Would a Multi-Homed W2K3 Server Placed in DMZ Compromise LAN Security?

Super tight budget, approved to add only 1 server to W2K3 A.D. based LAN protected by Cisco PIX 515 FW.

To maximize the value of the new W2K3 Server, I would love to be able to use it for more than just a Web & FTP server in the DMZ because the internal LAN could well use another file server and I also need another LAN based Windows server to install M.S. Live Communication Server on as well.

My question is: From a security standpoint, would it be foolish to put 2 NICs in the new Windows Server 2003 system to connect it to both the DMZ and the internal LAN simultaneously?

My thought is the multi-homed configuration would allow the computer to be the Web & FTP server to the outside world while LAN clients could also utilize it as File Server & M.S LCS server belonging to the A.D. domain.

My fear is that multi-homing a Windows Server in this way possibly defeats the security isolation now present between the public (DMZ) & private (LAN) subnets provided by the PIX Firewall, should an outsider misuse the HTTP or FTP access to the new Windows server to hack into it.

dealvis asked:
strongline commented:
I don't want to do that, for sure. And you've had the answer.

Compromise of the server means compromise of your LAN.
PowerIT commented:
Your fear is warranted.
When the server is compromised then the next step would be your LAN.
You would indeed nullify the DMZ.
The only justified scenario that I'm aware of where this is done is in IDS: putting an IP-less probe in the DMZ.

J.
lrmoore commented:
Agree with all above. It would certainly defeat the purpose of having the server isolated in a DMZ. You might consider taking an old PC, loading up Linux for your WWW/FTP server, and move this Windows server into your inside network.

Think about it this way - Windows is the most insecure operating system, and the most attacked operating system in the world. It just doesn't make sense to put your border security in the hands of swiss cheese that has to be patched every month.
Microsoft does not sell routers for good reason. Windows can route between interfaces, but will never have all the functions and features and security of a real router.
Microsoft doesn't sell firewalls. Yes, some will argue that ISA is a firewall, but it is still a software application that rides on top of the swiss cheese operating system.
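Added example, not part of the thread: a small Python audit, run over a constructed host inventory, that flags any host with interfaces in both the DMZ and LAN subnets (the configuration the question describes) and escalates the finding when the Windows IP-forwarding switch (the IPEnableRouter registry value) is also on. The subnet values, host names and the per-host forwarding column are assumed sample data.

```python
"""Flag multi-homed hosts that straddle the DMZ and the internal LAN.

A host with a NIC in each zone lets traffic bypass the firewall once the
host itself is compromised; if IP forwarding is enabled it bridges the
zones even without a compromise.
"""
import ipaddress

# Zones as defined on the firewall (constructed sample values).
ZONES = {
    "DMZ": ipaddress.ip_network("192.0.2.0/24"),
    "LAN": ipaddress.ip_network("10.10.0.0/16"),
}

# Constructed inventory: host -> (interface IPs, IPEnableRouter set?).
# IPEnableRouter lives under HKLM\SYSTEM\CurrentControlSet\Services\
# Tcpip\Parameters and turns Windows into an IP router between its NICs.
INVENTORY = {
    "web01":  (["192.0.2.10"], False),                 # DMZ only
    "file02": (["10.10.1.20"], False),                 # LAN only
    "newsrv": (["192.0.2.11", "10.10.1.21"], False),   # the proposed box
    "bridge": (["192.0.2.12", "10.10.1.22"], True),    # worst case
}


def zones_of(ips):
    """Return the set of zone names that the given interface IPs fall in."""
    found = set()
    for ip in ips:
        addr = ipaddress.ip_address(ip)
        for name, net in ZONES.items():
            if addr in net:
                found.add(name)
    return found


def assess(ips, forwarding):
    """Classify one host: 'ok', 'pivot-risk' or 'forwarding-bridge'."""
    if {"DMZ", "LAN"} <= zones_of(ips):
        return "forwarding-bridge" if forwarding else "pivot-risk"
    return "ok"


def audit(inventory):
    """Run assess() over every host and return {host: verdict}."""
    return {host: assess(ips, fwd) for host, (ips, fwd) in inventory.items()}


if __name__ == "__main__":
    for host, verdict in audit(INVENTORY).items():
        print(f"{host:8s} {verdict}")
```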