Solved

Is there a secure way to run Internet services on a Windows 2003 domain controller?

Posted on 2006-07-12
Last Modified: 2013-12-04
I would like to enable IIS (company intranet/extranet) and possibly Remote Access/VPN on a Windows 2003 domain controller. The server has two NICs, and I would like one of them to face the Internet and the other to face the LAN. The NIC on the Internet could sit behind a PIX 501 if necessary. Is there a secure way to configure this type of setup, or is it generally not done?
Question by: tomc3000
8 Comments
 
LVL 13

Expert Comment

by:prashsax
ID: 17094475
If you have a PIX, then you do not require two NICs on your server.

Just NAT a public IP on the PIX and your server will be accessible from the Internet.

Then you could open specific ports, like port 80 for the web server.

As for VPN, the PIX can host the VPN for you, and clients from outside can access your internal network after connecting using the VPN.

If you do not have a PIX, then you need two NICs to safely put your server on the Internet. Just make sure you have defined an access-list on your Internet router so that not all ports are open.

Otherwise you can use Windows Firewall to defend your server on the Internet.
 

Author Comment

by:tomc3000
ID: 17095541
Ok, I know I can forward ports as necessary, but is this safe to do considering the ports are being directed to a primary domain controller?
 
LVL 37

Expert Comment

by:bbao
ID: 17099006
At any time, only looking out of one door or window is not enough to protect a house. You may combine several means to protect your W2K3 server:

1. setup a hardware firewall between the Internet and your DMZ
2. forward incoming traffic (port based) to the internal server only as needed
3. disable unnecessary services on W2K3
4. disable unnecessary ports on the external adapter of W2K3, which stays on the same DMZ subnet as your firewall's LAN port, by either W2K3's built-in FW or a 3rd-party one
5. disable the guest account on the PDC
6. enable a strong password policy on the PDC
7. disable remote desktop connection from Internet IPs, as well as internal ones if necessary
8. enable audit on the PDC, for both successful and unsuccessful events
9. consider another DC as backup
10. back up the PDC in a timely manner
11. ... more and more, depending on your business requirements

hope it helps,
bbao
 
LVL 13

Expert Comment

by:prashsax
ID: 17099500
Well, as long as only port 80 (HTTP) and 1723 (GRE) are forwarded, it will not have any problems.

This is very common with people using SBS, as it's the only server, and it acts as DC, web server, firewall, Exchange, etc.

Keep your server fully patched and update your antivirus regularly and you should be ok.
 
LVL 12

Accepted Solution

by: Phil_Agcaoili (earned 750 total points)
ID: 17105956
That's a bad idea.

It's better to separate the functions to 2 machines.

One machine exposed to the Net with Remote Access/VPN or RDP enabled, and then the second machine running whatever else needs to be available for internal users AND protected.

You create a DMZ (3rd) leg off of the PIX where the Internet server is connected.
Lock down rules to that box from the Net, from the internal network, and what that server is allowed to do out of the DMZ. Make sure all unnecessary services are turned off and the system is patched regularly (this should be easier since less is running on it). Consider running 2-factor authentication on this server since it's external facing.

The internal server can run whatever you need it to run. Keep it patched and use different authentication credentials than what is required for the DMZ server.

I hear about hacked systems all of the time with the configuration that you are proposing.
 
LVL 13

Assisted Solution

by: prashsax (earned 750 total points)
ID: 17106042
Phil, what you are proposing is a standard config, and indeed secure.

But what I was talking about was the case of Microsoft SBS. It's a single machine which runs everything for a domain.

And people do publish it using ISA Firewall.

So, all I am saying is that yes, people do publish their domain controller with two NICs, but it's generally behind a firewall.

Since he has a PIX, he can set this machine up behind the firewall.
The way to secure it is to allow connections from outside on port 80. The domain controller itself should not be allowed to access the Internet, so no access from inside to outside on any port.
The rest is as I have already mentioned: patch up the machine, update AV, and it will remain secure.
 
LVL 12

Expert Comment

by:Phil_Agcaoili
ID: 17108360
I hear what you are saying; I'm not a fan of running everything on one box, which is what he is proposing ("enable IIS (company intranet/extranet) and possibly Remote Access/VPN on a Windows 2003 domain controller. The server has two Nics and I would like one of them to face the Internet and the other to face the LAN").

I say separate the functions, thinking of an inside machine (i.e., DC with 1 NIC) and an outside remote access system (the Remote Access/VPN).

If the outside machine is compromised, he's not up the creek because only the outside machine has been lost. His internal users can still work, safe and secure, because the functions are separated.

I think it's best to look like this to mitigate the threat of a compromise:

     Remote Access/VPN (DMZ)
                    |
                    |
Internet------PIX------SBS/DC

I'm with you on the patch, AV, and system hardening path.

The good news is that the DMZ system and the DC have simpler patching requirements now that applications like IIS are spread amongst several systems, and patch testing is much simpler because there are fewer dependencies.

Again, just my $0.02
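Added example, not written by any of the commenters above: the two designs argued over in this thread, prashsax's single published DC (a static NAT plus a port-80 rule, with the DC barred from going out) and Phil_Agcaoili's DMZ leg for the VPN host, both come down to PIX statics and access-lists, so they can be checked mechanically. The script below parses a small subset of PIX 6.x syntax (`static`, `access-list` with `any`/`host` and `eq`, `access-group`), works out which internal hosts the Internet can reach, and flags a domain controller that is reachable or that can initiate outbound connections. The two configs, the addresses and the `dmz` interface are constructed for the example; the second config assumes a PIX model with a third interface.

```python
# Added example: audit a PIX 6.x-style config for what the Internet can reach and
# flag a domain controller that is exposed or allowed out.  Sample configs and
# addresses are constructed for this page; this is not Cisco tooling.
import re

PORT_NAMES = {"www": 80, "http": 80, "https": 443, "pptp": 1723}   # "eq" keywords
# TCP ports of domain-controller services and RDP: reachable from the Internet
# is exactly the exposure the thread warns about.
DC_PORTS = {88, 135, 139, 389, 445, 464, 636, 3268, 3269, 3389}

STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+) netmask (\S+)$")
ACL_RE = re.compile(r"^access-list (\S+) (permit|deny) (\S+) "
                    r"(any|host \S+) (any|host \S+)(?: eq (\S+))?$")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\w+)$")

def parse_pix(text):
    """Collect statics (global -> (local, iface)), ACL rules in order, bindings."""
    cfg = {"statics": {}, "acls": {}, "groups": {}}
    for line in text.strip().splitlines():
        line = line.strip()
        if m := STATIC_RE.match(line):
            local_if, _global_if, gip, lip, _mask = m.groups()
            cfg["statics"][gip] = (lip, local_if)
        elif m := ACL_RE.match(line):
            name, action, proto, src, dst, port = m.groups()
            if port is not None:          # "eq www" or "eq 3389"; None for gre/ip
                port = int(port) if port.isdigit() else PORT_NAMES[port]
            cfg["acls"].setdefault(name, []).append(
                {"action": action, "proto": proto, "src": src, "dst": dst, "port": port})
        elif m := GROUP_RE.match(line):
            name, iface = m.groups()
            cfg["groups"][iface] = name
    return cfg

def exposed_services(cfg):
    """Internal host -> {(proto, port)} reachable from the Internet: walk the ACL
    bound inbound on 'outside' and resolve each destination through the statics."""
    exposed = {}
    for rule in cfg["acls"].get(cfg["groups"].get("outside"), []):
        if rule["action"] != "permit" or not rule["dst"].startswith("host "):
            continue
        gip = rule["dst"].split()[1]
        if gip in cfg["statics"]:             # without a static nothing inside answers
            lip, _iface = cfg["statics"][gip]
            exposed.setdefault(lip, set()).add((rule["proto"], rule["port"]))
    return exposed

def outbound_allowed(cfg, host):
    """Can 'host' open connections to the Internet?  No ACL bound on 'inside'
    means the PIX permits inside->outside; with one bound, first match wins and
    anything unmatched hits the implicit deny at the end."""
    if "inside" not in cfg["groups"]:
        return True
    for rule in cfg["acls"].get(cfg["groups"]["inside"], []):
        if rule["src"] in ("any", f"host {host}") and rule["dst"] == "any":
            return rule["action"] == "permit"
    return False

def audit(text, dc_hosts):
    """(severity, message) findings; [] means no DC is reachable from the
    Internet and none can initiate connections to it."""
    cfg = parse_pix(text)
    findings = []
    for host, services in exposed_services(cfg).items():
        if host in dc_hosts:
            for proto, port in sorted(services, key=str):
                if proto == "ip" or (proto == "tcp" and port in DC_PORTS):
                    findings.append(("high", f"{host}: DC service {proto}/{port} reachable from the Internet"))
                else:
                    findings.append(("medium", f"{host}: DC publishes {proto}/{port}; move this service off the DC"))
    for host in sorted(dc_hosts):
        if outbound_allowed(cfg, host):
            findings.append(("medium", f"{host}: DC may initiate connections to the Internet"))
    return findings

# Constructed sample 1, the setup from the question: the DC gets a public address
# with HTTP, RDP and SMB forwarded to it, and nothing stops it reaching out.
SINGLE_DC = """
static (inside,outside) 203.0.113.10 10.0.0.5 netmask 255.255.255.255
access-list outside_in permit tcp any host 203.0.113.10 eq www
access-list outside_in permit tcp any host 203.0.113.10 eq 3389
access-list outside_in permit tcp any host 203.0.113.10 eq 445
access-group outside_in in interface outside
"""

# Constructed sample 2, the split design, assuming a PIX with a third (dmz)
# interface: only the VPN host in the DMZ is published (PPTP control port plus
# GRE) and an inside ACL blocks the DC from the Internet but lets the LAN out.
SPLIT_DMZ = """
static (dmz,outside) 203.0.113.20 192.168.100.10 netmask 255.255.255.255
access-list outside_in permit tcp any host 203.0.113.20 eq pptp
access-list outside_in permit gre any host 203.0.113.20
access-group outside_in in interface outside
access-list inside_out deny ip host 10.0.0.5 any
access-list inside_out permit ip any any
access-group inside_out in interface inside
"""

if __name__ == "__main__":
    for label, text in (("single DC", SINGLE_DC), ("split DMZ", SPLIT_DMZ)):
        print(label, audit(text, {"10.0.0.5"}) or "no findings")
```

Run stand-alone, it reports four findings for the first config (RDP and SMB reachable on the DC, HTTP served from the DC, and unrestricted outbound access) and none for the second. The checker is deliberately narrow: it does not model object-groups, port ranges, `nat 0` exemptions or port-redirecting statics, so it is a sanity check on a design, not a substitute for reviewing the full rule set.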
 

Author Comment

by:tomc3000
ID: 17124236
Thanks for the input.   I'll look into getting a separate server for the VPN/Remote access functionality as it seems this would be most secure.

Question has a verified solution.
