Re: AD in the DMZ - Any thoughts on this scenario?

From: Lanwench [MVP - Exchange] (lanwench_at_heybuddy.donotsendme.unsolicitedmail.atyahoo.com)
Date: 08/03/04


Date: Tue, 3 Aug 2004 15:26:57 -0400

Trust No One® wrote:
> Hi Folks,
>
> Appreciate input on this one.
>
> My company recently did a feasibility study on implementing Windows 2003
> and AD in our internet facing DMZ. Basically an external consultant
> came in and produced a report. The report recommended setting up a
> separate AD forest spanning both our DMZ and internal network, with
> member servers sited in the DMZ subnets and the domain controllers
> located on the internal network. The appropriate ports are then
> opened on the corporate firewall to permit communication to/from the
> domain controllers, and communications are secured via IPSEC.
>
> The consultant assured us that other corporations run similar
> configurations, the advantage being that administration of the AD and
> maintenance of the DCs is far easier as you won't need to cross the
> firewall; the domain controllers can be pointed at the internal DNS
> servers.

Ask him for a list of these corporations & the appropriate contacts at each.
I think this is BAD advice, myself. Your concerns below are quite valid. The
purpose of a DMZ is to prevent any traffic coming in from it to your LAN.
>
> Despite the assurances I'm troubled by the recommendation as
>
> a) It introduces the possibility (however small) of an intruder using
> the path to the domain controllers to hop from the DMZ into the
> internal network should he/she manage to compromise one of the internet
> facing member servers.
>
> b) Security rather than ease of administration should surely be the
> main consideration.
>
> c) ISTR RPC requires a significant range of ports to be opened? I
> know that the range of ports can be locked down to a defined range
> rather than the default of dynamic, but a number of holes still need to be
> punched in order to permit communication to the domain controllers.
>
> I would have thought a completely separate DMZ forest with possibly a
> one way trust to the internal AD forest would be the more secure way
> to go. I am keeping an open mind at this stage however.
>
> Any thoughts or comments on the consultant's recommendation? Is
> anyone on the group successfully running with a split DMZ/Internal AD
> forest?
>
> Best Wishes
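A small zone-and-flow model of the two designs argued over above (an added example, not code from either poster): hosts sit in a zone, firewall rules allow host-to-host flows on named services, and we compute how many hops a compromised Internet-facing member server is from the internal DC, and which DMZ hosts are allowed to initiate traffic into the internal network at all. Host names and the port lists are assumptions.

```python
"""Toy model: spanning forest (consultant) vs separate DMZ forest (poster).

Constructed example. Hosts, zones and port sets are assumptions chosen
to mirror the thread; they are not from any real environment.
"""
from collections import deque

# Services a domain member must reach on its DCs; the RPC dynamic range
# is shown already restricted, as point (c) in the post describes.
AD_MEMBER_PORTS = {"dns/53", "kerberos/88", "ldap/389", "smb/445",
                   "rpc-epm/135", "rpc-dyn/5000-5100"}
# A one-way forest trust still needs DC-to-DC traffic, but only between DCs.
TRUST_PORTS = {"dns/53", "kerberos/88", "ldap/389",
               "rpc-epm/135", "rpc-dyn/5000-5100"}

ZONE = {"web1": "dmz", "dmz-dc1": "dmz", "dc1": "internal"}

# Design A: one forest, DMZ member servers authenticate to internal DCs.
SPANNING_FOREST = [("web1", "dc1", AD_MEMBER_PORTS)]
# Design B: separate DMZ forest; only the DMZ DC crosses the boundary.
SEPARATE_FOREST = [("web1", "dmz-dc1", AD_MEMBER_PORTS),
                   ("dmz-dc1", "dc1", TRUST_PORTS)]


def reachable(rules, start):
    """BFS over allowed flows; returns {host: hops} from the start host."""
    adj = {}
    for src, dst, _ports in rules:
        adj.setdefault(src, set()).add(dst)
    hops, queue = {start: 0}, deque([start])
    while queue:
        host = queue.popleft()
        for nxt in adj.get(host, ()):
            if nxt not in hops:
                hops[nxt] = hops[host] + 1
                queue.append(nxt)
    return hops


def boundary_initiators(rules, zone):
    """DMZ hosts that any rule allows to initiate traffic into 'internal'."""
    return {s for s, d, _ in rules
            if zone[s] == "dmz" and zone[d] == "internal"}


def dc_exposure(rules):
    """(hops from compromised web1 to dc1 or None, DMZ hosts crossing in)."""
    hops = reachable(rules, "web1")
    return hops.get("dc1"), boundary_initiators(rules, ZONE)


if __name__ == "__main__":
    for name, rules in (("spanning", SPANNING_FOREST),
                        ("separate", SEPARATE_FOREST)):
        print(name, dc_exposure(rules))
```

In the spanning design the Internet-facing server is itself one hop from the internal DC and is the host the firewall must let through; in the separate-forest design only the DMZ DC crosses, and the web server is two hops away.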


