Security doubt when replicating Active Directory over a firewall

Posted on 2007-10-11
Last Modified: 2010-04-11

I have an Exchange Server placed in my DMZ that is also a DC for my domain. Demoting it to member server is not supported by Microsoft, so I have to deal with AD replication through my FW.

I have followed this Microsoft document:
which, although written for Windows 2000, is valid for Windows 2003.

I have followed the (theoretically) most secure approach of encapsulating traffic between DMZ and Internal DCs through IPSec.

My question is this:

What is the difference between doing this, the most secure solution, and just fully opening traffic between the DMZ DC and the internal DCs (the first option in the document)?

I realize that, obviously, there are far fewer ports involved that I have to open in my firewall between the servers (just IP protocols 50 and 51 and UDP 500), but anyway what I am doing is encapsulating ALL traffic between the DMZ DC and the rest of the internal DCs, so if someone hacks my Exchange Server, he/she will anyhow have open access to my internal DCs through the IPSec channel (with the other option he/she will just have direct access through the "hole" in my FW).

I think I am missing something here ...



Question by: perehospital
    LVL 18

    Expert Comment

    The difference is important when you have more than one server in your DMZ.
    If you have a web server in there and it gets hacked, it would not be possible to eavesdrop on all your important AD communication when using IPSEC.
    Although I'm wondering why you have a DC in your DMZ. In general that's not a good idea. An Exchange server in the DMZ should only be a front-end server without any domain info on it.

    LVL 1

    Author Comment

    Hi J, thanks,

    I can see the point there. But this means that if the Exchange server gets hacked then I have a serious problem anyway.

    And the Exchange Server is a DC because I "inherited" it like this. As I said, I thought about demoting it (because I have 2 DCs in my internal network), but then I found that this was not possible/advisable.

    And I think that it is better to have an Exchange Server (even if it is a DC) in the DMZ (protecting AD traffic) than to place it in my internal network and DNAT SMTP internet connections to the Exchange Server in my internal network. Isn't it?


    LVL 18

    Accepted Solution

    Not really; with everything you have to open between your DMZ and internal network, security-wise it does not matter.
    If you want to make it secure then your best option is destroying your inheritance and starting from scratch.
    If your firewall has a good IPS for SMTP and your environment is not a highly secure or highly regulated environment, then you can leave it as it is.
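To make the difference between the two firewall designs concrete (the question's "open every AD port" option versus the "IKE/AH/ESP only" option, and the accepted answer's point that the gain is against eavesdropping by a second DMZ host, not against a compromised DMZ DC), here is a small reachability model. It is an added example and is not code from the thread or from the Microsoft document; the host names (exch-dc, web01, dc1, dc2) and the trimmed AD service list are constructed assumptions, and the RPC dynamic range is included because it is what makes the per-port approach so wide.

```python
# Added example (not from the original thread): model the two firewall designs
# discussed above. Host names and the AD port list are constructed assumptions.
from dataclasses import dataclass
from typing import Optional, Tuple

PortRange = Optional[Tuple[int, int]]   # None: protocol has no ports (ESP/AH)


@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    proto: str
    ports: PortRange = None


# Services a DC exposes for replication/logon (subset, for illustration).
AD_SERVICES = {
    "dns":      ("tcp", (53, 53)),
    "kerberos": ("tcp", (88, 88)),
    "rpc-epm":  ("tcp", (135, 135)),
    "ldap":     ("tcp", (389, 389)),
    "smb":      ("tcp", (445, 445)),
    "rpc-dyn":  ("tcp", (1024, 65535)),   # RPC dynamic range (assumed default)
}
# What the IPsec option opens instead: IP protocol 50 (ESP), 51 (AH), UDP 500 (IKE).
TUNNEL_SERVICES = {
    "esp": ("esp", None),
    "ah":  ("ah", None),
    "ike": ("udp", (500, 500)),
}


def _pairwise(dmz_dc, internal_dcs):
    """Both directions between the DMZ DC and each internal DC."""
    return [(a, b) for idc in internal_dcs for a, b in ((dmz_dc, idc), (idc, dmz_dc))]


def open_ports_design(dmz_dc, internal_dcs):
    """Design 1: a hole per AD service, scoped to the DMZ DC and the internal DCs."""
    return [Rule(a, b, proto, ports) for a, b in _pairwise(dmz_dc, internal_dcs)
            for proto, ports in AD_SERVICES.values()]


def ipsec_design(dmz_dc, internal_dcs):
    """Design 2: only IKE/AH/ESP; all AD traffic rides inside the tunnel."""
    return [Rule(a, b, proto, ports) for a, b in _pairwise(dmz_dc, internal_dcs)
            for proto, ports in TUNNEL_SERVICES.values()]


def permitted(rules, src, dst, proto, port=None):
    """True if some rule lets src talk to dst on proto/port."""
    for r in rules:
        if (r.src, r.dst, r.proto) != (src, dst, proto):
            continue
        if r.ports is None or (port is not None and r.ports[0] <= port <= r.ports[1]):
            return True
    return False


def reachable_services(rules, src, dst):
    """AD services a host at src can reach on dst through the firewall.
    If ESP is permitted both ways the pair is a tunnel endpoint and the tunnel
    carries any protocol, so every AD service is reachable from that host."""
    if permitted(rules, src, dst, "esp") and permitted(rules, dst, src, "esp"):
        return set(AD_SERVICES)
    return {name for name, (proto, ports) in AD_SERVICES.items()
            if permitted(rules, src, dst, proto, ports[0])}


def wire_visible(rules, src, dst):
    """What a sniffer on the DMZ segment sees between src and dst: the cleartext
    AD protocols, or only the ESP/AH/IKE envelope."""
    if permitted(rules, src, dst, "esp"):
        return set(TUNNEL_SERVICES)
    return reachable_services(rules, src, dst)


def compare(dmz_dc="exch-dc", web="web01", internal_dcs=("dc1", "dc2")):
    """Summarise both designs from the three viewpoints the thread argues about."""
    out = {}
    for name, rules in (("open-ports", open_ports_design(dmz_dc, internal_dcs)),
                        ("ipsec", ipsec_design(dmz_dc, internal_dcs))):
        out[name] = {
            "from_compromised_exchange": reachable_services(rules, dmz_dc, "dc1"),
            "from_compromised_web": reachable_services(rules, web, "dc1"),
            "visible_to_dmz_sniffer": wire_visible(rules, dmz_dc, "dc1"),
        }
    return out


if __name__ == "__main__":
    for design, result in compare().items():
        print(design)
        for view, services in result.items():
            print(f"  {view}: {sorted(services) or '-'}")
```

Running it shows the asymmetry the answer describes: a compromised exch-dc reaches every AD service on dc1 under both designs (the tunnel endpoint is the attacker's own box), the web server reaches nothing under either because both rule sets are scoped to the DC's address, but a sniffer on the DMZ segment sees cleartext DNS/Kerberos/LDAP/RPC in the open-ports design and only ESP/AH/IKE in the IPsec design.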

    LVL 1

    Author Comment

    Thanks a lot J, very useful thoughts.

