Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people, just like you, are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
Solved

Is there a secure way to run Internet services on a Windows 2003 domain controller?

Posted on 2006-07-12
8
239 Views
Last Modified: 2013-12-04
I would like to enable IIS (company intranet/extranet) and possibly Remote Access/VPN on a Windows 2003 domain controller. The server has two Nics and I would like one of them to face the Internet and the other to face the LAN. The NIC on the Internet could sit behind a PIX 501 if necessary. Is there a secure way to configure this type of setup or is it generally not done?
0
Comment
Question by:tomc3000
  • 3
  • 2
  • 2
  • +1
8 Comments
 
LVL 13

Expert Comment

by:prashsax
ID: 17094475
If you have a PIX, then you do not require two NICs on your server.

Just NAT a public IP on PIX and your server will be accessible from internet.

Then you could open specific ports like port 80 for web server.

As for VPN, PIX can host VPN for you and clients from outside can access your internal network after connecting using VPN.

If you do not have a PIX then you need two NICs and safely put your server on internet. Just make sure you have defined access-list on your internet router so that no all ports are open.

Otherwise you can use Windows Firewall to defend your sever on internet.
0
 

Author Comment

by:tomc3000
ID: 17095541
Ok, I know I can forward ports as necessary, is this safe to do considering the ports are being directed to a Primary Domain Controller?
0
 
LVL 37

Expert Comment

by:bbao
ID: 17099006
at any time, only looking out one door or window is not enough for protecting a house. you may combine server means to protect your W2K3 server:

1. setup a hardware firewall between the internet and your DMZ
2. forward incoming traffic (port based) to internal server only as needed
3. disable unnecessary services on W2K3
4. disable unnecessary ports on the external adapter of W2K3 which stays on the same DMZ subnet as your firewall's LAN port, by either W2K3's built-in FW or a 3rd party one
5. disable guest account on PDC
6. enable strong password policy on PDC
7. disable remote desktop connection from internet IPs, as well as internal ones if necessary
8. enable audit on PDC, for both successful and unsucessful events
9. consider another DC as backup
10. backup the PDC timely
11. ... more and more, depends on your business requirements

hope it helps,
bbao
0
U.S. Department of Agriculture and Acronis Access

With the new era of mobile computing, smartphones and tablets, wireless communications and cloud services, the USDA sought to take advantage of a mobilized workforce and the blurring lines between personal and corporate computing resources.

 
LVL 13

Expert Comment

by:prashsax
ID: 17099500
Well, as long as only port 80(HTTP) and 1723(GRE) is forwarded it will not have any problems.

This is very common with people using SBS. As its the only server which acts as DC, Web Server, Firewall, Exchange etc.

Keep your server fully patched and update your antivirus regularly and you should be ok.

0
 
LVL 12

Accepted Solution

by:
Phil_Agcaoili earned 250 total points
ID: 17105956
That's a bad idea.

It's better to separate the functions to 2 machines.

One machine exposed to the Net with Remote Access/VPN or RDP enabled and then the second machine running whatever else that needs to be available for internal users AND protected.

You create a DMZ (3rd) leg off of the PIX where the Internet server is connected.
Lock down rules to that box from the Net, from the internal network, and what that server is allowed to do out of the DMZ. Make sure all unecessary services are turned off and the system is patched regularly (this should be easier since less is running on it). Consider running 2-factor authentication on this server since it's external facing.

The internal server can run whatever you need for it to run. Keep it patched and offer different authentication credentials than what is required for the DMZ server.

I hear about hacked systems all of the time with the configuration that you are proposing.
0
 
LVL 13

Assisted Solution

by:prashsax
prashsax earned 250 total points
ID: 17106042
Phil what you are proposing is standard config, and indeed secure.

But what I was talking about was case of Microsoft SBS. Its a single machine which run everything for a domain.

And people does publish it using ISA Firewall.

So, all I am saying is that yes, people do publish their domain controller with two NICs, But its generally behind a firewall.

Since he has PIX, he can set this machine up behind the firewall.
The way to secure it to allow connection from outside on port 80. The domain controller itself should not be allowed to access internet. So no access from inside to outside on any port.
Rest is as I have already mentioned, Patch up the machine, Update AV, and it will remain secure.


0
 
LVL 12

Expert Comment

by:Phil_Agcaoili
ID: 17108360
I hear what you are saying, I'm not a fan of running everything on one box which is what he is proposing ("enable IIS (company intranet/extranet) and possibly Remote Access/VPN on a Windows 2003 domain controller. The server has two Nics and I would like one of them to face the Internet and the other to face the LAN").

I say separate the functions, thinking inside machine (i.e. DC with 1 NIC) and outside remote access system (the Remote Access/VPN).

If the outside machine is compromised, he's not up the creek because only the outside machine has been lost.  His internal users can still work, safet and secure because the functions are separated.

I think it's best to look like this to mitigate the threat of a compromise:

     Remote Access/VPN (DMZ)
                    |
                    |
Internet------PIX------SBS/DC

I'm with you on the patch, AV, and system hardening path.

The good news is that the DMZ system and the DC have more simplistic patching requirements now that applications like IIS are spread amongst several systems and patch testing is much simpler because there are less dependanices.

Again, just my $0.02
0
 

Author Comment

by:tomc3000
ID: 17124236
Thanks for the input.   I'll look into getting a separate server for the VPN/Remote access functionality as it seems this would be most secure.
0

Featured Post

Free Tool: IP Lookup

Get more info about an IP address or domain name, such as organization, abuse contacts and geolocation.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Article by: btan
The intent is not to repeat what many has know about Ransomware but more to join its dots of what is it, who are the victims, why it exists, when and how we respond on infection. Lastly, sum up in a glance to share such information with more to help…
Container Orchestration platforms empower organizations to scale their apps at an exceptional rate. This is the reason numerous innovation-driven companies are moving apps to an appropriated datacenter wide platform that empowers them to scale at a …
In a recent question (https://www.experts-exchange.com/questions/29004105/Run-AutoHotkey-script-directly-from-Notepad.html) here at Experts Exchange, a member asked how to run an AutoHotkey script (.AHK) directly from Notepad++ (aka NPP). This video…

839 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question