
DMZ Domain

On Mon, 13 Apr 2009 11:46:47 -0700, Steve Goddard <...@discussions.microsoft.com

Hey Guys,

I've always worked with a DMZ domain but after reading into my MCSE stuff I
find a strong case for creating and managing the one domain.

The more I think about it, I just think that the DMZ doesn't have a case
for separation. High security can be applied by GPOs on that OU, domain
admin accounts should already be secured by policy, and we should all use
secondary non-admin accounts for any machine.

I'm just interested to hear any comments on this: is there any point to a
second domain when you can easily secure and manage the one domain?

Steve.

--
Steve G.
MCSA 2003 +M



On Mon, 13 Apr 2009 18:56:07 +0000 (UTC), Meinolf Weber [MVP-DS] <...@gmx.de

Hello Steve,

In a DMZ you should place servers like web servers or mail servers, which
are also accessible from outside your network (Internet). So even if they
are compromised, the internal network is secured.

The domain internally you can secure with GPOs and by carefully handing out
accounts with administrative permissions. You can also apply security templates
on all machines, either self-created ones or some of the included templates.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


On Mon, 13 Apr 2009 12:39:19 -0700, Steve Goddard <...@discussions.microsoft.com

Thanks for your response. I appreciate that you place in the DMZ domain the servers
that are exposed to the internet, but I wonder how exactly we are more
secure? We've probably opened the ports and traffic types to allow DCs in
the DMZ through to the unsecured network, or, if we've placed DCs only in the
unsecured domain, then we've opened the servers to communicate with the DCs.

So if any server is hacked, then it's plausible that each server can lead to
the DC and from there back to the unsecured network. Do we gain anything by
creating a domain for the DMZ?

--
Steve G.
MCSA 2003 +M


On Mon, 13 Apr 2009 19:50:49 +0000 (UTC), Meinolf Weber [MVP-DS] <...@gmx.de

Hello Steve,

If possible, do not place DCs in a DMZ.

See also here:
http://searchsecurity.techtarget.com/expert/KnowledgebaseAnswer/0,289625,sid14_gci1320952,00.html

http://articles.techrepublic.com.com/5100-22_11-5238083.html

See "Windows 2000 domain controller hardening "
http://technet.microsoft.com/en-us/library/cc750019.aspx

Also an option is to use Windows Server 2008 RODCs in the future for a DMZ.
Unfortunately the "How to" is not ready yet, but it will come.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
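The RODC option Meinolf raises has since gained a scripted deployment path. The following is an added example, not code from the thread or from any of its posters, showing how a read-only DC for a DMZ site would be staged with a restrictive Password Replication Policy (PRP), promoted from the DMZ host with a delegated account rather than a Domain Admin, and then checked for which account secrets it has actually cached. It uses the ADDSDeployment and ActiveDirectory modules (Windows Server 2012 or later, so newer than the 2008 RODC discussed above). The domain, site, host and group names are assumptions.

```powershell
# Added example (not from the thread): stage, promote and audit a DMZ RODC.
# Assumed names throughout; replace with your own.

$Domain       = 'corp.example.com'
$RodcName     = 'DMZ-RODC1'
$SiteName     = 'DMZ'
$RodcAdmins   = 'CORP\DMZ-RODC-Admins'         # assumed group: local admins on the RODC only
$CacheAllowed = 'CORP\DMZ-Service-Accounts'    # assumed group: the only secrets the RODC may cache
$NeverCache   = @('CORP\Domain Admins', 'CORP\Enterprise Admins', 'CORP\Administrators',
                  'CORP\Schema Admins', 'CORP\Account Operators')

# Step 1, on the internal network as a Domain Admin: pre-create the RODC computer
# account. Doing this inside means no Domain Admin credential is ever typed in the DMZ.
Add-ADDSReadOnlyDomainControllerAccount `
    -DomainControllerAccountName $RodcName `
    -DomainName $Domain `
    -SiteName $SiteName `
    -DelegatedAdministratorAccountName $RodcAdmins `
    -AllowPasswordReplicationAccountName @($CacheAllowed) `
    -DenyPasswordReplicationAccountName $NeverCache `
    -Credential (Get-Credential -Message 'Domain Admin for staging')

# Step 2, on the DMZ host as a member of $RodcAdmins: attach to the staged account.
# Site, RODC flag and PRP come from the account created in step 1.
Install-ADDSDomainController `
    -DomainName $Domain `
    -UseExistingAccount `
    -InstallDns `
    -SafeModeAdministratorPassword (Read-Host -AsSecureString -Prompt 'DSRM password') `
    -Credential (Get-Credential -Message 'Delegated RODC admin')

# Step 3, back inside: which privileged secrets, if any, has the RODC been handed?
function Get-RodcRevealedPrivileged {
    param(
        [string]$Rodc,
        [string[]]$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Administrators')
    )
    # Every account whose password hash has been replicated to this RODC. If one of
    # them is privileged, a DMZ compromise is a domain compromise: reset the account
    # and fix the PRP before anything else.
    Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts |
        ForEach-Object {
            $groups = Get-ADPrincipalGroupMembership -Identity $_ |
                      Select-Object -ExpandProperty Name
            if ($groups | Where-Object { $PrivilegedGroups -contains $_ }) { $_ }
        }
}

# Allowed list as configured, then the audit.
Get-ADDomainControllerPasswordReplicationPolicy -Identity $RodcName -Allowed |
    Select-Object SamAccountName
Get-RodcRevealedPrivileged -Rodc $RodcName
```

The deny list takes precedence over the allow list, so placing the built-in admin groups in it is what keeps a DMZ foothold from turning into cached Domain Admin hashes. Note what this does not change: the RODC still initiates replication to a writable DC inside, and writes from DMZ applications are referred inward, so the perimeter firewall still has holes through it, which is exactly the reservation Steve raises later in the thread.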


On Mon, 13 Apr 2009 13:10:34 -0700, Steve Goddard <...@discussions.microsoft.com

Thanks Meinolf,

Yes, the read-only DC is a new option that I think does in fact make a DMZ a
workable option. I admit I haven't yet started 2008 design or study; I
presume we need a standard read/write DC somewhere on that domain.

So that brings me back to the design of a read/write DC and FSMO domain
roles on the other side of the firewall and a read-only DC in the DMZ? Does
that sound secure? We still have ports open through the firewall, but it's the
most secure design I can think of.

Steve.

--
Steve G.
MCSA 2003 +M


On Mon, 13 Apr 2009 20:33:45 +0000 (UTC), Meinolf Weber [MVP-DS] <...@gmx.de

Hello Steve,

It sounds more secure with an RODC, yes. But the most secure way is still to
avoid this kind of configuration.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


On Mon, 13 Apr 2009 17:13:45 -0400, "Ace Fekay [Microsoft Certified Trainer]" <...@mvps.RemoveThisPart.org

"Meinolf Weber [MVP-DS]" <...@msnews.microsoft.com...

I must agree.

Ace


On Mon, 13 Apr 2009 15:44:49 -0400, "Ace Fekay [Microsoft Certified Trainer]" <...@mvps.RemoveThisPart.org

"Steve Goddard" <...@microsoft.com...

Hello Steve,

Do you realize how many ports DC/domain communication requires? There are 29
ports plus the ephemeral Windows response ports (UDP 1024 - 5000) that need
to be opened. I wouldn't suggest such a design. In any design for a DMZ, I
like to lean on machines that are not joined to a domain. If you use
Exchange, you can put an Edge server in the DMZ and just create port 25
rules for communication between the Edge and the internal Hub.

I usually like to take the KISS method, trying to achieve the most secure
design in such a scenario. Placing an AD domain complicates it and makes it
more difficult to track and audit.

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSA Messaging, MCT
Microsoft Certified Trainer
acem...@mvps.RemoveThisPart.org

For urgent issues, you may want to contact Microsoft PSS directly. Please
check http://support.microsoft.com for regional support phone numbers.


On Mon, 13 Apr 2009 13:00:50 -0700, Steve Goddard <...@discussions.microsoft.com

I've found that problem, and I suppose that's one of the reasons why I put the
post here. It's a strand of a thought: a server in the DMZ with no affiliation
to a domain seems like the only secure method, but the trade-off is the
complete lack of management via a domain.

I'm aware of the flexible range of ports required to get a server to talk to
a DC. The quick solution is to put a DC in the DMZ, but I wondered if at that
point you shouldn't bother and just have the one domain.

Apologies if I'm rambling; it's a topic that I would love to debate with
real-life varied experiences other than my own.

Steve

--
Steve G.
MCSA 2003 +M


On Mon, 13 Apr 2009 17:44:17 -0400, "Ace Fekay [Microsoft Certified Trainer]" <...@mvps.RemoveThisPart.org

"Steve Goddard" <...@microsoft.com...

No apologies needed, Steve. I understand trying to create a more versatile
solution, and trying to take into account all options, but a domain or a DC
in a DMZ is normally not a 'best practice' recommended by anyone. Just keep
with the one domain internally and put your web and other non-domain
machines offering outside access into the DMZ.

Curious, what stipulations does your design have to require such a scenario?

Ace


On Mon, 13 Apr 2009 15:49:16 -0500, "Paul Bergson [MVP-DS]" <...@nopspam_msn.com

There is the option to use IPsec between this server and a DC, thereby
reducing the open-port count to 2.

I will be honest, I have never tested this and have only read documents on it, but
it is another option and I have heard it works well.
http://blog.studiographic.nl/?p=193

--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup This
posting is provided "AS IS" with no warranties, and confers no rights.

"Steve Goddard" <...@microsoft.com...

On Mon, 13 Apr 2009 17:48:46 -0400, "Ace Fekay [Microsoft Certified Trainer]" <...@mvps.RemoveThisPart.org

"Paul Bergson [MVP-DS]" <...@microsoft.com...

I've actually tested this in classroom scenarios using my own Cisco PIX and
it works fine. The ports that would need to be open for L2TP/IPsec (assuming
you are referring to an L2TP tunnel), IIRC, would actually be 4. I guess if
there is no tunnel, then it would be 3 (minus the 1701 for the tunnel).

TCP 1701 (for L2TP)
UDP 500 (for the SA or ISAKMP)
Protocol ID 50 (for ESP)
Protocol ID 51 (for AH)

Ace
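Paul's IPsec suggestion and Ace's port list describe the same idea from two sides: wrap all DC traffic in IPsec so the perimeter firewall only has to pass the IPsec protocols themselves. The following is an added example, not code from the thread or from any of its posters, showing how that looks with the Windows Firewall with Advanced Security cmdlets (NetSecurity module, Windows Server 2012 or later) in transport mode rather than an L2TP tunnel, with certificate rather than pre-shared-key authentication, plus a check that the security associations actually formed. The addresses, CA name and the SA property names used in the check are assumptions.

```powershell
# Added example (not from the thread): force all traffic between a DMZ member server
# and one internal DC through IPsec transport mode, so the DMZ firewall only needs
# IKE (UDP 500), IPsec NAT-T (UDP 4500, if a NAT sits between) and ESP (IP protocol 50)
# between these two addresses, rather than the RPC/LDAP/Kerberos/SMB list plus the
# ephemeral range. Run on the DMZ server; apply the same rules with the addresses
# swapped on the DC, otherwise the DC will not negotiate and traffic is dropped.

$DmzServer  = '192.0.2.10'                      # assumed: DMZ web server
$InternalDc = '10.0.0.5'                        # assumed: internal writable DC
$IssuingCa  = 'CN=Corp Issuing CA, O=Example'   # assumed: CA that issued both machine certs

# Phase 1 (main mode): machine-certificate authentication from our CA. A pre-shared
# key would also work, but a compromised DMZ host could read and reuse it, so a
# per-machine certificate that can be revoked is the better choice here.
$proposal = New-NetIPsecAuthProposal -Machine -Cert -Authority $IssuingCa -AuthorityType Root
$phase1   = New-NetIPsecPhase1AuthSet -DisplayName 'DMZ-DC machine cert' -Proposal $proposal

# Connection security rule: every packet between the two hosts must be IPsec-protected
# in both directions; unprotected traffic from the DC is discarded, not just logged.
New-NetIPsecRule -DisplayName 'DMZ web <-> DC: require IPsec' `
    -LocalAddress $DmzServer -RemoteAddress $InternalDc `
    -Protocol Any -Mode Transport `
    -InboundSecurity Require -OutboundSecurity Require `
    -Phase1AuthSet $phase1.Name

# Firewall rule: accept inbound traffic from the DC only if it arrived authenticated
# by IPsec. With the profile's default inbound action left at Block, nothing else from
# the internal range reaches this host.
New-NetFirewallRule -DisplayName 'DC traffic: allow only if IPsec-authenticated' `
    -Direction Inbound -RemoteAddress $InternalDc -Protocol Any `
    -Authentication Required -Action Allow

# Check: after the server has talked to the DC (e.g. nltest /sc_verify:corp.example.com),
# both a main-mode and a quick-mode SA should exist towards the DC. The property name
# RemoteEndpoint is assumed to match what the SA cmdlets report.
function Test-DcIpsecSession {
    param([string]$Dc = $InternalDc)
    $mm = @(Get-NetIPsecMainModeSA  | Where-Object { $_.RemoteEndpoint -eq $Dc })
    $qm = @(Get-NetIPsecQuickModeSA | Where-Object { $_.RemoteEndpoint -eq $Dc })
    [pscustomobject]@{
        DC           = $Dc
        MainModeSAs  = $mm.Count
        QuickModeSAs = $qm.Count
        Protected    = ($mm.Count -gt 0 -and $qm.Count -gt 0)
    }
}
Test-DcIpsecSession
```

Two things worth keeping in mind when reading the perimeter rule set against Ace's list: Windows' default quick-mode proposals use ESP (protocol 50) for integrity and encryption, so AH (protocol 51) is only needed if you deliberately select an AH proposal, and ESP is stateless from the firewall's point of view, so if the DMZ firewall performs NAT you will be relying on the UDP 4500 encapsulation instead. What IPsec does not change is the trust: the DMZ host still holds a domain machine account and a full RPC/LDAP/Kerberos path to the DC, only now inside the tunnel, so a compromise of that host is still an authenticated foothold against the DC. That is why the advice in this thread still lands on non-domain-joined DMZ hosts where the design allows it.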

