
Encryption Management Keyserver service is enabled by default


Article ID: 214468


Products

Encryption Management Server Gateway Email Encryption

Issue/Introduction

The Encryption Management Server Keyserver service allows remote lookups of PGP public keys and S/MIME certificates over LDAP (port 389) and LDAPS (port 636) either from the internal network or over the Internet.

It is enabled by default.

However, for many environments, it is not needed. Best security practice is to reduce the attack surface by disabling services that are not required.

Note that Encryption Management Server 10.5 MP2 was patched to mitigate CVE-2020-25692 which affects the Keyserver service. See article 157729 for further details.

Environment

Symantec Encryption Management Server 3.4.2 and above with the Keyserver service enabled.

Resolution

By default, Encryption Desktop clients do not use the Keyserver service to look up keys. Instead, all key lookups are done over HTTPS. Managed installations of PGP Command Line also search for keys over HTTPS by default.

The Keyserver service is required only if:

  1. Remote Internet hosts are permitted to search for keys or certificates on the Encryption Management Server.
  2. Unmanaged installations of PGP Command Line search for keys on the Encryption Management Server using LDAP or LDAPS.
  3. Third party applications search for keys or certificates on the Encryption Management Server using LDAP or LDAPS. For example, the Outlook LDAP Address Book.

To disable the Keyserver service:

  1. Log into the administration console.
  2. Click on Services.
  3. Click on Keyserver.
  4. Click on the Disable button.

Note that disabling the Keyserver service will not prevent Encryption Management Server from searching for keys on remote hosts such as PGP Global Directory using LDAP or LDAPS, provided that this is permitted by the organization's firewall.

If remote Internet hosts are permitted to search for keys on the Encryption Management Server, it is possible to restrict such access by source IP address or range. However, restricting access and still running a public key server are clearly incompatible objectives:

  1. Log into the administration console.
  2. Click on Services.
  3. Click on Keyserver.
  4. Click on the Restrict Access button for port 389 (LDAP).
  5. Enable the option Enable Access Control for Connector.
  6. Select whether to block or allow addresses.
  7. Enter the IP addresses or address ranges to block or allow.
  8. Click the Add button.
  9. Click the Save button.
  10. Repeat the process for port 636 (LDAPS).
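After disabling the service or applying the access restrictions above, it is worth confirming from the relevant vantage point (for example an Internet-side host) that the two Keyserver connectors no longer answer. The following script is an added example, not part of the original article or the product; the hostname keys.example.invalid is a placeholder and all port numbers are parameters so the check can be run against a test listener.

```python
"""Post-change check: do the Keyserver LDAP/LDAPS connectors still answer?"""
import socket
import ssl
from typing import Dict

LDAP_PORT = 389    # Keyserver LDAP connector (as described in the article)
LDAPS_PORT = 636   # Keyserver LDAPS connector


def tcp_open(host: str, port: int, timeout: float = 3.0) -> bool:
    """Return True if a TCP connection to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:          # refused, filtered, unresolvable, timed out
        return False


def tls_handshake_ok(host: str, port: int = LDAPS_PORT, timeout: float = 3.0) -> bool:
    """Return True if the port completes a TLS handshake.

    Certificate validation is deliberately off: the question here is whether
    the connector serves TLS at all (it needs an assigned certificate to run),
    not whether the certificate chains to a CA this client trusts.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True
    except OSError:          # ssl.SSLError is a subclass of OSError
        return False


def keyserver_exposure(host: str, ldap_port: int = LDAP_PORT,
                       ldaps_port: int = LDAPS_PORT,
                       timeout: float = 3.0) -> Dict[str, bool]:
    """Summarise whether the Keyserver connectors are reachable from here."""
    ldap = tcp_open(host, ldap_port, timeout)
    ldaps = tcp_open(host, ldaps_port, timeout)
    return {
        "ldap_reachable": ldap,
        "ldaps_reachable": ldaps,
        "ldaps_tls": tls_handshake_ok(host, ldaps_port, timeout) if ldaps else False,
        "exposed": ldap or ldaps,   # expected False after the service is disabled
    }


if __name__ == "__main__":
    # Placeholder hostname: substitute your server's external name.
    for check, result in keyserver_exposure("keys.example.invalid").items():
        print(f"{check}: {result}")
```

Run it once before the change to confirm it sees the open connectors, then again afterwards; "exposed: False" from an external host means the LDAP and LDAPS attack surface described above is gone.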


Note on the Keyserver service showing "Stopped" but enabled: If you do use the Keyserver service and it is enabled but stopped, first make sure that all the PGP services are running. If they are, check the System > Network tab to ensure that a proper TLS certificate has been assigned to the interface, and assign one if not. Once this has been done, restart the services and the Keyserver service should be running again.
