Should a member server be put into a DMZ?

[Brian]

Someone suggested I post this again in another forum heres
my original post.
-----------------------
First some history,

I have a web server running IIS5. On a windows 2000
server, all service packs have been installed. currently
this server is standalone with the exception of ports open
on the firewall to a SQL server on the local network. By
stand alone I mean, it is in its own little workgroup. The
local domain is Win2k active directory mixed with some NT
40 machines.

Is there a security risk inherent in joining this web
server to the local domain? And If it is a member of the
domain is it possible for someone to gain access to the
Active directory info on that machine? How would I secure
it if so?

Thanks!

B.

 

[Karl Levinson [x y] mvp]

Yes, doing so does require that you open some sort of line of communication
between the member server and the domain controller for Windows
authentication. This means that someone who compromises your web server can
potentially access your domain controller, and if your domain controller is
on your internal network, then theoretically someone could then compromise
your domain controller and bypass the DMZ firewall to access anything else
on your internal network.

The same is true with the SQL server setup. It might be safer, but more
expensive, to either move the SQL server to the DMZ, or set up a second SQL
server and set up data replication between the two, ideally pushed one way
from the internal server to the external server if possible.

You would definitely want to have a good justification for wanting to gain
the added convenience and functionality by potentially weakening your
security. There may be compelling reasons for doing so, it's up to you and
your security needs. Generally, joining a computer to the domain is done
for easier administration of users and computers and for single sign on, at
the possible expense of security.

You could consider putting an AD controller somewhere that is not on the
internal network, such as somewhere on the DMZ, perhaps with some sort of
firewall or TCP/IP filtering between the controller and your web server.
Using some form of VPN encryption such as IPSec between the web server and
domain controller might be something to consider also. Hardening the
settings and patches on all related servers and increasing the NTLM level to
NTLMv2 only in the registry or group policy would be wise also [changing the
RestrictAnonymous setting involving anonymous null sessions, disabling
NetBIOS over TCP/IP, etc].

 

[Matt Scarborough]

Caveat Trollus: It is not a given here that a compromised server, member or
not, expectorates Domain Administrator credentials.

On Tue, 13 Jan 2004 13:46:31 -0800, Brian wrote

Someone suggested I post this again in another forum heres
my original post.
-----------------------
First some history,

I have a web server running IIS5. On a windows 2000
server, all service packs have been installed. currently
this server is standalone with the exception of ports open
on the firewall to a SQL server on the local network. By
stand alone I mean, it is in its own little workgroup. The
local domain is Win2k active directory mixed with some NT
40 machines.

Is there a security risk inherent in joining this web
server to the local domain?

Yes, if only by definition: we have added a layer of complexity to the
machine by joining it to the domain. There are security benefits to joining
the machine to a domain such as enforcing security policies, central
monitoring, or remote administration.

And If it is a member of the
domain is it possible for someone to gain access to the
Active directory info on that machine? How would I secure
it if so?

What are we trying to protect?

(A) The data on the SQL Server
(B) The Domain
(C) The Active Directory info on the machine
(D) The Machine

Presume (C) is compromised. Presume (D) has a LocalSystem command prompt
shoveled out to a remote attacker.

At this point, even in the scenario described, an experienced network admin
*might* prefer (D) was already within the local domain... or at least within
some domain.

Unfortunately, remote users (Domain Users with physical access) should be
able to get a command prompt running as LocalSystem (root) any day of the
week on any OS, not just Windows. Often some of them try.

Maybe the database on the SQL server is more important than compromised
Domain Administrator credentials?

So perhaps a step back is in order. Determine what needs protecting. Start
there.