Re: Webserver accessing Active Directory information

From: Toddah (anonymous_at_discussions.microsoft.com)
Date: 06/24/04


Date: Thu, 24 Jun 2004 05:25:49 -0700

Thanks, will check for AD groups
>-----Original Message-----
>On Wed, 23 Jun 2004 14:44:34 -0700, "Toddah"
><anonymous@discussions.microsoft.com> wrote:
>
>>I have a 3 leg PIX 515 with Inside (full AD), DMZ and
>>outside(internet) interfaces. I have a (workgroup) 2003
>>Server with IIS6 running a website in the DMZ. I have
>>allowed 1433 thru the firewall to talk to the inside SQL
>>server and that works fine. Our programmer has developed
>>an ASP application that needs Active Directory access from
>>the Webserver in the DMZ to look up user information and
>>route request forms based on group membership from forms
>>on the webserver.
>> How insecure is it to allow the ASP apps to access Active
>>Directory from the DMZ?
>
>Less secure than not doing it.
>
>> Is there a secure way to allow this or do I send him back
>>to the drawing board?
>
>Open the ports for the DMZ to LAN only. Not really smart to put a DC
>in a DMZ though.
>
>>If allowable what ports would I need to allow from the
>>list below.
>
>Kinda depends on what part of AD the apps use. I'd run the app and
>see what the firewall logs show as requested before just opening any
>somewhat appropriate ports.
>
>May also want to check in a general security group or an AD security
>group, none of this really involves IIS security.
>
>Jeff
>
>>UDP 53 (DNS)
>>UDP 88 (KPassword)
>>UDP 137 (NetBIOS Name)
>>UDP 138 (NetBIOS Datagram)
>>UDP 389 (LDAP)
>>UDP 750 (Kerberos)
>>
>>TCP 53 (DNS)
>>TCP 88 (KPassword)
>>TCP 135 (NetBIOS over TCP)
>>TCP 139 (NetBIOS Session)
>>TCP 389 (LDAP)
>>TCP 445 (CIFS)
>>TCP 636 (LDAP over SSL)
>>TCP 750 (Kerberos)
>>TCP 1026 (Active Directory)
>>TCP 1512 (WINS)
>>TCP 3268 (LDAP Global Catalog)
>>TCP 3269 (LDAP GC over SSL)
>>
>>Just trying to make sure I'm not opening the floodgates to
>>the badguys/girls.
>>Thank You
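Jeff's suggestion above (run the app, read the PIX logs, open only what was actually requested) can be made mechanical. The script below is an added example, not code from the thread or from Cisco; it parses PIX-style syslog text constructed here (hypothetical addresses: 10.1.2.5 is the DMZ web server, 192.168.1.10 the inside DC, 192.168.1.20 the inside SQL server that already has its 1433 rule), picks out the connections the DMZ host tried toward the inside that the firewall denied, and turns them into host-to-host `access-list` lines. The poster's port list is used as an allow-list of what may be opened at all; anything the app tries outside that list is flagged for a human rather than permitted. The message formats relied on are PIX 106023 (denied by ACL) and 302013/302015 (TCP/UDP connection built).

```python
import re
from collections import defaultdict

# Constructed PIX 6.x-style syslog lines (hypothetical: 10.1.2.5 is the DMZ web
# server, 192.168.1.10 the inside DC, 192.168.1.20 the inside SQL server whose
# 1433 rule already exists). 106023 = denied by an ACL, 302013 = TCP connection built.
SAMPLE_LOG = """\
Jun 23 2004 14:50:01: %PIX-6-302013: Built outbound TCP connection 1001 for dmz:10.1.2.5/1045 (10.1.2.5/1045) to inside:192.168.1.20/1433 (192.168.1.20/1433)
Jun 23 2004 14:50:02: %PIX-4-106023: Deny tcp src dmz:10.1.2.5/1046 dst inside:192.168.1.10/389 by access-group "dmz_in"
Jun 23 2004 14:50:02: %PIX-4-106023: Deny udp src dmz:10.1.2.5/1047 dst inside:192.168.1.10/53 by access-group "dmz_in"
Jun 23 2004 14:50:03: %PIX-4-106023: Deny tcp src dmz:10.1.2.5/1048 dst inside:192.168.1.10/88 by access-group "dmz_in"
Jun 23 2004 14:50:03: %PIX-4-106023: Deny tcp src dmz:10.1.2.5/1049 dst inside:192.168.1.10/445 by access-group "dmz_in"
Jun 23 2004 14:50:04: %PIX-4-106023: Deny tcp src dmz:10.1.2.5/1050 dst inside:192.168.1.10/1025 by access-group "dmz_in"
Jun 23 2004 14:50:04: %PIX-4-106023: Deny tcp src outside:203.0.113.7/3391 dst inside:192.168.1.10/445 by access-group "outside_in"
Jun 23 2004 14:50:05: %PIX-4-106023: Deny tcp src dmz:10.1.2.5/1051 dst inside:192.168.1.10/389 by access-group "dmz_in"
"""

# The (proto, port) list from the post, used as an allow-list of what we are
# willing to open at all; anything else the app tries gets flagged, not permitted.
CANDIDATE_PORTS = {
    ("udp", 53), ("udp", 88), ("udp", 137), ("udp", 138), ("udp", 389), ("udp", 750),
    ("tcp", 53), ("tcp", 88), ("tcp", 135), ("tcp", 139), ("tcp", 389), ("tcp", 445),
    ("tcp", 636), ("tcp", 750), ("tcp", 1026), ("tcp", 1512), ("tcp", 3268), ("tcp", 3269),
}

DENY_RE = re.compile(
    r"%PIX-\d-106023: Deny (?P<proto>tcp|udp) src (?P<sif>\w+):(?P<sip>[\d.]+)/\d+ "
    r"dst (?P<dif>\w+):(?P<dip>[\d.]+)/(?P<dport>\d+)"
)
BUILT_RE = re.compile(
    r"%PIX-\d-3020(?:13|15): Built (?:inbound|outbound) (?P<proto>TCP|UDP) connection \d+ "
    r"for (?P<sif>\w+):(?P<sip>[\d.]+)/\d+ \([^)]*\) to (?P<dif>\w+):(?P<dip>[\d.]+)/(?P<dport>\d+)"
)


def parse_pix_log(text):
    """Turn raw syslog text into a list of {action, proto, src_if, src, dst_if, dst, dport}."""
    events = []
    for line in text.splitlines():
        action, m = "deny", DENY_RE.search(line)
        if m is None:
            action, m = "permit", BUILT_RE.search(line)
        if m is None:
            continue  # some other message ID; not interesting here
        g = m.groupdict()
        events.append({"action": action, "proto": g["proto"].lower(),
                       "src_if": g["sif"], "src": g["sip"],
                       "dst_if": g["dif"], "dst": g["dip"], "dport": int(g["dport"])})
    return events


def denied_from_host(events, src_if, src_host, dst_if):
    """(proto, dport) -> sorted destination hosts the PIX denied for one source host."""
    hits = defaultdict(set)
    for e in events:
        if (e["action"] == "deny" and e["src_if"] == src_if
                and e["src"] == src_host and e["dst_if"] == dst_if):
            hits[(e["proto"], e["dport"])].add(e["dst"])
    return {k: sorted(v) for k, v in hits.items()}


def propose_acl(denied, acl_name, src_host):
    """Return (acl_lines, flagged): host-to-host PIX ACL lines for ports on the
    candidate list, and the (proto, port) pairs that need a human to look at."""
    acl_lines, flagged = [], []
    for (proto, port), hosts in sorted(denied.items()):
        if (proto, port) not in CANDIDATE_PORTS:
            flagged.append((proto, port))
            continue
        for host in hosts:
            acl_lines.append(
                f"access-list {acl_name} permit {proto} host {src_host} host {host} eq {port}")
    return acl_lines, flagged


def analyse(text=SAMPLE_LOG, web_server="10.1.2.5", acl_name="dmz_in"):
    """Whole pipeline for one DMZ host: parse, keep its denied inside-bound traffic, propose ACL."""
    denied = denied_from_host(parse_pix_log(text), "dmz", web_server, "inside")
    return propose_acl(denied, acl_name, web_server)


if __name__ == "__main__":
    lines, flagged = analyse()
    print("\n".join(lines))
    for proto, port in flagged:
        print(f"! {proto}/{port} requested by the web server but not on the candidate list; review")
```

The script keys on port numbers, not on the labels in the list, and only ever emits host-to-host rules (one DMZ address to one inside address), which is the "DMZ to LAN only" narrowing Jeff describes. The flagged list is the point of the exercise: in the constructed sample the app also reaches for tcp/1025, which is not on the list, so it is reported instead of opened. Run it against the real PIX syslog export with the web server's actual address; then, for the lookups themselves, the LDAP-over-SSL ports (636 and 3269) are the ones to prefer over plain 389/3268, since the bind credentials otherwise cross the DMZ boundary in the clear, and the account the ASP app binds with should be a read-only one that exists for that purpose.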


