[Last Call] Learn how to a build a cloud-first strategyRegister Now


Is there a secure way to run Internet services on a Windows 2003 domain controller?

Posted on 2006-07-12
Medium Priority
Last Modified: 2013-12-04
I would like to enable IIS (company intranet/extranet) and possibly Remote Access/VPN on a Windows 2003 domain controller. The server has two Nics and I would like one of them to face the Internet and the other to face the LAN. The NIC on the Internet could sit behind a PIX 501 if necessary. Is there a secure way to configure this type of setup or is it generally not done?
Question by:tomc3000
  • 3
  • 2
  • 2
  • +1
LVL 13

Expert Comment

ID: 17094475
If you have a PIX, then you do not require two NICs on your server.

Just NAT a public IP on PIX and your server will be accessible from internet.

Then you could open specific ports like port 80 for web server.

As for VPN, PIX can host VPN for you and clients from outside can access your internal network after connecting using VPN.

If you do not have a PIX then you need two NICs and safely put your server on internet. Just make sure you have defined access-list on your internet router so that no all ports are open.

Otherwise you can use Windows Firewall to defend your sever on internet.

Author Comment

ID: 17095541
Ok, I know I can forward ports as necessary, is this safe to do considering the ports are being directed to a Primary Domain Controller?
LVL 37

Expert Comment

ID: 17099006
at any time, only looking out one door or window is not enough for protecting a house. you may combine server means to protect your W2K3 server:

1. setup a hardware firewall between the internet and your DMZ
2. forward incoming traffic (port based) to internal server only as needed
3. disable unnecessary services on W2K3
4. disable unnecessary ports on the external adapter of W2K3 which stays on the same DMZ subnet as your firewall's LAN port, by either W2K3's built-in FW or a 3rd party one
5. disable guest account on PDC
6. enable strong password policy on PDC
7. disable remote desktop connection from internet IPs, as well as internal ones if necessary
8. enable audit on PDC, for both successful and unsucessful events
9. consider another DC as backup
10. backup the PDC timely
11. ... more and more, depends on your business requirements

hope it helps,
What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

LVL 13

Expert Comment

ID: 17099500
Well, as long as only port 80(HTTP) and 1723(GRE) is forwarded it will not have any problems.

This is very common with people using SBS. As its the only server which acts as DC, Web Server, Firewall, Exchange etc.

Keep your server fully patched and update your antivirus regularly and you should be ok.

LVL 12

Accepted Solution

Phil_Agcaoili earned 750 total points
ID: 17105956
That's a bad idea.

It's better to separate the functions to 2 machines.

One machine exposed to the Net with Remote Access/VPN or RDP enabled and then the second machine running whatever else that needs to be available for internal users AND protected.

You create a DMZ (3rd) leg off of the PIX where the Internet server is connected.
Lock down rules to that box from the Net, from the internal network, and what that server is allowed to do out of the DMZ. Make sure all unecessary services are turned off and the system is patched regularly (this should be easier since less is running on it). Consider running 2-factor authentication on this server since it's external facing.

The internal server can run whatever you need for it to run. Keep it patched and offer different authentication credentials than what is required for the DMZ server.

I hear about hacked systems all of the time with the configuration that you are proposing.
LVL 13

Assisted Solution

prashsax earned 750 total points
ID: 17106042
Phil what you are proposing is standard config, and indeed secure.

But what I was talking about was case of Microsoft SBS. Its a single machine which run everything for a domain.

And people does publish it using ISA Firewall.

So, all I am saying is that yes, people do publish their domain controller with two NICs, But its generally behind a firewall.

Since he has PIX, he can set this machine up behind the firewall.
The way to secure it to allow connection from outside on port 80. The domain controller itself should not be allowed to access internet. So no access from inside to outside on any port.
Rest is as I have already mentioned, Patch up the machine, Update AV, and it will remain secure.

LVL 12

Expert Comment

ID: 17108360
I hear what you are saying, I'm not a fan of running everything on one box which is what he is proposing ("enable IIS (company intranet/extranet) and possibly Remote Access/VPN on a Windows 2003 domain controller. The server has two Nics and I would like one of them to face the Internet and the other to face the LAN").

I say separate the functions, thinking inside machine (i.e. DC with 1 NIC) and outside remote access system (the Remote Access/VPN).

If the outside machine is compromised, he's not up the creek because only the outside machine has been lost.  His internal users can still work, safet and secure because the functions are separated.

I think it's best to look like this to mitigate the threat of a compromise:

     Remote Access/VPN (DMZ)

I'm with you on the patch, AV, and system hardening path.

The good news is that the DMZ system and the DC have more simplistic patching requirements now that applications like IIS are spread amongst several systems and patch testing is much simpler because there are less dependanices.

Again, just my $0.02

Author Comment

ID: 17124236
Thanks for the input.   I'll look into getting a separate server for the VPN/Remote access functionality as it seems this would be most secure.

Featured Post

New Tabletop Appliances Blow Competitors Away!

WatchGuard’s new T15, T35 and T55 tabletop UTMs provide the highest-performing security inspection in their class, allowing users at small offices, home offices and distributed enterprises to experience blazing-fast Internet speeds without sacrificing enterprise-grade security.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

No security measures warrant 100% as a "silver bullet". The truth is we also cannot assume anything but a defensive and vigilance posture. Adopt no trust by default and reveal in assumption. Only assume anonymity or invisibility in the reverse. Safe…
In a recent article here at Experts Exchange (http://www.experts-exchange.com/articles/18880/PaperPort-14-in-Windows-10-A-First-Look.html), I discussed my nine-month sandbox testing of the Windows 10 Technical Preview, specifically with respect to r…
This lesson discusses how to use a Mainform + Subforms in Microsoft Access to find and enter data for payments on orders. The sample data comes from a custom shop that builds and sells movable storage structures that are delivered to your property. …
Despite its rising prevalence in the business world, "the cloud" is still misunderstood. Some companies still believe common misconceptions about lack of security in cloud solutions and many misuses of cloud storage options still occur every day. …

831 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question