RE: website inside or outside the domain?

From: Gabriel Aguilera (gabriel@unicraft.com)
Date: 02/11/03

    Date: Mon, 10 Feb 2003 20:21:28 -0300
    From: "Gabriel Aguilera" <gabriel@unicraft.com>
    To: "Chris W. Parker" <cparker@swatgear.com>, <focus-ms@securityfocus.com>
    

    Hi Chris,

    Don’t think of it as "joining" in to the domain, which is not a very
    good practice anyway... think of it as TRUSTING the inner (users)
    domain.

    What I think you should do with your web server if you need any sort of
    user validation is to build a second domain in the DMZ, let's say, your
    web and 2nd tier database. This domain should trust your internal domain
    and that way you can use the same users as you do in the inside of the
    company. Remember that trusts don’t work in the direction you build
    them... that means that if you build the trust from your DMZ's domain to
    the inside, the inner users will be trusted in the DMZ's domain, but if
    for some strange reason your box gets compromised, the users in that box
    won't be trusted in the inside of your company.

     

    Let me know if you need any further help.

    Regards,
    Gabriel

            -----Original Message-----
            From: Chris W. Parker
            Sent: Mon 10-Feb-03 3:23 PM
            To: focus-ms@securityfocus.com
            Cc:
            Subject: website inside or outside the domain?
            
            

            Hello.

            Is it a better practice in general to join a webserver to a
            domain or to leave it in its own workgroup?

            The reason I ask is because managing the permissions on the
            webserver is made difficult since I don't have access to the
            domain users and groups. That is, (as far as I know) I cannot
            add a domain group (i.e. DOMAIN\weborders) to a resource on the
            webserver. Instead I have to make a group locally on the
            webserver that mimics the group (and users in that group) on
            the domain.

            Another reason I would like to join the webserver to the domain
            is because I could turn off Anonymous Access and force the users
            to log in. BUT I am imagining their domain credentials would
            automatically be passed to the intranet site thus logging them
            in automagically. I would then have access to their usernames
            from within my .asp pages.

            The only reason I have not joined the server to the domain yet
            is because I am not sure what sorts of negative side effects
            there might be that I don't know about.

            Can anyone shed any light on these situations and/or offer
            alternatives?

            Thanks,
            Chris.
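
The one-way trust described in the reply above can be verified from a directory export of the DMZ domain. The following is an added example, not part of the original thread: it parses an LDIF dump of `trustedDomain` objects and flags any trust that is not one-way outgoing, meaning the DMZ domain trusts the partner but the partner does not trust DMZ accounts. The domain names and sample records are constructed, and the parser assumes unfolded, non-base64 LDIF lines; the `trustDirection` codes (1 inbound, 2 outbound, 3 bidirectional) are the standard Active Directory values.

```python
# Added example: audit trust direction from an LDIF export of the DMZ domain.
# Domain names and records below are constructed for illustration.

DIRECTIONS = {0: "disabled", 1: "inbound", 2: "outbound", 3: "bidirectional"}

SAMPLE_LDIF = """\
dn: CN=corp.example,CN=System,DC=dmz,DC=example
objectClass: top
objectClass: trustedDomain
trustPartner: corp.example
trustDirection: 2

dn: CN=partner.example,CN=System,DC=dmz,DC=example
objectClass: trustedDomain
trustPartner: partner.example
trustDirection: 3

dn: CN=web01,CN=Computers,DC=dmz,DC=example
objectClass: computer
"""

def parse_ldif(text):
    """Yield one dict per LDIF record (lowercased attribute -> list of values)."""
    for block in text.strip().split("\n\n"):
        record = {}
        for line in block.splitlines():
            if line.startswith("#") or ": " not in line:
                continue
            key, value = line.split(": ", 1)
            record.setdefault(key.lower(), []).append(value.strip())
        if record:
            yield record

def audit_trusts(text):
    """Return (partner, direction, ok) for every trustedDomain record.

    ok is True only for a one-way outgoing trust (trustDirection 2).
    """
    findings = []
    for rec in parse_ldif(text):
        if "trustedDomain" not in rec.get("objectclass", []):
            continue
        partner = rec.get("trustpartner", ["?"])[0]
        raw = rec.get("trustdirection", [""])[0]
        code = int(raw) if raw.isdigit() else -1
        findings.append((partner, DIRECTIONS.get(code, "unknown"), code == 2))
    return findings

if __name__ == "__main__":
    for partner, direction, ok in audit_trusts(SAMPLE_LDIF):
        print(f"{'OK  ' if ok else 'FLAG'} {partner}: {direction}")
```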