Re: internal domain credentials to access DMZ resources

Thanks very much for your responses. I think I'll try out the following two
scenarios.

SCENARIO 1
- Create a new forest in DMZ, and let DMZ forest trust LAN forest 1 way.
- join web, NAS, and SQL servers to DMZ forest
- add permissions for LAN users/groups to access resources on DMZ member
servers
- set permissions on DMZ member servers to use DMZ forest user accounts

The one issue I am concerned with regards AD authentication for the DMZ
servers when a LAN user connects. Do DMZ servers query LAN AD servers through
the firewall? I know that opens almost every tempting port to a Windows
server. Also, in establishing the trust, how much access do the DMZ AD servers
need to the LAN AD servers? It seems like this is going to ultimately expose
LAN AD data to the DMZ.

SCENARIO 2
- move NAS and SQL servers into the LAN and make them member servers of our
corp domain
- leave the web servers as stand-alone in the DMZ and allow them explicit
access to NAS and SQL through the firewall only on the necessary ports

My only concern here is the performance hit our application may take as it
requests all of its data through the firewall.

Your help so far in narrowing options has been great. Any further insight or
opinions on these options would be much appreciated as well. Thanks again.

John C

"Paul Williams [MVP]" wrote:

>> I'd like to know what might be wrong with IIS in this scenario that
>> weakens defenses. We have two stand-alone IIS servers in an NLB cluster.
>> They host about 1000 websites and push less than 3GB per day of traffic.
>> They contact the NAS & SQL constantly on almost every page.
>
> Although considerably more secure now than in the past, if IIS is set up
> incorrectly there are a number of exploits that allow attackers to run code.
> If the IIS server is a member of a domain, depending on the context that the
> attacker is able to run the code under, there are some nasty possibilities
> if the attacker knows his/her stuff.
>
> If you have your IIS servers set up in an optimum way, and have them patched
> up to date, then this probably isn't an issue. I just wanted to warn you,
> from a security standpoint, that there *could* be an issue.
>
>> We just invested in a new firewall, non-ISA. We won't have ISA available
>> anytime soon, for better or worse.
>
> Ah well, you probably can't do the publishing then.
>
>> What chores are the member intranet servers doing? I don't understand what
>> the work and costs might be here.
>
> Our applications guys run this stuff, so I'm not sure, but basically we host
> a separate intranet, even if content is duplicated, internally. The work
> and cost would be in maintaining two instances of the same, or similar,
> content (obviously there's additional stuff on the inside than the out).
>
>> Possible to set this up without ISA? That would give me the shared NTFS
>> permissions on all systems, and allow me to add internal users/groups to
>> those resource shares.
>
> Yes. I tend to set up our ISA deployments in a similar way. What you do
> here is create a new forest, e.g. domain-name.dmz, and add the SQL and IIS
> boxes to this domain. You then establish a one-way trust between the two
> domains (DMZ trusts INT) and grant permissions to the web and/or SQL to the
> internal people.
>
> --
> Paul Williams
> Microsoft MVP - Windows Server - Directory Services
> http://www.msresource.net | http://forums.msresource.net
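Scenario 1 above, and the one-way trust Paul describes (DMZ trusts INT), both depend on two things John is worried about: the DMZ forest's domain controllers must reach the LAN forest's domain controllers through the firewall, and the trust should be scoped as narrowly as possible so that a compromised DMZ member cannot make use of it. The following PowerShell is an added example and is not code from either poster or from Microsoft. It assumes it is run on a DMZ-forest domain controller with the ActiveDirectory (RSAT) and NetTCPIP modules available, and that `corp.example` and `dc1.corp.example` are placeholders for the trusted LAN forest and one of its domain controllers. It reads the trust as seen from the DMZ side, flags a direction other than outbound, disabled selective authentication, and disabled SID filtering, and then probes the TCP ports a forest trust commonly needs so that blocked ports (authentication failures) and open ports (the exposure John describes) are both visible.

```powershell
# Added example, not from the thread. Run on a DMZ-forest domain controller.
# Assumptions: ActiveDirectory module present; $LanForest / $LanDc are placeholders.
Import-Module ActiveDirectory

$LanForest = 'corp.example'       # placeholder: the LAN forest the DMZ forest trusts
$LanDc     = 'dc1.corp.example'   # placeholder: one LAN domain controller

# 1. Read the trust from the DMZ side. 'Outbound' here means "this (DMZ) forest
#    trusts the target (LAN)": LAN accounts can be granted access to DMZ
#    resources, but DMZ accounts get nothing in the LAN.
$trust = Get-ADTrust -Filter "Target -eq '$LanForest'"
if (-not $trust) { throw "No trust to $LanForest exists in this forest" }

$findings = @()
if ($trust.Direction -ne 'Outbound') {
    $findings += "Direction is $($trust.Direction); expected Outbound (one-way, DMZ trusts LAN)."
}
if (-not $trust.SelectiveAuthentication) {
    $findings += "Selective authentication is off: every LAN user is 'Authenticated Users' on DMZ members."
}
# For a forest trust, SID filtering is normally reported via SIDFilteringForestAware;
# SIDFilteringQuarantined is the stricter per-domain quarantine mode.
if (-not ($trust.SIDFilteringForestAware -or $trust.SIDFilteringQuarantined)) {
    $findings += "SID filtering is off: SIDs presented by the trusted forest are not filtered."
}

# 2. Probe the firewall path DMZ DC -> LAN DC on the ports a forest trust commonly
#    needs. RPC also uses the dynamic range 49152-65535, which a single probe
#    cannot cover; check that rule separately on the firewall.
$ports = [ordered]@{
    53   = 'DNS (conditional forwarder / name resolution)'
    88   = 'Kerberos'
    135  = 'RPC endpoint mapper'
    389  = 'LDAP'
    445  = 'SMB (Netlogon, trust validation)'
    464  = 'Kerberos password change'
    3268 = 'Global catalog'
}
$blocked = @()
foreach ($entry in $ports.GetEnumerator()) {
    $port = [int]$entry.Key
    $r = Test-NetConnection -ComputerName $LanDc -Port $port -WarningAction SilentlyContinue
    $state = if ($r.TcpTestSucceeded) { 'open' } else { 'BLOCKED' }
    Write-Output ('{0,5}  {1,-45} {2}' -f $port, $entry.Value, $state)
    if (-not $r.TcpTestSucceeded) { $blocked += $port }
}

# 3. Summarize. Blocked ports explain authentication failures; open ports are the
#    DMZ-to-LAN exposure and should be restricted to DC-to-DC source/destination pairs.
Write-Output ("Trust {0}: direction={1} selectiveAuth={2} sidFiltering={3}" -f `
    $trust.Name, $trust.Direction, $trust.SelectiveAuthentication,
    ($trust.SIDFilteringForestAware -or $trust.SIDFilteringQuarantined))
$findings | ForEach-Object { Write-Output "WARNING: $_" }
if ($blocked) { Write-Output "Blocked toward ${LanDc}: $($blocked -join ', ')" }
else          { Write-Output "All probed ports reachable on $LanDc" }
```

With selective authentication on, LAN users additionally need the "Allowed to Authenticate" right on the specific DMZ computer objects (web, NAS, SQL) before the NTFS permissions Paul mentions take effect, which keeps the rest of the DMZ forest closed to them even though the trust exists.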
