Solved

Is there a secure way to run Internet services on a Windows 2003 domain controller?

Posted on 2006-07-12
8
238 Views
Last Modified: 2013-12-04
I would like to enable IIS (company intranet/extranet) and possibly Remote Access/VPN on a Windows 2003 domain controller. The server has two Nics and I would like one of them to face the Internet and the other to face the LAN. The NIC on the Internet could sit behind a PIX 501 if necessary. Is there a secure way to configure this type of setup or is it generally not done?
0
Comment
Question by:tomc3000
  • 3
  • 2
  • 2
  • +1
8 Comments
 
LVL 13

Expert Comment

by:prashsax
ID: 17094475
If you have a PIX, then you do not require two NICs on your server.

Just NAT a public IP on PIX and your server will be accessible from internet.

Then you could open specific ports like port 80 for web server.

As for VPN, PIX can host VPN for you and clients from outside can access your internal network after connecting using VPN.

If you do not have a PIX then you need two NICs and safely put your server on internet. Just make sure you have defined access-list on your internet router so that no all ports are open.

Otherwise you can use Windows Firewall to defend your sever on internet.
0
 

Author Comment

by:tomc3000
ID: 17095541
Ok, I know I can forward ports as necessary, is this safe to do considering the ports are being directed to a Primary Domain Controller?
0
 
LVL 37

Expert Comment

by:bbao
ID: 17099006
at any time, only looking out one door or window is not enough for protecting a house. you may combine server means to protect your W2K3 server:

1. setup a hardware firewall between the internet and your DMZ
2. forward incoming traffic (port based) to internal server only as needed
3. disable unnecessary services on W2K3
4. disable unnecessary ports on the external adapter of W2K3 which stays on the same DMZ subnet as your firewall's LAN port, by either W2K3's built-in FW or a 3rd party one
5. disable guest account on PDC
6. enable strong password policy on PDC
7. disable remote desktop connection from internet IPs, as well as internal ones if necessary
8. enable audit on PDC, for both successful and unsucessful events
9. consider another DC as backup
10. backup the PDC timely
11. ... more and more, depends on your business requirements

hope it helps,
bbao
0
Ransomware: The New Cyber Threat & How to Stop It

This infographic explains ransomware, type of malware that blocks access to your files or your systems and holds them hostage until a ransom is paid. It also examines the different types of ransomware and explains what you can do to thwart this sinister online threat.  

 
LVL 13

Expert Comment

by:prashsax
ID: 17099500
Well, as long as only port 80(HTTP) and 1723(GRE) is forwarded it will not have any problems.

This is very common with people using SBS. As its the only server which acts as DC, Web Server, Firewall, Exchange etc.

Keep your server fully patched and update your antivirus regularly and you should be ok.

0
 
LVL 12

Accepted Solution

by:
Phil_Agcaoili earned 250 total points
ID: 17105956
That's a bad idea.

It's better to separate the functions to 2 machines.

One machine exposed to the Net with Remote Access/VPN or RDP enabled and then the second machine running whatever else that needs to be available for internal users AND protected.

You create a DMZ (3rd) leg off of the PIX where the Internet server is connected.
Lock down rules to that box from the Net, from the internal network, and what that server is allowed to do out of the DMZ. Make sure all unecessary services are turned off and the system is patched regularly (this should be easier since less is running on it). Consider running 2-factor authentication on this server since it's external facing.

The internal server can run whatever you need for it to run. Keep it patched and offer different authentication credentials than what is required for the DMZ server.

I hear about hacked systems all of the time with the configuration that you are proposing.
0
 
LVL 13

Assisted Solution

by:prashsax
prashsax earned 250 total points
ID: 17106042
Phil what you are proposing is standard config, and indeed secure.

But what I was talking about was case of Microsoft SBS. Its a single machine which run everything for a domain.

And people does publish it using ISA Firewall.

So, all I am saying is that yes, people do publish their domain controller with two NICs, But its generally behind a firewall.

Since he has PIX, he can set this machine up behind the firewall.
The way to secure it to allow connection from outside on port 80. The domain controller itself should not be allowed to access internet. So no access from inside to outside on any port.
Rest is as I have already mentioned, Patch up the machine, Update AV, and it will remain secure.


0
 
LVL 12

Expert Comment

by:Phil_Agcaoili
ID: 17108360
I hear what you are saying, I'm not a fan of running everything on one box which is what he is proposing ("enable IIS (company intranet/extranet) and possibly Remote Access/VPN on a Windows 2003 domain controller. The server has two Nics and I would like one of them to face the Internet and the other to face the LAN").

I say separate the functions, thinking inside machine (i.e. DC with 1 NIC) and outside remote access system (the Remote Access/VPN).

If the outside machine is compromised, he's not up the creek because only the outside machine has been lost.  His internal users can still work, safet and secure because the functions are separated.

I think it's best to look like this to mitigate the threat of a compromise:

     Remote Access/VPN (DMZ)
                    |
                    |
Internet------PIX------SBS/DC

I'm with you on the patch, AV, and system hardening path.

The good news is that the DMZ system and the DC have more simplistic patching requirements now that applications like IIS are spread amongst several systems and patch testing is much simpler because there are less dependanices.

Again, just my $0.02
0
 

Author Comment

by:tomc3000
ID: 17124236
Thanks for the input.   I'll look into getting a separate server for the VPN/Remote access functionality as it seems this would be most secure.
0

Featured Post

Ransomware: The New Cyber Threat & How to Stop It

This infographic explains ransomware, type of malware that blocks access to your files or your systems and holds them hostage until a ransom is paid. It also examines the different types of ransomware and explains what you can do to thwart this sinister online threat.  

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Many people tend to confuse the function of a virus with the one of adware, this misunderstanding of the basic of what each software is and how it operates causes users and organizations to take the wrong security measures that would protect them ag…
Recently, I read that Microsoft has analysed statistics for their security intelligence report. It revealed: still, the clear majority of windows users do their daily work as administrator. An administrative account is a burden, security-wise. My ar…
This tutorial gives a high-level tour of the interface of Marketo (a marketing automation tool to help businesses track and engage prospective customers and drive them to purchase). You will see the main areas including Marketing Activities, Design …
This video shows how to quickly and easily add an email signature for all users on Exchange 2016. The resulting signature is applied on a server level by Exchange Online. The email signature template has been downloaded from: www.mail-signatures…

770 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question