Re: Active Directory and IIS on production servers, and clustering

From: Thor (Hammer of God) (thor_at_hammerofgod.com)
Date: 10/31/05


To: "David LeBlanc" <dleblanc@mindspring.com>, "'Jim Stagg'" <jstagg@sprich.com>, "'Focus-MS'" <focus-ms@securityfocus.com>
Date: Mon, 31 Oct 2005 10:09:35 -0800


----- Original Message -----
From: "David LeBlanc" <dleblanc@mindspring.com>
To: "'Jim Stagg'" <jstagg@sprich.com>; "'Focus-MS'"
<focus-ms@securityfocus.com>
Sent: Sunday, October 30, 2005 3:20 PM
Subject: RE: Active Directory and IIS on production servers, and clustering

> Next, consider the possibility of trusts to the internal domain. In most
> cases, unless there is some pressing business need to make a trust, I would
> _not_ establish a trust between the DMZ domain and the internal domain, but
> if I did, I'd make sure and use Win2k3 DCs and make it a limited trust.
> Additionally, if I had to create a trust out into the DMZ, I'd strongly
> consider making 2 DMZs so that I could watch the one with the trust very,
> very carefully.

Just to elaborate, if one *did* decide to implement such a trust model
(which I, too, would *not* recommend doing), it should be an external, one-way,
nontransitive trust to a domain in a separate forest. I'm sure that's
what you had in mind, but I think it's important to be specific about these
things, particularly when discussing trusts between a DMZ domain and an
internal domain.

The logical boundary might be the domain, but the true security boundary is
the forest. I know you know that, but we need to say it.

I'm all up for a separate forest/domain for the DMZ; it is standard practice
for me. But I can't honestly think of a good reason to go through all the
trouble of a trust, even if external, between the internal and DMZ domains.
Yikes, it gives me the shivers just considering such a thing... The needed
firewall ruleset alone is too much exposure if you ask me... When you can
securely administer the DMZ via RDP and do so with no static rules (outbound
only 3389 or whatever) and an isolated AD, why risk it??

t
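The thread's recommendation, for anyone who has to live with a trust into the DMZ anyway, boils down to a handful of checkable trust attributes: external (separate forest, not intra-forest), one-way, nontransitive, and "limited" (selective authentication) rather than domain-wide. The script below is an added audit example, not code from either poster; it uses the ActiveDirectory RSAT module's `Get-ADTrust` cmdlet to enumerate every trust the current domain knows about and lists which of those properties each trust violates. The function name `Test-DmzTrustPosture` and the policy encoded in it are assumptions drawn from the thread, not a Microsoft baseline.

```powershell
# Added example, not part of the original thread. Audits the trusts of the
# current domain against the posture described above: external (not
# intra-forest), one-way, nontransitive, selective authentication on, and
# SID filtering left enabled. Requires the ActiveDirectory RSAT module and
# read access to the trustedDomain objects in the System container.
Import-Module ActiveDirectory

function Test-DmzTrustPosture {
    # Returns one object per trust with the list of violated properties.
    $findings = @()

    foreach ($trust in Get-ADTrust -Filter *) {
        $issues = @()

        # A DMZ domain inside the internal forest shares its security
        # boundary; the forest, not the domain, is the boundary that matters.
        if ($trust.IntraForest) {
            $issues += 'intra-forest trust: DMZ domain is inside the internal forest'
        }

        # The posters allow at most a one-way trust.
        if ($trust.Direction -eq 'BiDirectional') {
            $issues += 'two-way trust; should be one-way'
        }

        # Forest trusts are transitive by design; an external trust should
        # carry the nontransitive flag (property name is spelled this way by AD).
        if ($trust.ForestTransitive -or -not $trust.DisallowTransivity) {
            $issues += 'transitive trust; should be an external, nontransitive trust'
        }

        # "Limited trust" in the thread: selective authentication, so only
        # explicitly permitted accounts may authenticate across the trust.
        if (-not $trust.SelectiveAuthentication) {
            $issues += 'domain-wide authentication; selective authentication is off'
        }

        # SID filtering (quarantine) is on by default for external trusts;
        # flag any trust where it has been turned off.
        if (-not $trust.SIDFilteringQuarantined) {
            $issues += 'SID filtering (quarantine) disabled'
        }

        $findings += [pscustomobject]@{
            Source    = $trust.Source
            Target    = $trust.Target
            Direction = $trust.Direction
            Compliant = ($issues.Count -eq 0)
            Issues    = $issues
        }
    }

    return $findings
}

# Usage: run on a DC or admin workstation of the internal domain and review
# any trust reported with Compliant = False.
Test-DmzTrustPosture | Format-List
```

Run it from the internal domain; a trust that comes back with an empty `Issues` list matches the model Thor spells out, while a forest trust, a two-way trust, or one with selective authentication switched off will be called out by name. It reports only; it does not change any trust.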
