RE: AD in the DMZ . . . OK?
From: Handy, Mark (IT) (Mark.Handy_at_morganstanley.com)
Date: 07/30/04
- Previous message: Rocky Heckman: "RE: fax software in the domain"
- Maybe in reply to: karl: "AD in the DMZ . . . OK?"
- Next in thread: Ferino Mardo: "RE: AD in the DMZ . . . OK?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 30 Jul 2004 18:24:43 +0100
To: "Dieter Sarrazyn" <dsr@ascure.com>, <security-basics@securityfocus.com>
Alternatively, host a separate AD structure purely for your DMZ
infrastructure and have site-to-site communication set up through the
firewall if needed.
Mark
-----Original Message-----
From: Dieter Sarrazyn [mailto:dsr@ascure.com]
Sent: 30 July 2004 06:09
To: security-basics@securityfocus.com
Subject: RE: AD in the DMZ . . . OK?
Wouldn't using LDAP be a solution here? Every AD system is in fact also
an LDAP server.
If the only thing needed is authentication with userid/password, then
this is fairly simple to do. A special group could be created containing
all users that are allowed to use this type of authentication. Using an
"ldap-read" user which has only read access to this group is pretty
secure, I guess.
Regards,
Dieter
> -----Original Message-----
> From: Roger A. Grimes [mailto:roger@banneretcs.com]
> Sent: donderdag 29 juli 2004 4:51
> To: karl; security-basics@securityfocus.com
> Subject: RE: AD in the DMZ . . . OK?
>
> Karl, while I can't say I'm an expert on the subject, all I can say is
> to use caution and think about the risks that are involved (which you
> are already doing by sending out this email). If I were to expose any
> AD domain to the DMZ, I would take great pains to secure it using
> additional methods (i.e. IPSec, SSL with client authentication
> certificates, VPN, RRAS, Network Access Quarantine Control, etc.) to
> secure and authenticate the communication channel. For a couple of
> reasons:
>
> 1. First, AD with W2K and above likes to use Kerberos as the default
> user authentication protocol. Kerberos is significantly stronger than
> its predecessors (LM, NTLM, and NTLMv2). If users connect to your AD
> on the DMZ and don't have a secure VPN tunnel that supports Kerberos,
> then they will connect using one of the earlier protocols, all of
> which have been successfully attacked using brute force methods.
> Unless you have LM hashing turned off, I may be able to capture LM
> password hashes in the traffic and compromise passwords.
>
> 2. Unless you have SID filtering turned on, it may be possible for a
> lesser authenticated security principal account (other requirements
> apply) to elevate their privileges using the SID History trick.
>
> 3. Unless you have your anonymous enumeration permissions set
> securely, a remote hacker may be able to enumerate your AD objects.
>
> 4. If I was a malicious hacker and I knew you were authenticating
> your network user accounts on your DMZ, I would try my best to
> successfully compromise your DMZ and sniff traffic.
>
> These are just a few things I would worry about. A secure
> communication tunnel and/or a properly designed .NET app can
> minimize the risk. So the real answer is that yes, putting AD on the
> DMZ elevates your risk of compromise, but that elevated risk can be
> minimized by taking additional countermeasures. And security risk is
> always just a cost/benefit trade off.
>
> Roger
>
> *****************************************************************************
> *Roger A. Grimes, Banneret Computer Security, Computer Security Consultant
> *CPA, CISSP, MCSE: Security (NT/2000/2003/MVP), CNE (3/4), A+
> *email: roger@banneretcs.com
> *cell: 757-615-3355
> *Author of Malicious Mobile Code: Virus Protection for Windows by O'Reilly
> *http://www.oreilly.com/catalog/malmobcode
> *Author of upcoming Honeypots for Windows (Apress)
> *****************************************************************************
>
> -----Original Message-----
> From: karl [mailto:opium@runningriver.co.uk]
> Sent: Wednesday, July 28, 2004 6:49 AM
> To: security-basics@securityfocus.com
> Subject: AD in the DMZ . . . OK?
>
> Hello
>
> One of the developers I work with has come up with a wild and crazy
> notion to write a .NET app that sits on a DMZ Web server but gets user
> information from the Active Directory on the other side of the
> firewall.
>
> I'm inexperienced with this, so did some research and found that this
> kind of thing is possible (plenty of articles on putting Exchange
> servers in the DMZ), but found myself wondering if this ever happens,
> i.e. do people actually have their networks set up this way? Do folk
> expose/replicate AD to the DMZ in practice?
>
> It's all very well that this stuff is possible, but if it's perceived
> as insecure and not implementable in the real world . . . . . . .
>
> Thanks for any advice . . . . .
>
> Karl
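Dieter's LDAP suggestion, together with Roger's point about securing the channel, as an added example that is not code from any poster in this thread: a C# routine for the DMZ .NET app that binds with a read-only service account over LDAPS, confirms the user belongs to the allowed group, then verifies the password with a second bind as that user. It assumes .NET 2.0 or later for System.DirectoryServices.Protocols; the host name, base DN, group DN and service-account DN are placeholders.

```csharp
using System;
using System.DirectoryServices.Protocols;
using System.Net;

// Added example; every name below is a placeholder, not a value from the thread.
public static class DmzLdapAuth
{
    const string Host = "dc1.corp.example";      // domain controller reachable through the firewall
    const int LdapsPort = 636;                   // LDAP over SSL: userid/password never cross the DMZ in clear
    const string BaseDn = "DC=corp,DC=example";
    const string AllowedGroupDn = "CN=DMZ-WebUsers,OU=Groups,DC=corp,DC=example";
    const string ReaderDn = "CN=ldap-read,OU=Service,DC=corp,DC=example"; // read-only account

    // Returns true only if userId is a member of AllowedGroupDn and password is correct.
    public static bool Authenticate(string userId, string password, string readerPassword)
    {
        // An empty password would turn the second bind into an anonymous bind that "succeeds".
        if (string.IsNullOrEmpty(userId) || string.IsNullOrEmpty(password)) return false;
        LdapDirectoryIdentifier server = new LdapDirectoryIdentifier(Host, LdapsPort);
        string userDn;
        using (LdapConnection reader = new LdapConnection(server, new NetworkCredential(ReaderDn, readerPassword), AuthType.Basic))
        {
            reader.SessionOptions.SecureSocketLayer = true;  // server certificate is validated by default
            reader.SessionOptions.ProtocolVersion = 3;
            reader.Bind();
            // memberOf is a direct-membership check only; nested groups are not resolved here.
            string filter = "(&(objectClass=user)(sAMAccountName=" + EscapeFilter(userId) +
                            ")(memberOf=" + EscapeFilter(AllowedGroupDn) + "))";
            SearchRequest request = new SearchRequest(BaseDn, filter, SearchScope.Subtree, "distinguishedName");
            SearchResponse response = (SearchResponse)reader.SendRequest(request);
            if (response.Entries.Count != 1) return false;   // unknown user, or not in the allowed group
            userDn = response.Entries[0].DistinguishedName;
        }
        // Second bind as the user proves the password; the reader account never needs it.
        using (LdapConnection user = new LdapConnection(server, new NetworkCredential(userDn, password), AuthType.Basic))
        {
            user.SessionOptions.SecureSocketLayer = true;
            user.SessionOptions.ProtocolVersion = 3;
            try { user.Bind(); return true; }
            catch (LdapException) { return false; }          // wrong password, locked or disabled account
        }
    }

    // RFC 4515 escaping so a crafted userid cannot alter the search filter (backslash first).
    static string EscapeFilter(string v)
    {
        return v.Replace("\\", "\\5c").Replace("*", "\\2a").Replace("(", "\\28")
                .Replace(")", "\\29").Replace("\0", "\\00");
    }
}
```

The read-only account only ever needs list and read rights on the group and the user objects it looks up, which keeps the damage bounded if the DMZ host and its stored credential are compromised.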