tomc3000
asked on
Is there a secure way to run Internet services on a Windows 2003 domain controller?
I would like to enable IIS (company intranet/extranet) and possibly Remote Access/VPN on a Windows 2003 domain controller. The server has two Nics and I would like one of them to face the Internet and the other to face the LAN. The NIC on the Internet could sit behind a PIX 501 if necessary. Is there a secure way to configure this type of setup or is it generally not done?
ASKER
Ok, I know I can forward ports as necessary, is this safe to do considering the ports are being directed to a Primary Domain Controller?
at any time, only looking out one door or window is not enough for protecting a house. you may combine server means to protect your W2K3 server:
1. setup a hardware firewall between the internet and your DMZ
2. forward incoming traffic (port based) to internal server only as needed
3. disable unnecessary services on W2K3
4. disable unnecessary ports on the external adapter of W2K3 which stays on the same DMZ subnet as your firewall's LAN port, by either W2K3's built-in FW or a 3rd party one
5. disable guest account on PDC
6. enable strong password policy on PDC
7. disable remote desktop connection from internet IPs, as well as internal ones if necessary
8. enable audit on PDC, for both successful and unsucessful events
9. consider another DC as backup
10. backup the PDC timely
11. ... more and more, depends on your business requirements
hope it helps,
bbao
1. setup a hardware firewall between the internet and your DMZ
2. forward incoming traffic (port based) to internal server only as needed
3. disable unnecessary services on W2K3
4. disable unnecessary ports on the external adapter of W2K3 which stays on the same DMZ subnet as your firewall's LAN port, by either W2K3's built-in FW or a 3rd party one
5. disable guest account on PDC
6. enable strong password policy on PDC
7. disable remote desktop connection from internet IPs, as well as internal ones if necessary
8. enable audit on PDC, for both successful and unsucessful events
9. consider another DC as backup
10. backup the PDC timely
11. ... more and more, depends on your business requirements
hope it helps,
bbao
Well, as long as only port 80(HTTP) and 1723(GRE) is forwarded it will not have any problems.
This is very common with people using SBS. As its the only server which acts as DC, Web Server, Firewall, Exchange etc.
Keep your server fully patched and update your antivirus regularly and you should be ok.
This is very common with people using SBS. As its the only server which acts as DC, Web Server, Firewall, Exchange etc.
Keep your server fully patched and update your antivirus regularly and you should be ok.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
I hear what you are saying, I'm not a fan of running everything on one box which is what he is proposing ("enable IIS (company intranet/extranet) and possibly Remote Access/VPN on a Windows 2003 domain controller. The server has two Nics and I would like one of them to face the Internet and the other to face the LAN").
I say separate the functions, thinking inside machine (i.e. DC with 1 NIC) and outside remote access system (the Remote Access/VPN).
If the outside machine is compromised, he's not up the creek because only the outside machine has been lost. His internal users can still work, safet and secure because the functions are separated.
I think it's best to look like this to mitigate the threat of a compromise:
Remote Access/VPN (DMZ)
|
|
Internet------PIX------SBS
I'm with you on the patch, AV, and system hardening path.
The good news is that the DMZ system and the DC have more simplistic patching requirements now that applications like IIS are spread amongst several systems and patch testing is much simpler because there are less dependanices.
Again, just my $0.02
I say separate the functions, thinking inside machine (i.e. DC with 1 NIC) and outside remote access system (the Remote Access/VPN).
If the outside machine is compromised, he's not up the creek because only the outside machine has been lost. His internal users can still work, safet and secure because the functions are separated.
I think it's best to look like this to mitigate the threat of a compromise:
Remote Access/VPN (DMZ)
|
|
Internet------PIX------SBS
I'm with you on the patch, AV, and system hardening path.
The good news is that the DMZ system and the DC have more simplistic patching requirements now that applications like IIS are spread amongst several systems and patch testing is much simpler because there are less dependanices.
Again, just my $0.02
ASKER
Thanks for the input. I'll look into getting a separate server for the VPN/Remote access functionality as it seems this would be most secure.
Just NAT a public IP on PIX and your server will be accessible from internet.
Then you could open specific ports like port 80 for web server.
As for VPN, PIX can host VPN for you and clients from outside can access your internal network after connecting using VPN.
If you do not have a PIX then you need two NICs and safely put your server on internet. Just make sure you have defined access-list on your internet router so that no all ports are open.
Otherwise you can use Windows Firewall to defend your sever on internet.