Re: AD in the DMZ . . . OK?

From: Ansgar -59cobalt- Wiechers (bugtraq_at_planetcobalt.net)
Date: 07/30/04

Date: Fri, 30 Jul 2004 20:53:36 +0200
To: security-basics@securityfocus.com


    On 2004-07-30 Dieter Sarrazyn wrote:
    > Wouldn't using LDAP be a solution here? Every AD system is in fact
    > also an ldap server.
    >
    > If the only thing needed is authentication with userid/password, then
    > this is fairly simple to do. A special group could be created
    > containing all users that are allowed to use this type of
    > authentication. Using a "ldap-read" user which has only read access to
    > this group is pretty secure I guess.

    If I'm reading you correctly that would still require access from the
    DMZ to the DC, thus still violating the DMZ. No host in the DMZ should
    ever be able to access any service inside the internal network.

    Regards
    Ansgar Wiechers

    -- 
    "Those who would give up liberty for a little temporary safety
    deserve neither liberty nor safety, and will lose both."
    --Benjamin Franklin
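Ansgar's objection above is really a firewall-policy question: any allow rule whose source is a DMZ host and whose destination is the internal network is the kind of flow he rules out, whatever the port or protocol. The following added example (not from the thread) audits a constructed rule list for exactly that; the zone address ranges, the Rule class and the sample rules are assumptions.

```python
# Added example: flag firewall allow rules that let a DMZ host reach
# the internal network. Zones, addresses and rules are constructed
# placeholders, not taken from any real deployment.
import ipaddress
from dataclasses import dataclass

ZONES = {  # assumed layout; 0.0.0.0/0 is the catch-all "internet" zone
    "internet": [ipaddress.ip_network("0.0.0.0/0")],
    "dmz":      [ipaddress.ip_network("192.0.2.0/24")],
    "internal": [ipaddress.ip_network("10.0.0.0/8")],
}

@dataclass
class Rule:
    src: str
    dst: str
    dport: int
    action: str  # "allow" or "deny"

def zone_of(addr: str) -> str:
    """Most specific matching zone wins, so 0.0.0.0/0 is only a fallback."""
    ip = ipaddress.ip_address(addr)
    best, best_len = "internet", -1
    for name, nets in ZONES.items():
        for net in nets:
            if ip in net and net.prefixlen > best_len:
                best, best_len = name, net.prefixlen
    return best

def dmz_to_internal_violations(rules):
    """Allow rules whose source is in the DMZ and destination is internal."""
    return [r for r in rules
            if r.action == "allow"
            and zone_of(r.src) == "dmz"
            and zone_of(r.dst) == "internal"]

# Constructed sample: the proposed "LDAP-read bind from the DMZ web server
# to the DC" (plain LDAP and LDAPS), one inbound-to-DMZ rule, one deny.
SAMPLE_RULES = [
    Rule("192.0.2.10", "10.1.1.5", 389, "allow"),   # DMZ web -> internal DC, LDAP
    Rule("192.0.2.10", "10.1.1.5", 636, "allow"),   # same flow over LDAPS
    Rule("10.1.2.20", "192.0.2.10", 443, "allow"),  # internal -> DMZ, not flagged
    Rule("192.0.2.10", "10.1.1.5", 445, "deny"),    # denied, not flagged
]

if __name__ == "__main__":
    for r in dmz_to_internal_violations(SAMPLE_RULES):
        print(f"DMZ host {r.src} may reach internal {r.dst}:{r.dport}")
```

Both LDAP rules are reported: restricting the bind account to read access on one group, as Dieter suggests, does not change the fact that the DMZ host has a path to the DC.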
