Re: One-way Trust Security Issues [message #337283] Mon, 07 December 2009 07:31
Larry W.
Does Microsoft have a recommendation for this? There is debate within my
company regarding the best way to configure this. The two options below are being

Option 1 is to use a site-to-site VPN through the firewall. This could
become expensive (setting up a VPN) and difficult to administer, especially
if you extend this to multiple locations. However, it provides the best
security over the Internet.

Option 2 is to allow the AD replication over the Internet (with the Swiss-cheese
firewall rules). This scenario allows NetBIOS and TCP high ports
through the firewall, which is a security concern. But restricting this to
a single source IP address mitigates the risk. We still have the potential of
a man-in-the-middle spoofing attack, but anyone scanning the firewall from
the Internet would not see these ports open because they would not be
scanning from the source IP.

This is less secure than option 1 but less complex and less expensive. Is it
secure enough?

Larry W.

"Jorge Silva" wrote:

> Hi
> Opening the DMZ for internal communication may not be a good idea, depending
> on many other things... Generally (in some acceptable scenarios) you may use
> IPsec with certificates for communications, some use VPN, others use
> dedicated VLANs, etc... This is not a simple question because it may depend on
> many other things that we are not aware of.
> --
> I hope that the information above helps you.
> Have a nice day.
> Jorge Silva
> MCSE, MVP Directory Services
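The following is an added example and is not part of the original post or of Jorge Silva's reply. It shows how the "Option 2" firewall approach can be implemented on a domain controller and tightened with the certificate-based IPsec that Jorge suggests: the NTDS RPC endpoint is pinned to one port so the whole dynamic high-port range does not have to be opened, every inbound rule is scoped to the single peer address, and an IPsec connection security rule requires a machine certificate from the organisation's CA before any of that traffic is accepted. Source-IP scoping on its own only filters on an address an attacker can spoof; the certificate requirement is what actually authenticates the peer. The peer and local addresses, the CA subject, and the fixed RPC port are hypothetical values chosen for the example; the cmdlets are from the NetSecurity module and need Windows Server 2012 or later and an elevated session, which is newer than the 2009 environment in the thread.

```powershell
# Added example (not from the forum post): scope AD replication on a DC to one
# peer address and require certificate-authenticated IPsec for that peer.
# All addresses, the CA subject and the port number below are assumptions.

$PeerDC    = '203.0.113.10'        # constructed peer DC address (TEST-NET-3)
$ThisDC    = '198.51.100.5'        # constructed local DC address (TEST-NET-2)
$CaSubject = 'CN=Contoso Root CA'  # assumed issuer of the DC machine certificates
$RpcPort   = 49152                 # assumed fixed NTDS RPC port (instead of the dynamic range)

# 1. Pin the NTDS RPC endpoint to a single port. Takes effect after the
#    NTDS service (or the DC) restarts.
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' `
    -Name 'TCP/IP Port' -Type DWord -Value $RpcPort

# 2. Inbound firewall rules for DC-to-DC traffic, each scoped to the peer only
#    and only honoured when the packet arrived inside an authenticated IPsec SA.
$ports = @{
    'AD Repl - RPC Endpoint Mapper' = @{ Protocol = 'TCP'; Port = 135 }
    'AD Repl - NTDS RPC (fixed)'    = @{ Protocol = 'TCP'; Port = $RpcPort }
    'AD Repl - Kerberos TCP'        = @{ Protocol = 'TCP'; Port = 88 }
    'AD Repl - Kerberos UDP'        = @{ Protocol = 'UDP'; Port = 88 }
    'AD Repl - LDAP'                = @{ Protocol = 'TCP'; Port = 389 }
    'AD Repl - LDAPS'               = @{ Protocol = 'TCP'; Port = 636 }
    'AD Repl - Global Catalog'      = @{ Protocol = 'TCP'; Port = 3268 }
    'AD Repl - SMB (SYSVOL)'        = @{ Protocol = 'TCP'; Port = 445 }
    'AD Repl - DNS TCP'             = @{ Protocol = 'TCP'; Port = 53 }
    'AD Repl - DNS UDP'             = @{ Protocol = 'UDP'; Port = 53 }
}
foreach ($name in $ports.Keys) {
    $p = $ports[$name]
    New-NetFirewallRule -DisplayName $name -Direction Inbound -Action Allow `
        -Protocol $p.Protocol -LocalPort $p.Port `
        -RemoteAddress $PeerDC -Authentication Required `
        -Profile Any -Enabled True | Out-Null
}

# 3. Connection security rule: all traffic between this DC and the peer must be
#    protected by IPsec, and IKE must authenticate with a machine certificate
#    chaining to our CA. A spoofed source address cannot complete this exchange.
$certAuth = New-NetIPsecAuthProposal -Machine -Cert -Authority $CaSubject -AuthorityType Root
$phase1   = New-NetIPsecPhase1AuthSet -DisplayName 'AD Repl Cert Auth' -Proposal $certAuth
New-NetIPsecRule -DisplayName 'AD Repl - Require IPsec to peer DC' `
    -LocalAddress $ThisDC -RemoteAddress $PeerDC `
    -InboundSecurity Require -OutboundSecurity Require `
    -Phase1AuthSet $phase1.Name -Profile Any | Out-Null

# 4. Checks: every replication rule is scoped to the peer, replication still
#    succeeds, and a main-mode SA with the peer actually exists afterwards.
Get-NetFirewallRule -DisplayName 'AD Repl*' | Get-NetFirewallAddressFilter |
    Where-Object { $_.RemoteAddress -ne $PeerDC } |
    ForEach-Object { Write-Warning "Rule not scoped to peer DC: $($_.InstanceID)" }

repadmin /replsummary
Get-NetIPsecMainModeSA | Where-Object { $_.RemoteEndpoint -eq $PeerDC }
```

The same rule set has to be applied on the peer DC with the addresses swapped, and the perimeter firewall still needs matching allow entries for the listed ports from the peer address only. If `Get-NetIPsecMainModeSA` returns nothing after a forced replication, check that both DCs hold a machine certificate from the named CA and that IKE (UDP 500, and UDP 4500 if either side is behind NAT) is allowed through the perimeter.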