Directory, execute the synchronization with the user’s own credentials and not through the Sync to AD user. If the Sync to AD user’s credentials get exposed, an attacker gains read and write access to all the users in your Active Directory. If only a single user’s account is compromised, the attacker is restricted to that user’s data.
Passwords
- Choose a strong password policy
- Choose random passwords
- Enable Next ADI’s Brute Force Protection
Restrictions
Restrict access to critical endpoints on a per-IP basis:
- If possible, restrict access to the WordPress administration area to your company network’s IP address range by using firewall rules or restrictions in your WordPress front-end proxy.
- If you have to use DNAT to connect your WordPress to your Active Directory, restrict access to the open firewall port on a per-IP basis.
- If you use a VPN, restrict access from your webserver endpoint to the IP address and port of your Active Directory. Do not allow any other target addresses or ports!
Encryption
Under no circumstances use an unencrypted LDAP connection between WordPress and Active Directory! Use either StartTLS or LDAPS (LDAP over TLS) with TLS encryption and valid certificates. In addition, your WordPress instance must use HTTPS to encrypt the connection between your clients and the webserver.
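As an added example (not NADI's own code and not part of this page), the following PHP shows what an encrypted, certificate-verified LDAP connection from the web server to a domain controller looks like, failing closed rather than silently falling back to plaintext; the host name, CA bundle path, service-account DN and environment variable are assumed placeholders.

```php
<?php
// Added example, not NADI's own code: open an LDAP connection from PHP (the
// language WordPress plug-ins run in) that fails closed unless the link is
// TLS-protected and the domain controller's certificate chains to a trusted CA.
// Requires the php-ldap extension (PHP >= 7.1 for the TLS option constants).
// Host name, CA bundle path and service-account DN below are assumed values.

function connect_ad_encrypted(string $host, string $caFile, string $bindDn,
                              string $bindPw, bool $useStartTls = false)
{
    // LDAPS on TCP/636 by default; port 389 is only used together with StartTLS.
    $uri = $useStartTls ? "ldap://$host:389" : "ldaps://$host:636";
    $ds = ldap_connect($uri);
    if ($ds === false) {
        throw new RuntimeException("invalid LDAP URI: $uri");
    }
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);
    // Demand a server certificate that validates against our CA bundle. Without
    // LDAP_OPT_X_TLS_DEMAND libldap may accept any certificate, so the "encrypted"
    // link could be intercepted by a man in the middle.
    if (!ldap_set_option($ds, LDAP_OPT_X_TLS_CACERTFILE, $caFile)
        || !ldap_set_option($ds, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND)) {
        throw new RuntimeException('could not enable certificate verification');
    }
    if ($useStartTls && !@ldap_start_tls($ds)) {
        // Never fall back to plaintext when the server refuses StartTLS.
        throw new RuntimeException('StartTLS failed: ' . ldap_error($ds));
    }
    // Bind as the dedicated, read-only sync account; @ suppresses the PHP
    // warning so the failure is reported through the exception only.
    if (!@ldap_bind($ds, $bindDn, $bindPw)) {
        throw new RuntimeException('bind failed: ' . ldap_error($ds));
    }
    return $ds;
}

// Usage (assumed values): the password comes from the environment, never from source.
$ds = connect_ad_encrypted(
    'dc01.example.internal',
    '/etc/ssl/certs/corp-root-ca.pem',
    'CN=svc-wp-sync,OU=Service Accounts,DC=example,DC=internal',
    getenv('NADI_SYNC_PASSWORD') ?: ''
);
// Read-only lookup; no modify operations are ever issued with this account.
$result = ldap_search($ds, 'DC=example,DC=internal', '(sAMAccountName=jdoe)', ['mail']);
print_r(ldap_get_entries($ds, $result));
ldap_unbind($ds);
```

If the domain controller presents a certificate that does not chain to the configured CA bundle, the bind (or StartTLS) fails with an exception instead of proceeding over an unverified link.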
WordPress AUTH_SALT salt
Each password used by NADI (e.g. passwords for service accounts) is encrypted with the help of WordPress’ AUTH_SALT salt. There may come a time when you have to change that AUTH_SALT. Please take a look at our FAQ entry on how to deal with that situation.