Forum.Brain-Cluster.com: Brain Cluster Technical Forum
AD and DMZ setup - 2003 [message #160379] Wed, 26 August 2009 07:36
David Robson1 (United Kingdom)
Messages: 5
Registered: August 2009
Junior Member
Hi,
I've got a domain which I'll call DomainA. It houses all my servers, 100+.
I've got various subnets/VLANs and a DMZ.
Web servers sit in the DMZ. Web servers contact SQL servers in the internal network.
This uses Windows AD accounts for authentication.
Domain controllers sit in the internal network, but communication ports are open so
servers on the DMZ subnet can communicate.


I'm now reviewing my options for security (preferably maximum security).

I want to ensure that if someone compromises my web servers they cannot
compromise my AD structure which at the moment they could as the ports are
open.

Can anyone offer some help? I'm thinking of a new forest with a one-way trust.
Call the new domain DomainB. Would DomainB trust DomainA? Would this mean AD
service accounts in DomainA could be used to run programs on DomainB but not
backwards?

Thanks,
Dave.
RE: AD and DMZ setup - 2003 [message #160399 is a reply to message #160379] Wed, 26 August 2009 16:31
Garry Starck-MCITP En
Messages: 69
Registered: July 2009
Member
Hi David

What authentication requirements do these web servers have? E.g., do you
require users from outside to log in with user accounts in the domain? If so,
use ADAM or later to sync with AD; it can sit in the DMZ, only syncing the
exact attribute sets required. ADAM will only have read rights to AD, so
security is good then.

If the servers in the DMZ need to be members of a domain for single-point
security, create another domain in a new forest called DMZ.LOCAL, for lack of
better thoughts right now. Set up selective trusts, not just one-way only;
with selective trusts you have greater control over accessed resources.

--
Garry Starck
MCITP Enterprise Administrator, MCTS AD, MCSE 2003 Messaging, MCDBA


"David Robson1" wrote:

> Hi,
> I've got a domain which i'll call DomainA. It houses all my servers. 100+
> I've got various subnets/vlans and a DMZ.
> Web servers sit in DMZ. Web servers contact SQL servers in internal network.
> This uses Windows AD accounts for authentication.
> Domain controllers sit in internal network but communications ports open so
> servers on dmz subnet can communicate.
>
>
> I'm now reviewing my options for security (preferably maximum security).
>
> I want to ensure that if someone compromises my web servers they cannot
> compromise my AD structure which at the moment they could as the ports are
> open.
>
> Can anyone offer some help? I'm thinking a new Forest with a one way trust.
> Call the new domain DomainB. Would DomainB trust DomainA. Would this mean AD
> service accounts in DomainA could be used to run programs on DomainB but not
> backwards?
>
> Thanks,
> Dave.
>
>
>
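The selective trust Garry recommends, as an added example that is not part of the thread. It uses the names already used above (a new forest DMZ.LOCAL for the web servers, DomainA for the internal forest) in the direction Dave asked about: DMZ.LOCAL trusts DomainA, not the reverse. The web server DN and the service account name are constructed placeholders; netdom and dsacls come from the Windows Server 2003 Support Tools (built in from 2008 on).

```powershell
# Added example, not from the thread. Run on a domain controller in DMZ.LOCAL
# as a Domain Admin of that domain. Names below are constructed placeholders.

$trustingDomain = 'DMZ.LOCAL'      # domain that holds the resources (web servers)
$trustedDomain  = 'DomainA'        # domain that holds the accounts
$webServerDN    = 'CN=WEB01,OU=Web Servers,DC=dmz,DC=local'   # constructed DN
$serviceAccount = 'DOMAINA\svc_webapp'                        # constructed account

# 1. One-way external trust: DMZ.LOCAL trusts DomainA, never the reverse, so no
#    DMZ account can authenticate into the internal forest.
#    /PasswordD:* prompts for the DomainA admin password instead of storing it.
netdom trust $trustingDomain /d:$trustedDomain /add /UserD:"$trustedDomain\Administrator" /PasswordD:*

# 2. Switch the trust to selective authentication. DomainA accounts now get no
#    access to any DMZ computer until it is granted explicitly (step 3).
netdom trust $trustingDomain /d:$trustedDomain /SelectiveAuth:yes

# 3. Grant exactly one account the "Allowed to Authenticate" control access
#    right on exactly one computer object. Repeat per account/server pair.
dsacls $webServerDN /G "${serviceAccount}:CA;Allowed to Authenticate"

# 4. Confirm the trust is healthy and that selective authentication is on
#    (/SelectiveAuth with no value prints the current setting).
netdom trust $trustingDomain /d:$trustedDomain /verify
netdom trust $trustingDomain /d:$trustedDomain /SelectiveAuth
```

With selective authentication, a DomainA account that has not been granted "Allowed to Authenticate" on a given DMZ computer is refused even if it holds the right NTFS or share permissions there, which is the "greater control" the reply refers to. SID filtering is enabled by default on trusts created on Windows Server 2003 and later; leave it on.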
Re: AD and DMZ setup - 2003 [message #160658 is a reply to message #160379] Thu, 03 September 2009 13:29
JPolicelliMVPDS
Messages: 4
Registered: August 2009
Junior Member
The general guideline, which I agree with, is to NOT allow DMZ/perimeter
network servers to communicate with domain controllers that are on the
internal network. From the sounds of it, your Web Servers are doing this.

I suggest you take a look at the following:
http://technet.microsoft.com/en-us/library/dd728034(WS.10).aspx. This will
give you some good guidance.

--

JPolicelli, MVP - Directory Services

http://www.policelli.com
http://policelli.com/blog

This posting is provided AS IS with no warranties and confers no rights.
Always plan and test.

----

"David Robson1" <DavidRobson1@nospam.com> wrote in message
news:uo4E1IlJKHA.3888@TK2MSFTNGP04.phx.gbl...
> Hi,
> I've got a domain which i'll call DomainA. It houses all my servers. 100+
> I've got various subnets/vlans and a DMZ.
> Web servers sit in DMZ. Web servers contact SQL servers in internal
> network. This uses Windows AD accounts for authentication.
> Domain controllers sit in internal network but communications ports open
> so servers on dmz subnet can communicate.
>
>
> I'm now reviewing my options for security (preferably maximum security).
>
> I want to ensure that if someone compromises my web servers they cannot
> compromise my AD structure which at the moment they could as the ports are
> open.
>
> Can anyone offer some help? I'm thinking a new Forest with a one way
> trust. Call the new domain DomainB. Would DomainB trust DomainA. Would
> this mean AD service accounts in DomainA could be used to run programs on
> DomainB but not backwards?
>
> Thanks,
> Dave.
>
>
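A check for the guideline in the reply above, as an added example that is not part of the thread: run it on a DMZ web server after the firewall rules are changed to confirm that the internal domain controllers are no longer reachable on the TCP ports a domain member normally uses. The DC host names are constructed placeholders; the port list is the standard set a domain member talks to on a DC.

```powershell
# Added example, not from the thread. Host names are constructed placeholders.
$dcHosts = @('dc01.domaina.internal', 'dc02.domaina.internal')

# TCP ports a domain member uses against a DC (UDP 53/88/389 are not tested here).
$adPorts = @{
    53   = 'DNS'
    88   = 'Kerberos'
    135  = 'RPC endpoint mapper'
    389  = 'LDAP'
    445  = 'SMB / SYSVOL'
    464  = 'Kerberos password change'
    636  = 'LDAPS'
    3268 = 'Global Catalog'
    3269 = 'Global Catalog over SSL'
}

# Returns $true only if a TCP handshake completes within the timeout;
# a firewall drop shows up as a timeout, a reject as an exception.
function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

$reachable = @()
foreach ($dc in $dcHosts) {
    foreach ($port in ($adPorts.Keys | Sort-Object)) {
        if (Test-TcpPort -ComputerName $dc -Port $port) {
            $reachable += "{0}:{1} ({2})" -f $dc, $port, $adPorts[$port]
        }
    }
}

if ($reachable.Count -eq 0) {
    Write-Host 'PASS: no internal DC port is reachable from this DMZ host.'
    exit 0
} else {
    Write-Host 'FAIL: the following DC ports are still open from the DMZ:'
    $reachable | ForEach-Object { Write-Host "  $_" }
    exit 1
}
```

A non-zero exit code makes the script usable as a recurring compliance check (scheduled task or monitoring probe), so that a later firewall change that reopens a DC port from the perimeter is noticed rather than discovered after a web server compromise.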