AD in the DMZ - Any thoughts on this scenario?

  • Thread starter Thread starter Trust No One®
  • Start date Start date
T

Trust No One®

Hi Folks,

Appreciate input on this one.

My company recently done a feasibility on implementing Windows 2003 and AD
in our internet facing DMZ. Basically an external consultant came in and
produced a report. The report recommended setting up a separate AD forest
spanning both our DMZ and internal network, with member servers sited in the
DMZ subnets and the domain controllers located on the internal network. The
appropriate ports are then opened on the corporate firewall to permit
communication to/from the domain controllers, communications are secured via
IPSEC.

The consultant assured us that other corporate run similar configurations,
the advantage being that administration of the AD and maintenance of the DCs
is far easier as you won't need to cross the firewall; the domain
controllers can be pointed at the internal DNS servers.

Despite the assurances I'm troubled by the recommendation as

a) It introduces the possibility (however small) of an intruder using the
path to the domain controllers to hop from the DMZ into the internal network
should he/she manage to comprise one of the internet facing member servers.

b) Security rather than ease of administration should surely be the main
consideration.

c) ISTR RPC requires a significant range of ports to be opened? I know that
the range of ports can be locked down to a defined range rather the default
of dynamic, but a number of holes still need to be punched in order to
permit communication to the domain controllers.

I would have thought a completely separate DMZ forest with possibly a one
way trust to the internal AD forest would be the more secure way to go. I am
keeping an open mind at this stage however.

Any thoughts or comments on the consultant's recommendation? Is anyone on
the group successfully running with a split DMZ/Internal AD forest?

Best Wishes
 
That consultant gave you poor advice, you should only have an isolated
forest in a DMZ, not one that spans the DMZ and internal network.
You don't mention what you need the directory for, but have you considered
using ADAM in the DMZ instead of full blown AD?
 
Trust said:
Hi Folks,

Appreciate input on this one.

My company recently done a feasibility on implementing Windows 2003
and AD in our internet facing DMZ. Basically an external consultant
came in and produced a report. The report recommended setting up a
separate AD forest spanning both our DMZ and internal network, with
member servers sited in the DMZ subnets and the domain controllers
located on the internal network. The appropriate ports are then
opened on the corporate firewall to permit communication to/from the
domain controllers, communications are secured via IPSEC.

The consultant assured us that other corporate run similar
configurations, the advantage being that administration of the AD and
maintenance of the DCs is far easier as you won't need to cross the
firewall; the domain controllers can be pointed at the internal DNS
servers.
Click to expand...

Ask him for a list of these corporations & the appropriate contacts at each.
I think this is BAD advice, myself. Your concerns below are quite valid. The
purpose of a DMZ is to prevent any traffic coming in from it to your LAN.
 
Simon said:
That consultant gave you poor advice, you should only have an isolated
forest in a DMZ, not one that spans the DMZ and internal network.
You don't mention what you need the directory for, but have you
considered using ADAM in the DMZ instead of full blown AD?
Click to expand...

Thanks for your reply.

The feasibility study revoles around introducing Windows 2003 servers (web /
application) in the DMZ. Up till now our DMZ has been a Unix only shop. As
future expansion is envisioned, a small AD would be essential for
centralised managment of these servers rahter than setting up separate
accounts & security templates on each. I don't think ADAM would be the ideal
solution in this case.

The design recommendation did trouble me as unlike say a database server,
the domain controllers for the AD forest would hold no sensitive
information. In my opinion, placing the DCs in the DMZ serves no real useful
purpose other than convenience, but at the expense of security.
 
Thanks for your reply.

The feasibility study revoles around introducing Windows 2003 servers (web /
application) in the DMZ. Up till now our DMZ has been a Unix only shop. As
future expansion is envisioned, a small AD would be essential for
centralised managment of these servers rahter than setting up separate
accounts & security templates on each. I don't think ADAM would be the ideal
solution in this case.
Click to expand...
I have had a number of servers on a DMZ, and I would never have
considered running AD outside of the Firewall. If you really must have
AD outside the firewall do not connect it in any way to the internal
AD.
The design recommendation did trouble me as unlike say a database server,
the domain controllers for the AD forest would hold no sensitive
information. In my opinion, placing the DCs in the DMZ serves no real useful
purpose other than convenience, but at the expense of security.
Click to expand...
Your consultant had probably been listening to Steve Riley:

http://www.microsoft.com/serviceproviders/columns/config_ipsec_P63623.asp

While Steve is a guru and can set up secure systems in his sleep with
no firewalls and no chance of any intrusions, the rest of us are not
gurus, and make mistakes, and need the added protection of firewalls
and things like that. And one of the best recommendations is that you
don't have AD spanning a firewall.

Incidentally, if you get a chance, go and hear Steve Riley talk. He's
an interesting and entertaining speaker.

Cheers,

Cliff
 
I think that Steve is talking about running AD across a firewall within the
network and not the actual perimeter network. I can see no reason for
having internal servers in a DMZ.

I have situations whereby there are firewalls in between DCs; but none of
our DCs reside on a DMZ. There is a secure perimeter around our networks,
and we firewall them inside too. That's when this whitepaper is needed;
like Simon said, perhaps ADAM is better suited...


--

Paul Williams
_________________________________________
http://www.msresource.net


Join us in our new forums!
http://forums.msresource.net
_________________________________________


Thanks for your reply.

The feasibility study revoles around introducing Windows 2003 servers (web /
application) in the DMZ. Up till now our DMZ has been a Unix only shop. As
future expansion is envisioned, a small AD would be essential for
centralised managment of these servers rahter than setting up separate
accounts & security templates on each. I don't think ADAM would be the ideal
solution in this case.
Click to expand...
I have had a number of servers on a DMZ, and I would never have
considered running AD outside of the Firewall. If you really must have
AD outside the firewall do not connect it in any way to the internal
AD.
The design recommendation did trouble me as unlike say a database server,
the domain controllers for the AD forest would hold no sensitive
information. In my opinion, placing the DCs in the DMZ serves no real useful
purpose other than convenience, but at the expense of security.
Click to expand...
Your consultant had probably been listening to Steve Riley:

http://www.microsoft.com/serviceproviders/columns/config_ipsec_P63623.asp

While Steve is a guru and can set up secure systems in his sleep with
no firewalls and no chance of any intrusions, the rest of us are not
gurus, and make mistakes, and need the added protection of firewalls
and things like that. And one of the best recommendations is that you
don't have AD spanning a firewall.

Incidentally, if you get a chance, go and hear Steve Riley talk. He's
an interesting and entertaining speaker.

Cheers,

Cliff
 
I think that Steve is talking about running AD across a firewall within the
network and not the actual perimeter network. I can see no reason for
having internal servers in a DMZ.

I have situations whereby there are firewalls in between DCs; but none of
our DCs reside on a DMZ. There is a secure perimeter around our networks,
and we firewall them inside too. That's when this whitepaper is needed;
like Simon said, perhaps ADAM is better suited...
Click to expand...

Ah, take your point, Paul, but as Steve Riley says, opening the
necessary ports turns your firewall into Swiss cheese.

Cheers,

Cliff
 
ptwilliams said:
I think that Steve is talking about running AD across a firewall
within the network and not the actual perimeter network. I can see
no reason for having internal servers in a DMZ.

I have situations whereby there are firewalls in between DCs; but
none of our DCs reside on a DMZ. There is a secure perimeter around
our networks, and we firewall them inside too. That's when this
whitepaper is needed; like Simon said, perhaps ADAM is better
suited...
Click to expand...
The ADAM suggestion made by both Simon and Paul intrigues me. As I mentioned
earlier, the purpose of the proposed AD forest in the DMZ will be provision
of centralized management and administration (esp Group Policies) of the
application servers Only the datacentre support teams and a user admin team
will logon to the AD. Is ADAM suited to this particular purpose as opposed
to full blown AD?

I've had a quick Google search and I've found precious few ADAM whitepapers
around (the technical reference looks daunting) and none so far on its use
in the DMZ. I plan to do a more in-depth search later. Has anyone come
across any articles on the application of ADAM in the DMZ that I can chew
over? I have a book "Building DMZs for Enterprise Networks", but
unfortunately it predates ADAM :(

Best Wishes,
 
I know what you mean. Running RPC in its default state across a firewall is
almost the same as binning the firewall!!! ;-)

--

Paul Williams
_________________________________________
http://www.msresource.net


Join us in our new forums!
http://forums.msresource.net
_________________________________________


I think that Steve is talking about running AD across a firewall within the
network and not the actual perimeter network. I can see no reason for
having internal servers in a DMZ.

I have situations whereby there are firewalls in between DCs; but none of
our DCs reside on a DMZ. There is a secure perimeter around our networks,
and we firewall them inside too. That's when this whitepaper is needed;
like Simon said, perhaps ADAM is better suited...
Click to expand...

Ah, take your point, Paul, but as Steve Riley says, opening the
necessary ports turns your firewall into Swiss cheese.

Cheers,

Cliff
 
If you need to use Group Policies you would need to stick with Active
Directory. Don't get me wrong, it's not a problem to have AD in a DMZ, just
make sure it's an isolated forest and not part of your internal forest.
 
Back
Top