How Can Live LDAP Lookup Login Credentials Be Encrypted?


Article ID: 159516


Updated On:


Data Loss Prevention Enforce


Encryption of Live LDAP Lookup login.


Currently, Symantec DLP does not store the LDAP key encrypted. There is an enhancement filed for this feature under PM-781. However, there might be a workaround that could be put in place to ensure that this file is not read by outside sources.

This is not a supported or certified procedure within Symantec DLP products and must be tested by the client to assess whether or not this fulfills the requirements of the client. Windows EFS could make the properties file more secure against some threats, and would not require a Symantec DLP product enhancement. It would protect the file against being read straight off the disk or being read by any user, other than the protect user and perhaps the local administrator account.

To encrypt the file under EFS, the client must run the following "cipher" command from the command line:

cipher /e /a Vontu\Protect\config\

In Windows XP and later, you can further protect against access by the local Administrator by using a SYSKEY that is either typed in at start up or stored on a floppy, with the caveat that you then must protect that floppy/PostIt note, and make sure it is available any time the server needs to be restarted.

For more information, see