This article applies to Cloud.

Available in:

Standard, Premium, Enterprise, Small Business

Code42 User Directory Sync server hardening

Overview

To integrate your Code42 cloud environment with a directory service, you must configure the Code42 User Directory Sync feature. This means deploying the Code42 User Directory Sync tool to a server within your organization's environment as well as configuring the administration console.

The steps below provide best practices for implementing additional layers of security when deploying this tool in your environment. 

Considerations

For any additional questions, contact your Customer Success Manager (CSM) for enterprise support at csmsupport@code42.com.

The Code42 User Directory Sync tool
The Code42 User Directory Sync tool is packaged with a stand-alone Java Runtime Environment (JRE). This JRE is specific to User Directory Sync and is updated with future releases of the tool.
  • Deployment: The JRE is extracted into a directory rather than installed on the operating system. As a result, the tool runs as an intermittent process, not as a service.
  • Patch management: Because the JRE is bundled with the tool and is not updated by the operating system's package manager, keep this server current using your standard patch management practices, and update the tool itself when new releases are available.

Minimum supported operating systems

The system specifications listed below are the minimum requirements needed to successfully run the Code42 User Directory Sync tool.

Windows

  • Windows Server 2012
  • 64-bit operating system

Linux

  • Either
    • RedHat Enterprise Linux 7.x 
    • Ubuntu 16.04 
  • 64-bit operating system

Deployment options

Virtual server

Code42 recommends deploying the Code42 User Directory Sync tool to a virtual server. This reduces your resource requirements and also decouples the tool from any particular physical machine. The virtualization hypervisor can be from any vendor, as long as it supports:

  • Network-based communication
  • Java runtime
  • 64-bit execution environment

Physical server

Alternatively, the Code42 User Directory Sync tool can be deployed to a stand-alone, dedicated, minimal-resource server. We strongly recommend that the Code42 User Directory Sync tool be deployed to a different server than your Active Directory or LDAP server.

Networking

Inbound connections

This tool does not need to receive inbound connections from any service in order to run. As a result, inbound connections that are not necessary for management should be blocked using the operating system's firewall or a third party networking tool.

Outbound connections

The User Directory Sync tool needs to make outbound connections to Code42 and to your directory server. We recommend using encrypted ports whenever setting up these connections. The tool requires the following outbound connections to be open:

  Port          Destination
  443 (HTTPS)   Code42 cloud
  636 (LDAPS)   Your directory server

Permissions

For any permission controls, we recommend following the security principle of least privilege. This means that a person or process is given only the minimum level of access rights to complete an assigned operation. 

LDAP bind user

We recommend that the directory bind user have read-only permissions to your directory, scoped specifically to the search base that contains your target set of users.

OS service user

The operating system user account that runs the Code42 User Directory Sync tool should be given the lowest level of permissions possible. The tool does not require administrative privileges to run.

Remote access user

We recommend that no users other than an administrator, and only when required, be able to remotely access this server (via SSH or RDP).
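The Networking and Permissions recommendations above can be checked before the tool is deployed. The following Python script is an added example, not part of the Code42 tool or this article; it assumes a Linux host where the `ss` command is available, and the two destination hostnames are placeholders you must replace with your own values.

```python
"""Pre-flight hardening check for the host that will run User Directory Sync.

Added example, not Code42's own code. Assumes a Linux host with `ss`;
the two hostnames in OUTBOUND are placeholders, not real Code42 values.
"""
import socket
import ssl
import subprocess

MANAGEMENT_PORTS = {22}  # inbound: only the admin SSH port may listen
OUTBOUND = [("CODE42_CLOUD_HOST_PLACEHOLDER", 443),  # HTTPS to Code42 cloud
            ("DIRECTORY_HOST_PLACEHOLDER", 636)]     # LDAPS to your directory
PRIVILEGED_GROUPS = {"root", "wheel", "sudo", "admin", "Administrators"}

# Constructed sample of `ss -ltn` output, used only for illustration and tests.
SAMPLE_SS = """State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      128    [::]:22             [::]:*
LISTEN 0      5      127.0.0.1:631       0.0.0.0:*
"""


def parse_listeners(ss_output):
    """Extract listening TCP ports from `ss -ltn` text (IPv4, IPv6 and '*' forms)."""
    ports = set()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue  # header or unrelated line
        ports.add(int(fields[3].rsplit(":", 1)[1]))
    return ports


def unexpected_listeners(ports, allowed=frozenset(MANAGEMENT_PORTS)):
    """Listening ports that should be firewalled or have their service disabled."""
    return sorted(p for p in ports if p not in allowed)


def outbound_tls_ok(host, port, timeout=5.0):
    """True only if a TLS handshake to host:port succeeds with certificate validation."""
    ctx = ssl.create_default_context()  # verifies chain and hostname
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version() is not None
    except OSError:  # refused, timed out, or TLS/certificate failure
        return False


def is_privileged(uid, group_names):
    """Least privilege: the service account must not be root or in an admin group."""
    return uid == 0 or bool(PRIVILEGED_GROUPS & set(group_names))


if __name__ == "__main__":
    import grp, os, pwd
    me = pwd.getpwuid(os.getuid())
    groups = [grp.getgrgid(me.pw_gid).gr_name]
    groups += [g.gr_name for g in grp.getgrall() if me.pw_name in g.gr_mem]
    print("service user privileged:", is_privileged(me.pw_uid, groups))
    ss = subprocess.run(["ss", "-ltn"], capture_output=True, text=True).stdout
    print("unexpected listeners:", unexpected_listeners(parse_listeners(ss)))
    for host, port in OUTBOUND:
        print(f"outbound {host}:{port} TLS ok:", outbound_tls_ok(host, port))
```

Run it as the account that will own the tool: a non-empty "unexpected listeners" list or a "privileged: True" result means the host does not yet match the recommendations above.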
