You are spot on: you can control access to the service endpoint via a Windows Firewall rule, but not the authentication creds passed from the endpoint that is authorized. This would reduce the attack surface but not eliminate the attack altogether.
Ed

On Aug 27, 2015 11:21 AM, "Christopher Bodnar" <[email protected]> wrote:

> Got a request from our security group. New application that will connect
> to AD to do some provisioning functions (adds, deletes, modifications,
> etc.). They want to know if we can restrict the service account by IP
> address. The thinking is that if the account and password got compromised,
> and it was restricted to only being allowed from one IP address, that
> would reduce the attack surface. I'm not aware of a way to do this in AD.
> Even with NAP and NPS, I don't think you could really do this. As
> compensating controls we will remove the ability to logon locally or
> through terminal services like we do with other service accounts.
>
> Any suggestions?
>
> Thanks,
>
> Christopher Bodnar
> Enterprise Architect II, Corporate Office of Technology: Enterprise
> Architecture and Engineering Services
> Tel 610-807-6459
> 3900 Burgess Place, Bethlehem, PA 18017
> [email protected]
> The Guardian Life Insurance Company of America
> www.guardianlife.com <http://www.guardianlife.com/>
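The two halves of Ed's point, as an added PowerShell example that is not part of the thread: the firewall can scope which hosts reach the application's own endpoint, and nothing in AD binds the service account's credential to an IP, so the compensating control for the credential is detection. The account name (svc-adprov), the application host IP (10.0.5.20), its assumed API port (8443), the admin subnet (10.0.9.0/24) and the DC names (DC01, DC02) are all hypothetical; the script needs rights to read the Security log on the DCs.

```powershell
# Added example, not from the thread. Every name and address below is an assumption.
$ServiceAccount    = 'svc-adprov'          # the provisioning app's service account
$AllowedSourceIp   = '10.0.5.20'           # the only host that should ever use it
$DomainControllers = 'DC01', 'DC02'        # DCs whose Security logs we read

# Part 1: what a Windows Firewall rule CAN do. On the application host, only accept
# the app's inbound API port (assumed 8443) from the admin subnet. This limits who can
# reach the endpoint; it does nothing to the credential. Anyone holding svc-adprov's
# password can still authenticate to a DC over Kerberos/LDAP from any host that can
# reach it, because AD has no per-account source-IP restriction.
New-NetFirewallRule -DisplayName 'ADProv app: API reachable from admin subnet only' `
    -Direction Inbound -Protocol TCP -LocalPort 8443 `
    -RemoteAddress '10.0.9.0/24' -Action Allow -Profile Domain

# Part 2: what you can do about the credential itself: detect its use from anywhere
# other than the allowed host. On a DC, event 4768 (Kerberos TGT requested) and
# event 4624 (logon) both carry the client address in the IpAddress field.
# Note: NTLM validation (4776) records only a workstation name, not an IP, so a
# pure-NTLM path from a renamed host is a gap this check does not close.
function Get-UnexpectedServiceAccountUse {
    param(
        [Parameter(Mandatory)] [string]   $Account,
        [Parameter(Mandatory)] [string]   $AllowedIp,
        [Parameter(Mandatory)] [string[]] $Dcs,
        [int] $Hours = 24
    )
    $since = (Get-Date).AddHours(-$Hours)
    foreach ($dc in $Dcs) {
        $events = Get-WinEvent -ComputerName $dc -FilterHashtable @{
            LogName   = 'Security'
            Id        = 4768, 4624
            StartTime = $since
        } -ErrorAction SilentlyContinue

        foreach ($e in $events) {
            # Pull the EventData name/value pairs out of the event XML
            $xml  = [xml]$e.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

            $user = $data['TargetUserName']
            # Kerberos events report IPv4 clients as IPv4-mapped IPv6 (::ffff:a.b.c.d)
            $ip   = ($data['IpAddress'] -replace '^::ffff:', '')

            if ($user -ne $Account)  { continue }   # some other principal
            if ($ip   -eq $AllowedIp) { continue }  # expected host, nothing to report

            [pscustomobject]@{
                TimeCreated = $e.TimeCreated
                DC          = $dc
                EventId     = $e.Id
                Account     = $user
                SourceIp    = $ip
            }
        }
    }
}

# Any row here is the service account being used from a host that should not have it.
Get-UnexpectedServiceAccountUse -Account $ServiceAccount -AllowedIp $AllowedSourceIp `
    -Dcs $DomainControllers | Format-Table -AutoSize
```

Run the detection part on a schedule and alert on any output; it is the practical substitute for the per-IP restriction that AD cannot enforce, and it complements the "deny log on locally / through Remote Desktop Services" user-rights assignments Christopher mentions.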
