Solved

Is there a secure way to run Internet services on a Windows 2003 domain controller?

Posted on 2006-07-12
8
237 Views
Last Modified: 2013-12-04
I would like to enable IIS (company intranet/extranet) and possibly Remote Access/VPN on a Windows 2003 domain controller. The server has two Nics and I would like one of them to face the Internet and the other to face the LAN. The NIC on the Internet could sit behind a PIX 501 if necessary. Is there a secure way to configure this type of setup or is it generally not done?
0
Comment
Question by:tomc3000
  • 3
  • 2
  • 2
  • +1
8 Comments
 
LVL 13

Expert Comment

by:prashsax
Comment Utility
If you have a PIX, then you do not require two NICs on your server.

Just NAT a public IP on PIX and your server will be accessible from internet.

Then you could open specific ports like port 80 for web server.

As for VPN, PIX can host VPN for you and clients from outside can access your internal network after connecting using VPN.

If you do not have a PIX then you need two NICs and safely put your server on internet. Just make sure you have defined access-list on your internet router so that no all ports are open.

Otherwise you can use Windows Firewall to defend your sever on internet.
0
 

Author Comment

by:tomc3000
Comment Utility
Ok, I know I can forward ports as necessary, is this safe to do considering the ports are being directed to a Primary Domain Controller?
0
 
LVL 37

Expert Comment

by:Bing CISM / CISSP
Comment Utility
at any time, only looking out one door or window is not enough for protecting a house. you may combine server means to protect your W2K3 server:

1. setup a hardware firewall between the internet and your DMZ
2. forward incoming traffic (port based) to internal server only as needed
3. disable unnecessary services on W2K3
4. disable unnecessary ports on the external adapter of W2K3 which stays on the same DMZ subnet as your firewall's LAN port, by either W2K3's built-in FW or a 3rd party one
5. disable guest account on PDC
6. enable strong password policy on PDC
7. disable remote desktop connection from internet IPs, as well as internal ones if necessary
8. enable audit on PDC, for both successful and unsucessful events
9. consider another DC as backup
10. backup the PDC timely
11. ... more and more, depends on your business requirements

hope it helps,
bbao
0
 
LVL 13

Expert Comment

by:prashsax
Comment Utility
Well, as long as only port 80(HTTP) and 1723(GRE) is forwarded it will not have any problems.

This is very common with people using SBS. As its the only server which acts as DC, Web Server, Firewall, Exchange etc.

Keep your server fully patched and update your antivirus regularly and you should be ok.

0
Backup Your Microsoft Windows Server®

Backup all your Microsoft Windows Server – on-premises, in remote locations, in private and hybrid clouds. Your entire Windows Server will be backed up in one easy step with patented, block-level disk imaging. We achieve RTOs (recovery time objectives) as low as 15 seconds.

 
LVL 12

Accepted Solution

by:
Phil_Agcaoili earned 250 total points
Comment Utility
That's a bad idea.

It's better to separate the functions to 2 machines.

One machine exposed to the Net with Remote Access/VPN or RDP enabled and then the second machine running whatever else that needs to be available for internal users AND protected.

You create a DMZ (3rd) leg off of the PIX where the Internet server is connected.
Lock down rules to that box from the Net, from the internal network, and what that server is allowed to do out of the DMZ. Make sure all unecessary services are turned off and the system is patched regularly (this should be easier since less is running on it). Consider running 2-factor authentication on this server since it's external facing.

The internal server can run whatever you need for it to run. Keep it patched and offer different authentication credentials than what is required for the DMZ server.

I hear about hacked systems all of the time with the configuration that you are proposing.
0
 
LVL 13

Assisted Solution

by:prashsax
prashsax earned 250 total points
Comment Utility
Phil what you are proposing is standard config, and indeed secure.

But what I was talking about was case of Microsoft SBS. Its a single machine which run everything for a domain.

And people does publish it using ISA Firewall.

So, all I am saying is that yes, people do publish their domain controller with two NICs, But its generally behind a firewall.

Since he has PIX, he can set this machine up behind the firewall.
The way to secure it to allow connection from outside on port 80. The domain controller itself should not be allowed to access internet. So no access from inside to outside on any port.
Rest is as I have already mentioned, Patch up the machine, Update AV, and it will remain secure.


0
 
LVL 12

Expert Comment

by:Phil_Agcaoili
Comment Utility
I hear what you are saying, I'm not a fan of running everything on one box which is what he is proposing ("enable IIS (company intranet/extranet) and possibly Remote Access/VPN on a Windows 2003 domain controller. The server has two Nics and I would like one of them to face the Internet and the other to face the LAN").

I say separate the functions, thinking inside machine (i.e. DC with 1 NIC) and outside remote access system (the Remote Access/VPN).

If the outside machine is compromised, he's not up the creek because only the outside machine has been lost.  His internal users can still work, safet and secure because the functions are separated.

I think it's best to look like this to mitigate the threat of a compromise:

     Remote Access/VPN (DMZ)
                    |
                    |
Internet------PIX------SBS/DC

I'm with you on the patch, AV, and system hardening path.

The good news is that the DMZ system and the DC have more simplistic patching requirements now that applications like IIS are spread amongst several systems and patch testing is much simpler because there are less dependanices.

Again, just my $0.02
0
 

Author Comment

by:tomc3000
Comment Utility
Thanks for the input.   I'll look into getting a separate server for the VPN/Remote access functionality as it seems this would be most secure.
0

Featured Post

What Should I Do With This Threat Intelligence?

Are you wondering if you actually need threat intelligence? The answer is yes. We explain the basics for creating useful threat intelligence.

Join & Write a Comment

The term "Bad USB" is a buzz word that is usually used when talking about attacks on computer systems that involve USB devices. In this article, I will show what possibilities modern windows systems (win8.x and win10) offer to fight these attacks wi…
SHARE your personal details only on a NEED to basis. Take CHARGE and SECURE your IDENTITY. How do I then PROTECT myself and stay in charge of my own Personal details (and) - MY own WAY...
Polish reports in Access so they look terrific. Take yourself to another level. Equations, Back Color, Alternate Back Color. Write easy VBA Code. Tighten space to use less pages. Launch report from a menu, considering criteria only when it is filled…
This video demonstrates how to create an example email signature rule for a department in a company using CodeTwo Exchange Rules. The signature will be inserted beneath users' latest emails in conversations and will be displayed in users' Sent Items…

728 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

14 Experts available now in Live!

Get 1:1 Help Now