Win2k and one-way trusts

  • Thread starter Thread starter LCI
  • Start date Start date
L

LCI

I need to the ability to authenticate domain users in my DMZ, and I am
not overly thrilled with the idea of an internet facing system having
direct access into the domain if I can avoid it. So I was thinking about
building a small domain in the DMZ and setting up a one way trust
between my primary domain and it. (dmz trusts the domain, the domain
does not trust the dmz). That way I can setup the DMZ domain controller
in the DMZ but not make in publicly accessable and I don't mind opening
up ports like 135 if I have to. Does anyone have any experience doing
anything like this or have a better suggestion? I realize that my
one-way trust concept is somewhat rooted in NT4 but I haven't yet
figured out the AD terminology/techniques that I need, os any help there
would be great as well. TIA.

--Jared
 
I have never tried that but a couple thoughts. You can create one way explicit
trusts if the domains are in different forests. Having different domains will
allow different account policies. If you decide to not use a second domain, you
can further harden the domain machines in the dmz by adding the administrators
group to the deny access to this computer from the network for administrators
and log onto it locally to manage it or temporarily change the policy. Passprop
can also be used to enable the administrator account to be locked out from
network logon which should also be renamed. Disable file and print sharing and
other unnecessary services on it and make sure that number of logons to cache is
set to zero in Local Security Policy effective settings. Changing some security
options on it such as changing additional restrictions to anonymous connections
to no access without explicit anonymous connections [if it does not cause
problems with authorized clients], setting digitally sign communications
client/server to always, changing lan manager authentication level to use ntlmv2
only refuse lm and ntlm, and removing the users/everyone group from access the
computer from the network and replacing it with authenticated users [a user
right assignment]. Most of those security options would be applied by
importing the highsecws.inf template with the exception of cached logons.
Depending on the machines in your domain, some of those changes may cause
problems with domain machines, particularly if you have W9X or NT4.0 machines.
Of course enabling auditing and monitoring security log is a good idea. ---
Steve

http://support.microsoft.com/default.aspx?kbid=309689
http://www.jsiinc.com/SUBI/tip4300/rh4315.htm
 
Back
Top