Re: DMZ Services, Best Balance Between Security and Functionality, Comments?

From: MS (ms_at_ms.net)
Date: 07/03/03


Date: Thu, 03 Jul 2003 08:45:10 -0400


It depends where your DMZ is --- between what and what?

If it's between your intranet and the Internet, don't extend your
internal AD forest to the DMZ.

If it's between your intranet and another company, 2 or 3 may be acceptable.

Ben Robinson wrote:
> Hi
>
> We have several services in the DMZ that would benefit from domain
> membership (centralised management etc.), and there is an additional requirement
> for external users to authenticate to a central repository (AD). Of the 5
> options described below, what would people consider to be the pros and
> cons?
>
> 1 Workgroup everything: Poor centralised management and high TCO,
> although more secure. Not really an option due to high TCO.
> 2 Member servers in the DMZ - members of internal only AD with all
> traffic secured through firewall (IPSec etc)
> 3 Member servers in the DMZ - members of internal AD with DC(s) placed in
> DMZ, replication traffic secured with IPSec etc
> 4 Member servers in the DMZ - members of external AD forest that trusts
> internal forest (one-way only). All external users accounts in external
> forest. Trust traffic secured with IPSec
> 5 Member servers in the DMZ - members of external AD forest that trusts
> internal forest (one-way only). All external user accounts and groups in
> INTERNAL forest for centralisation, external permissions applied to
> internally located Universals. All traffic secured with IPSec and external
> forest exists purely to allow centralised management of DMZ machines.
>
> While we're interested in the risks not only to the internal network, but
> also the interception of any traffic into/out of the DMZ, and also the
> potential for seizing control of DMZ-located services that could help
> leverage control of AD - internal forest would in no way trust external -
> simplicity is a key driver.
>
> Many thanks
>
> Ben
>
>
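
The one-way trust in options 4 and 5 only buys anything if it really is one-way in the direction Ben describes (the DMZ forest trusts the internal forest, never the reverse) and if SID filtering and selective authentication are on, so that a compromised DMZ forest cannot inject SIDs or authenticate broadly into the internal forest. The following is an added example, not part of the thread, showing how to audit that from both sides with the ActiveDirectory PowerShell module (a newer tool than this 2003 discussion; forest names and the function name are hypothetical):

```powershell
# Added example (not from the original thread): audit the one-way trust from
# options 4 and 5 of the post. Forest names below are hypothetical.
Import-Module ActiveDirectory

$InternalForest = 'corp.example'   # hypothetical internal forest
$DmzForest      = 'dmz.example'    # hypothetical DMZ forest

function Test-OneWayDmzTrust {
    param(
        [string]$InternalForest,
        [string]$DmzForest
    )
    $findings = @()

    # Seen from the DMZ forest, the trust object for the internal forest must be
    # Outbound (DMZ trusts internal), forest-transitive, with SID filtering and
    # selective authentication enabled so only explicitly granted internal
    # principals can reach DMZ resources.
    $dmzSide = Get-ADTrust -Server $DmzForest -Filter "Name -eq '$InternalForest'"
    if (-not $dmzSide) {
        $findings += "DMZ forest has no trust object for $InternalForest"
    } else {
        if ($dmzSide.Direction -ne 'Outbound') {
            $findings += "DMZ-side trust is $($dmzSide.Direction); expected Outbound only"
        }
        if (-not $dmzSide.ForestTransitive) {
            $findings += "DMZ-side trust is not a forest trust"
        }
        if (-not $dmzSide.SIDFilteringForestAware -and -not $dmzSide.SIDFilteringQuarantined) {
            $findings += "Neither SID-filtering flag is set on the DMZ side"
        }
        if (-not $dmzSide.SelectiveAuthentication) {
            $findings += "Selective authentication is off on the DMZ side"
        }
    }

    # Seen from the internal forest, the same trust should appear as Inbound
    # (internal is trusted; it trusts nothing in the DMZ). Outbound or
    # BiDirectional here means the internal forest trusts the DMZ forest,
    # which is exactly what the design rules out.
    $intSide = Get-ADTrust -Server $InternalForest -Filter "Name -eq '$DmzForest'"
    if ($intSide -and $intSide.Direction -ne 'Inbound') {
        $findings += "Internal forest trusts $DmzForest ($($intSide.Direction)); must be Inbound only"
    }

    return $findings
}

$result = Test-OneWayDmzTrust -InternalForest $InternalForest -DmzForest $DmzForest
if ($result.Count -eq 0) { 'Trust matches the one-way design' } else { $result }

# Windows Server 2003-era equivalent of the direction/validity check, no module needed:
#   netdom trust dmz.example /d:corp.example /verify
```

Run it with an account that can read trust objects in both forests; each string returned is one deviation from the intended design, and an empty result means the trust is outbound-only from the DMZ side, inbound-only from the internal side, and hardened. Selective authentication needs a forest trust at the Windows Server 2003 forest functional level, which is the platform the thread is discussing.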
