LDAP Firewall: Guarding Your Active Directory with Open-Source Protection

LDAP Firewall

LDAP Firewall is an open-source tool for Windows servers that lets you audit and restrict incoming LDAP requests. Its primary use cases are to protect Domain Controllers, block LDAP-based attacks, and tightly control access to the Active Directory schema (e.g. enforcing read-only access for users). The tool is written in C++ and makes use of the Microsoft Detours and JsonCpp packages.

Main Features

  • Allow / block incoming LDAP queries based on different parameters (operation type, source IP, user, DN etc.)
  • Event logging for LDAP queries

How It Works

The LDAP Firewall inspects incoming LDAP operations (which are used to read or modify entries in the AD schema) and allows or blocks the request based on the configured rules.
The operation also gets written into the Windows Event Log with the LDAPFW action and other relevant fields (Distinguished Name, attributes, OID, etc.).

SharpHound unable to obtain entities from LDAP

Who is this made for?

  • Security Engineers who want to control LDAP access and achieve a Least Privilege model
  • Threat Hunters and SOC analysts who want to be create detections and perform investigations around LDAP
  • Security Researchers who want to explore and deepen their understanding of the protocol

How LDAP Firewall works

The LDAP Firewall is built from 3 main components:



Main executable which loads the configuration, sets up the environment and injects the firewall into lsass.exe (the main Windows process which enforces the security policy and handles LDAP connections in Windows servers).



The actual LDAP Firewall code, which detours the internal Windows LDAP functions in order to manage and audit LDAP requests.



Handles writing audit messages to the Windows Event Log, which are written to Application and Services Logs\LDAPFW.

Install & Use