RE: DMZ and AD Authentication

From: JM (jm_at_mindless.com)
Date: 12/16/03

    To: <jamesworld@intelligencia.com>, <Geoff.Shatz@pchelps.com>
    Date: Tue, 16 Dec 2003 17:01:16 -0000

    I would recommend using some sort of reverse proxy for external
    authentication, and then permitting those users to access the AD for
    authentication.

    If you need more info contact me direct.

    Cheers
     

    -----Original Message-----
    From: jamesworld@intelligencia.com [mailto:jamesworld@intelligencia.com]
    Sent: 16 December 2003 02:57
    To: Geoff.Shatz@pchelps.com
    Cc: security-basics@securityfocus.com
    Subject: RE: DMZ and AD Authentication

    Geoff,

    I second what Shawn said. If you can avoid it...don't do it.

    If, however, you are stuck with an order from up high:

    Connect to the AD box thru the firewall via IPSEC.

    If you use NIDS, however, this will blind it to any attacks that might come
    thru if the web server was compromised.

    I would recommend using the Cisco Security Agent (formerly Okena) on the web
    server.

    The other thing you could do is use a Cisco ACS server to front end the AD
    authentication and have the web server authenticate to the ACS via RADIUS or
    TACACS. You will need to code the RADIUS integration (unless you can find
    it somewhere :-)

    HTH,

    -James

    At 11:25 12/12/2003, Shawn Jackson wrote:

    > All you need is LDAP access (TCP 389) to your Catalogue server.
    >Even if you lock down your connection to the AD box, if someone
    >compromises your IIS server they can gain a lot of information from
    >your server. When we used this method with C# .Net we needed to have
    >LDAP and Microsoft-DS (TCP 445) open to the server.
    >
    > Honestly, I would advise against placing a server in the DMZ
    >that will access any part of your AD infrastructure; it's just not
    >secure enough. If you absolutely had to authenticate with AD I'd
    >suggest creating a simple program (web page (ASP, CGI, or CF) or .Net
    >service/remote app) that would take two parameters (Username and
    >Password) and return a value, then just parse that value to get your
    >logon result. Place that app on a 'non-critical' server and it will be
    >far more secure than accessing AD directly.
    >
    > I can give you the code I use to access AD in C# and suggested
    >implementation if you wish.
    >
    >Shawn Jackson
    >Systems Administrator
    >Horizon USA
    >1190 Trademark Dr #107
    >Reno NV 89521
    >www.horizonusa.com
    >
    >Email: sjackson@horizonusa.com
    >Phone: (775) 858-2338
    > (800) 325-1199 x338
    >
    >-----Original Message-----
    >From: Geoff.Shatz@pchelps.com [mailto:Geoff.Shatz@pchelps.com]
    >Sent: Friday, December 12, 2003 7:33 AM
    >To: security-basics@securityfocus.com
    >Subject: DMZ and AD Authentication
    >
    >We are in a situation where we are currently planning the move of our
    >web server from an externally hosted solution to hosting the web server
    >in house. As part of this move we will be implementing a new internal
    >application that will run on the web server that will require
    >authentication based on Active Directory account info. Obviously this
    >will require that the web server has the ability to communicate with
    >the AD domain controllers. That being the case will it still be
    >possible to place this web server on a DMZ or will the amount of open
    >ports required between the DMZ and LAN for the required authentication
    >process severely mitigate the benefits of placing the server in the DMZ
    >in the first place? Any and all suggestions and/or strategies to
    >accomplish this in the most secure fashion are welcome and appreciated.
    >Thanks!
    >
    >Geoff
    >
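The pass/fail broker that Shawn describes above (a small program on a 'non-critical' internal host that takes a username and password and returns a single value the web server parses), as an added example that is not part of this thread and is not his C#/.NET code. It is written in Python; the in-memory table `_FAKE_DIRECTORY` is a constructed stand-in for the AD bind the real broker would perform, and the `send` callable stands in for the HTTPS call from the DMZ web server. The function names (`broker_handle`, `client_logon`, `verify_credentials`) are the example's own.

```python
import hmac
import json
import re

# Only plain account names are accepted; anything else never reaches the directory.
USERNAME_RE = re.compile(r"^[A-Za-z0-9._-]{1,64}$")
MAX_PASSWORD_LEN = 256

# The only two answers the broker gives. Malformed input, unknown user and
# wrong password all collapse to FAIL, so the DMZ side learns nothing about
# directory contents from the reply.
OK = b'{"result":"ok"}'
FAIL = b'{"result":"fail"}'

# Constructed stand-in for the directory. In the real broker this lookup is an
# LDAP bind to a domain controller; the DMZ host itself never does that.
_FAKE_DIRECTORY = {
    "gshatz": "correct horse battery",
    "sjackson": "hunter2!",
}


def verify_credentials(username: str, password: str) -> bool:
    """Placeholder for the AD bind: True only on an exact username/password match.
    compare_digest keeps comparison time independent of where the strings differ."""
    stored = _FAKE_DIRECTORY.get(username)
    if stored is None:
        return False
    return hmac.compare_digest(stored.encode("utf-8"), password.encode("utf-8"))


def broker_handle(request_body: bytes, verify=verify_credentials) -> bytes:
    """Broker side (runs on the internal, 'non-critical' host).

    Parses one request, validates it, asks the directory, and answers with one
    of two fixed bodies. The password is never logged or echoed back."""
    try:
        req = json.loads(request_body.decode("utf-8"))
        username = req["username"]
        password = req["password"]
    except (ValueError, KeyError, TypeError, UnicodeDecodeError):
        return FAIL
    if not isinstance(username, str) or not isinstance(password, str):
        return FAIL
    if not USERNAME_RE.match(username) or len(password) > MAX_PASSWORD_LEN:
        return FAIL
    outcome = verify(username, password)
    # Audit line carries the account name and the outcome only.
    print(f"broker: logon user={username} result={'ok' if outcome else 'fail'}")
    return OK if outcome else FAIL


def client_logon(username: str, password: str, send=None) -> bool:
    """Web-server side (DMZ). Builds the request and parses the single value
    that comes back. `send` stands in for an HTTPS POST to the broker; the
    default calls the broker in-process so the example runs offline."""
    if send is None:
        send = broker_handle
    body = json.dumps({"username": username, "password": password}).encode("utf-8")
    reply = send(body)
    try:
        return json.loads(reply.decode("utf-8")).get("result") == "ok"
    except (ValueError, AttributeError, UnicodeDecodeError):
        return False


if __name__ == "__main__":
    print(client_logon("gshatz", "correct horse battery"))  # True
    print(client_logon("gshatz", "wrong password"))          # False
    print(client_logon("nobody", "anything"))                # False
```

With this split the firewall rule from the DMZ to the LAN is one TCP port to the broker host, and only the broker needs the LDAP (389) and Microsoft-DS (445) reachability to a domain controller that Shawn's direct-access design required on the web server itself. Because the broker answers with the same fixed body for a bad request, an unknown account and a wrong password, a compromised web server gets a yes/no oracle and nothing more from it, which is a much smaller surface than LDAP queries against the catalogue.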

