CISSP Domain 5 IAM

Directory Services and LDAP Security: Protecting the Source of Truth for Identity

CISSP lens: Pick answers that align business risk, governance intent, and practical control execution.

Why this matters

Directory services like Active Directory sit at the center of identity for many organizations. If attackers compromise the directory, they effectively own your environment. Understanding how directories and LDAP work, and how to secure them, is critical both for CISSP success and for real-world security.

Core concept

A directory service is a specialized database that stores information about users, groups, computers, and other resources. It provides a central place to locate and manage these objects.

Directory architecture

Common directory technologies include:

  • LDAP directories such as OpenLDAP
  • Microsoft Active Directory for Windows networks
  • Cloud directories such as Azure AD and managed LDAP services

Directories:

  • Store objects like user accounts, groups, and policies
  • Provide search capabilities to find and retrieve information
  • Act as the authoritative source for many authentication and authorization decisions

LDAP basics

The Lightweight Directory Access Protocol (LDAP) is the standard protocol many directories use.

Key operations:

  • Bind: Authenticate to the directory
  • Search: Look up objects and attributes
  • Add, modify, delete: Change entries in the directory

Security issues arise when binds and queries are not protected or validated.

Securing LDAP communications

Unencrypted LDAP on port 389 transmits simple-bind credentials in cleartext. To protect against eavesdropping, use:

  • LDAPS: LDAP over TLS, typically on port 636
  • StartTLS: Upgrade an existing LDAP connection to use TLS

In both cases, the goal is to encrypt the connection before sending any credentials or sensitive data.

LDAP injection

LDAP queries often incorporate user input. If that input is not sanitized, attackers can manipulate the query structure, similar to SQL injection.

Example:

  • Application builds a filter like `(uid=" + userInput + ")`
  • If userInput contains special characters or crafted patterns, the filter can be altered to bypass checks

Prevent LDAP injection by:

  • Using parameterized queries or safe APIs
  • Validating and escaping input
  • Restricting what attributes can be queried based on user input
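The concatenated filter from the example next to a hardened version, as an added illustration that is not code from the original article. It escapes the filter metacharacters per RFC 4515 and applies an allowlist first; the username pattern and the `uid` attribute are assumptions.

```python
import re

# RFC 4515 escapes for the characters that change a filter's structure.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# Allowlist for login names (assumed policy); anything outside it is rejected before escaping.
_USERNAME_RE = re.compile(r"[A-Za-z0-9._-]{1,64}")


def escape_filter_value(value: str) -> str:
    """Escape a value so it is matched as literal text, never as filter syntax."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_filter_vulnerable(username: str) -> str:
    """String concatenation: the pattern the article warns about."""
    return "(uid=" + username + ")"


def build_filter_safe(username: str) -> str:
    """Same template, but the value is escaped before it enters the filter."""
    return "(uid=" + escape_filter_value(username) + ")"


def lookup_filter(username: str) -> str:
    """Validate, then escape: both of the controls the article lists."""
    if not _USERNAME_RE.fullmatch(username):
        raise ValueError("username contains characters outside the allowed set")
    return build_filter_safe(username)


def count_clauses(ldap_filter: str) -> int:
    """Count attribute=value clauses; a login filter should contain exactly one."""
    return len(re.findall(r"\([A-Za-z]+=", ldap_filter))
```

Running `count_clauses` over both builders with the same input shows the difference: the concatenated filter can grow extra clauses, the escaped one cannot.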

Active Directory security

Active Directory adds several layers beyond pure LDAP:

  • Group Policy for centralized configuration
  • Authentication using Kerberos and NTLM
  • Trust relationships between domains and forests

Securing AD involves:

  • Protecting domain controllers physically and logically
  • Implementing tiered administration, where admin accounts for higher tiers are used only on systems at that tier
  • Limiting domain and enterprise admin memberships
  • Monitoring for suspicious replication, privilege escalation, and abnormal changes

Hybrid and cloud directories

Many organizations now use hybrid environments where on-premises AD synchronizes with cloud directories.

Security considerations include:

  • Securing synchronization channels
  • Managing where identities are mastered and how attributes flow
  • Applying consistent policies across on-premises and cloud

CISSP lens

Domain cross-reference

For CISSP, directory services appear in Domain 5 and others.

Important points:

  • LDAP is the protocol; Active Directory is an implementation that also includes Kerberos, Group Policy, and more.
  • Encrypted LDAP (LDAPS or StartTLS) is required to protect credentials in transit.
  • LDAP injection is a security risk that must be mitigated just like SQL injection.
  • Domain controllers are critical infrastructure that require strong protection and monitoring.

You may be asked to recommend controls for securing directory services, or to recognize insecure LDAP configurations.

Real world scenario

A web application used LDAP binds against Active Directory to authenticate users. The application connected over port 389 without TLS and built LDAP filters by concatenating user input.

An attacker on the same network segment captured traffic and extracted several usernames and passwords in cleartext LDAP binds. They used those credentials to log in as valid users.

Separately, another attacker discovered that the login filter could be manipulated, allowing them to authenticate without knowing a valid password.

After these issues were discovered, the organization:

  • Required LDAPS for all LDAP connections and disabled simple binds over unencrypted channels
  • Updated the application to use parameterized LDAP queries and strict input validation
  • Restricted which attributes the application could access
  • Monitored directory logs for unusual bind patterns and failed authentication attempts

Directory attack paths attackers love

Beyond protocol-level issues, attackers exploit the directory's own configuration. Four patterns account for most real-world Active Directory compromises:

DCSync abuse
  • How it works: An account with replication rights requests password data the way a domain controller would, harvesting every hash in the domain
  • Defense: Audit who holds replication permissions; alert on replication requests from non-DC systems

Unconstrained delegation
  • How it works: A compromised server trusted for delegation caches the tickets of every user who connects, including admins
  • Defense: Eliminate unconstrained delegation; use constrained or resource-based delegation; mark sensitive accounts as not-delegatable

ACL misconfiguration
  • How it works: Write or reset-password rights on privileged objects granted to broad groups, creating invisible escalation chains
  • Defense: Regularly map effective permissions on privileged objects with path-analysis tooling and prune

Stale and orphaned objects
  • How it works: Forgotten accounts, old trusts, and unused service accounts with weak passwords provide quiet entry points
  • Defense: Lifecycle hygiene: disable on inactivity, review trusts annually, inventory service accounts with owners

The shared lesson: the directory's configuration is an attack surface in its own right. You can encrypt every LDAP bind and still lose the domain to a delegation setting from 2014.

What good directory monitoring looks like

Directory logs are voluminous, so effective monitoring concentrates on a short list of high-signal events: changes to privileged group membership (any addition to domain or enterprise admin tiers should page someone), changes to the audit policy or GPOs that apply to domain controllers, replication requests from unexpected sources, service ticket request anomalies suggestive of Kerberoasting, mass account lockouts or password resets, and authentication from dormant accounts.

Two operational habits separate mature shops from the rest. First, baseline before you alert: a week of observing normal replication, delegation, and admin behavior turns noisy rules into precise ones. Second, treat the directory as tier-zero infrastructure in your incident plans: a suspected domain controller compromise is not a normal incident, and the recovery plan (including offline backups of the directory and a tested forest-recovery procedure) needs to exist before the bad day, because rebuilding identity for the whole organization is the single longest critical path in any major breach recovery.
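A small detector for three of the high-signal conditions above (privileged group additions, replication requests from non-DC accounts as in the DCSync pattern, and RC4 service-ticket bursts suggestive of Kerberoasting), added here as an example rather than taken from the article. The event IDs and replication-right GUIDs are the real Windows and Active Directory values; the dictionary keys are simplified from the event XML, and the hosts, accounts, and events are constructed.

```python
# Keys are simplified from the Windows Security event XML; sample values are constructed.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
}
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}
DOMAIN_CONTROLLERS = {"DC01$", "DC02$"}   # constructed: computer accounts allowed to replicate
GROUP_ADD_EVENTS = {4728, 4732, 4756}     # member added to global / local / universal group
RC4_HMAC = "0x17"                         # ticket encryption type favoured for Kerberoasting


def detect(events, kerberoast_threshold=3):
    """Return (alert_type, actor, detail) tuples for the three conditions above."""
    alerts = []
    rc4_services = {}   # requester -> distinct non-computer services requested with RC4
    for e in events:
        eid = e["EventID"]
        if eid in GROUP_ADD_EVENTS and e["TargetGroup"] in PRIVILEGED_GROUPS:
            alerts.append(("privileged_group_add", e["SubjectUser"], e["TargetGroup"]))
        elif eid == 4662:
            # Only domain controllers should exercise replication rights.
            rights = REPLICATION_RIGHTS & set(e["Properties"])
            if rights and e["SubjectUser"] not in DOMAIN_CONTROLLERS:
                alerts.append(("replication_from_non_dc", e["SubjectUser"], sorted(rights)))
        elif (eid == 4769 and e["TicketEncryptionType"] == RC4_HMAC
              and not e["ServiceName"].endswith("$")):   # computer accounts end in $
            rc4_services.setdefault(e["TargetUserName"], set()).add(e["ServiceName"])
    for requester, services in rc4_services.items():
        if len(services) >= kerberoast_threshold:
            alerts.append(("possible_kerberoasting", requester, len(services)))
    return alerts


SAMPLE_EVENTS = [  # constructed sample, not real telemetry
    {"EventID": 4728, "SubjectUser": "helpdesk01", "TargetGroup": "Domain Admins"},
    {"EventID": 4728, "SubjectUser": "helpdesk01", "TargetGroup": "Print Operators"},
    {"EventID": 4662, "SubjectUser": "DC02$", "Properties": ["1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"]},
    {"EventID": 4662, "SubjectUser": "svc_backup", "Properties": ["1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"]},
    {"EventID": 4769, "TargetUserName": "jdoe@CORP.LOCAL", "ServiceName": "WS042$", "TicketEncryptionType": "0x17"},
    {"EventID": 4769, "TargetUserName": "jdoe@CORP.LOCAL", "ServiceName": "svc_sql", "TicketEncryptionType": "0x17"},
    {"EventID": 4769, "TargetUserName": "jdoe@CORP.LOCAL", "ServiceName": "svc_web", "TicketEncryptionType": "0x17"},
    {"EventID": 4769, "TargetUserName": "jdoe@CORP.LOCAL", "ServiceName": "svc_iis", "TicketEncryptionType": "0x17"},
    {"EventID": 4769, "TargetUserName": "asmith@CORP.LOCAL", "ServiceName": "svc_sql", "TicketEncryptionType": "0x12"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The Kerberoasting threshold is where the baseline-before-alert habit applies: set it from the number of distinct RC4 service tickets a legitimate user requests in your environment, not from a guess.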

Common mistakes

Allowing simple binds over unencrypted LDAP so credentials are exposed to anyone who can sniff the network.

Assuming directories are internal only and not hardening them as critical assets.

Ignoring LDAP injection risks in custom applications.

Granting overly broad permissions to service accounts used for directory access.

Exposing domain controllers to untrusted networks or placing them in vulnerable network segments.

Actionable checklist

  • Audit all LDAP connections to verify they use LDAPS or StartTLS. Disable unencrypted simple binds.
  • Review custom applications that query LDAP for input validation and resistance to LDAP injection.
  • Implement a tiered administration model in Active Directory and limit high-privilege group memberships.
  • Restrict network access to domain controllers to necessary management and application servers only.
  • Enable and review directory service audit logging, including changes to critical groups and policies.
  • For hybrid environments, secure synchronization with strong authentication and encryption, and document which system is the authoritative source for each identity attribute.

Key takeaways

  • Directory services are the authoritative source of identity information and must be protected accordingly.
  • LDAP communications must be encrypted to prevent credential disclosure.
  • LDAP injection attacks are preventable through proper input handling.
  • Active Directory security requires protecting domain controllers, controlling privileged groups, and monitoring for abnormal changes.
  • Hybrid directory setups introduce new attack surfaces that need careful design and monitoring.

Exam-style reflection

Question: An application authenticates users by binding to an LDAP directory with their username and password over port 389 without TLS. What is the primary security risk, and what control should be implemented first?

Answer: The primary risk is that credentials are transmitted in cleartext, allowing attackers with network access to capture usernames and passwords. The first control should be to require encrypted LDAP, using LDAPS or StartTLS, for all binds so that credentials are protected in transit.

© 2025 Threat On The Wire. All rights reserved.