RE: AD across both DMZ & LAN
From: Depp, Dennis M. (deppdm_at_ornl.gov)
Date: 03/01/05
- Previous message: Marco: "Re: securing linux webserver?"
- Maybe in reply to: Leon North: "AD across both DMZ & LAN"
- Next in thread: Nick Owen: "Separating authentication and authorization for admins was: RE: AD across both DMZ & LAN"
- Reply: Nick Owen: "Separating authentication and authorization for admins was: RE: AD across both DMZ & LAN"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 01 Mar 2005 13:03:01 -0500 To: Leon North <leon_nc@linuxmail.org>, security-basics@securityfocus.com
Leon,
1. Yes this is possible. You will want to setup two forests and create
a one way trust between the two forests. (or between two domains in the
forest.)
2. While not ideal, I think it is an acceptable approach. However,
your management will have to decide if the risk is worth the cost
savings.
3. You should be able to configure loopback processing of GPOs on the
Citrix server. This will allow you to define a separate user profile
when they log onto the Citrix server.
Denny
-----Original Message-----
From: Leon North [mailto:leon_nc@linuxmail.org]
Sent: Tuesday, March 01, 2005 10:20 AM
To: security-basics@securityfocus.com
Subject: AD across both DMZ & LAN
Hi,
We currently have an NT4 domain in the DMZ and an unrelated NT4 domain
internally. The DMZ domain contains a server running citrix, and is used
for internet web browsing/email, so that we only have to allow the
citrix connection through the FW to the LAN & no internal users can
directly access the internet from their PC's.
As part of an upgrade to Active Directory (both domains Win2k3), we
would like to get the DMZ to trust the internal domain, so that we only
have one set of user accounts to manage. But I am not sure about a
couple of things with this setup-
1. Will this work like this, so that we only need 1 user account per
user instead of a seperate one externally to internally? (excuse the
vagueness of the question)
2. If so, is that (not ideal I know but) an acceptable approach security
wise, when the DMZ DC can access the accounts on the internal domain?
3. Can we configure it somehow so that the user gets a different profile
when logging in to the DMZ only? I ask that because one potential issue
I see is getting a virus infection into user profile while logged into
the DMZ, then logging into an internal server.
Thanks for any help.
Leon
-- ______________________________________________ Check out the latest SMS services @ http://www.linuxmail.org This allows you to send and receive SMS through your mailbox. Powered by Outblaze
- Previous message: Marco: "Re: securing linux webserver?"
- Maybe in reply to: Leon North: "AD across both DMZ & LAN"
- Next in thread: Nick Owen: "Separating authentication and authorization for admins was: RE: AD across both DMZ & LAN"
- Reply: Nick Owen: "Separating authentication and authorization for admins was: RE: AD across both DMZ & LAN"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
|
