RE: AD in the DMZ . . . OK?
From: Dieter Sarrazyn (dsr_at_ascure.com)
Date: 07/30/04
- Previous message: Alexandros Papadopoulos: "Re: upgrading to IE6 on w2k servers"
- Maybe in reply to: karl: "AD in the DMZ . . . OK?"
- Next in thread: Ansgar -59cobalt- Wiechers: "Re: AD in the DMZ . . . OK?"
- Reply: Ansgar -59cobalt- Wiechers: "Re: AD in the DMZ . . . OK?"
- Reply: Peter Van Eeckhoutte: "Re: AD in the DMZ . . . OK?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 30 Jul 2004 07:09:10 +0200 To: <security-basics@securityfocus.com>
Wouldn't using LDAP be a solution here? Every AD system is in fact also
an LDAP server.
If the only thing needed is authentication with userid/password, then
this is fairly simple to do. A special group could be created containing
all users that are allowed to use this type of authentication. Using a
"ldap-read" user which has only read access to this group is pretty
secure I guess.
Regards,
Dieter
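As an added example (not code from the thread), the search-then-bind pattern Dieter describes, in Python: a read-only service account looks the user up inside a gate group, and only then is the user's own password checked with a bind. All DNs, account names and the in-memory directory are constructed; the in-memory stand-in also reproduces AD's behaviour of reporting a simple bind with an empty password as successful (an unauthenticated bind), which the authenticate function refuses up front.

```python
SEARCH_BASE = "DC=example,DC=test"                             # constructed
GATE_GROUP = "CN=DMZ-Web-Users,OU=Groups,DC=example,DC=test"  # constructed

def escape_filter_value(value):
    """RFC 4515 escaping: a user-supplied value cannot change the filter's shape."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def build_filter(username, group_dn=GATE_GROUP):
    """Only a user object that is a direct member of the gate group matches."""
    return "(&(objectClass=user)(sAMAccountName=%s)(memberOf=%s))" % (
        escape_filter_value(username), escape_filter_value(group_dn))

def authenticate(directory, username, password):
    """Search as the read-only service account, then bind as the user.
    True only when exactly one gated account matches and its bind succeeds."""
    if not username or not password:
        # AD treats a simple bind with an empty password as an *unauthenticated*
        # bind and reports success, so an empty password must be refused here.
        return False
    matches = directory.search(SEARCH_BASE, build_filter(username))
    if len(matches) != 1:
        return False
    return directory.simple_bind(matches[0], password)

class FakeDirectory:
    """Constructed stand-in for a real LDAP connection (a library such as ldap3
    in production). Search works by exact filter equality, so an injected filter
    never matches; simple_bind reproduces AD's unauthenticated-bind quirk."""
    def __init__(self, users):
        self.users = users   # sAMAccountName -> (dn, password, [group DNs])

    def search(self, base, ldap_filter):
        return [dn for sam, (dn, _pw, groups) in self.users.items()
                if dn.endswith(base)
                and any(build_filter(sam, g) == ldap_filter for g in groups)]

    def simple_bind(self, dn, password):
        if password == "":
            return True      # empty password: AD answers "success" without authenticating
        return any(d == dn and pw == password for d, pw, _ in self.users.values())

DIRECTORY = FakeDirectory({   # constructed sample accounts
    "alice": ("CN=alice,OU=Staff,DC=example,DC=test", "correct horse", [GATE_GROUP]),
    "bob":   ("CN=bob,OU=Staff,DC=example,DC=test", "hunter2",
              ["CN=Domain Users,CN=Users,DC=example,DC=test"]),
})
```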
> -----Original Message-----
> From: Roger A. Grimes [mailto:roger@banneretcs.com]
> Sent: donderdag 29 juli 2004 4:51
> To: karl; security-basics@securityfocus.com
> Subject: RE: AD in the DMZ . . . OK?
>
> Karl, while I can't say I'm an expert on the subject, all I can
> say is to use caution and think about the risks that are
> involved (which you are already doing by sending out this
> email). If I were to expose any AD domain to the DMZ, I
> would take great pains to secure it using additional methods
> (i.e. IPSec, SSL with client authentication certificates,
> VPN, RRAS, Network Access Quarantine Control, etc.) to secure
> and authenticate the communication channel. For a couple of
> reasons:
>
> 1. First, AD with W2K and above likes to use Kerberos as the
> default user authentication protocol. Kerberos is
> significantly stronger than its predecessors (LM, NTLM, and
> NTLMv2). If users connect to your AD on the DMZ and don't
> have a secure VPN tunnel that supports Kerberos, then they
> will connect using one of the earlier protocols, all of which
> have been successfully attacked using brute force methods.
> Unless you have LM hashing turned off, I may be able to
> capture LM password hashes in the traffic and compromise passwords.
>
> 2. Unless you have SID filtering turned on, it may be
> possible for a lesser authenticated security principal
> account (other requirements
> apply) to elevate their privileges using the SID History trick.
>
> 3. Unless you have your anonymous enumeration permissions
> set securely, a remote hacker may be able to enumerate your
> AD objects.
>
> 4. If I was a malicious hacker and I knew you were
> authenticating your network user accounts on your DMZ, I
> would try my best to successfully compromise your DMZ and
> sniff traffic.
>
> This is just a few things I would worry about. A secure
> communications tunnel and/or a properly designed .NET app
> can minimize the risk. So the real answer is that yes,
> putting AD on the DMZ elevates your risk of compromise, but
> that elevated risk can be minimized by taking additional
> countermeasures. And security risk is always just a
> cost/benefit trade off.
>
> Roger
>
> **************************************************************
> *Roger A. Grimes, Banneret Computer Security, Computer Security Consultant
> *CPA, CISSP, MCSE: Security (NT/2000/2003/MVP), CNE (3/4), A+
> *email: roger@banneretcs.com
> *cell: 757-615-3355
> *Author of Malicious Mobile Code: Virus Protection for Windows by O'Reilly
> *http://www.oreilly.com/catalog/malmobcode
> *Author of upcoming Honeypots for Windows (Apress)
> **************************************************************
>
> -----Original Message-----
> From: karl [mailto:opium@runningriver.co.uk]
> Sent: Wednesday, July 28, 2004 6:49 AM
> To: security-basics@securityfocus.com
> Subject: AD in the DMZ . . . OK?
>
> Hello
>
> One of the developers I work with has come up with a wild and
> crazy notion to write a .NET app that sits on a DMZ Web
> server but gets user information from the Active Directory on
> the other side of the firewall.
>
> I'm inexperienced with this, so did some research and found
> that this kind of thing is possible (plenty of articles on
> putting Exchange servers in the DMZ), but found myself
> wondering if this ever happens, i.e. do people actually have
> their networks set up this way? Do folk expose/replicate AD
> to the DMZ in practice?
>
> It's all very well that this stuff is possible, but if it's
> perceived as insecure and not implementable in the real world
> . . . . . . .
>
> Thanks for any advice . . . . .
>
> Karl
>
>
> --------------------------------------------------------------
> ----------
> ---
> Ethical Hacking at the InfoSec Institute. Mention this ad and
> get $545 off any course! All of our class sizes are
> guaranteed to be 10 students or less to facilitate one-on-one
> interaction with one of our expert instructors.
> Attend a course taught by an expert instructor with years of
> in-the-field pen testing experience in our state of the art
> hacking lab.
> Master the skills of an Ethical Hacker to better assess the
> security of your organization.
> Visit us at:
> http://www.infosecinstitute.com/courses/ethical_hacking_training.html
> --------------------------------------------------------------
> ----------
> ----