One way trust

Posted on 2008-06-23
Last Modified: 2011-04-14
We are currently setting up an external SharePoint solution which requires a one-way trust from our internal AD to a new external AD in the DMZ.

We are aware of the ports needed to facilitate this (as documented by MSFT) but want to know what inherent security risks we are introducing by doing this.

We are using ISA server to proxy the external user requests.
Question by: attridget
7 Comments
Expert Comment by: TheCapedPlodder (ID: 21846762)
Which direction is the trust going to be?

If the DMZ domain trusts the Internal domain then that's fine.

If the Internal domain trusts the DMZ domain then you are slightly less secure. I assume the DMZ domain will not be accessible directly from the outside world? If so you should be OK. I would run the Security Configuration Wizard on the DMZ domain controller to ensure it is locked down to the bare bones, also ensure it is running no unneeded services and is fully patched.

Rename all built-in user accounts on the DMZ domain and use complex passwords across the board.

Also, it goes without saying that you should limit the number of open ports between the outside world and the DMZ servers. If you want to be paranoid you could put the DMZ DC in a separate DMZ to the SharePoint/ISA servers and lock down the ports between them. Finally, ensure the minimum number of ports between your internal and external DCs.

Author Comment by: attridget (ID: 21846925)
The solution will be whatever makes most sense from a security standpoint.

Expert Comment by: TheCapedPlodder (ID: 21847036)
OK, let me put it another way. Which domain needs to see users and groups from the other?

Does the DMZ domain need to access the users and groups of the Internal domain, or vice versa?

I assumed from the phrase "requires a one way trust from our internal AD to a new external AD in the DMZ" that you had already designed the solution.

Author Comment by: attridget (ID: 21847066)
The DMZ needs to see the internal AD groups.

The design has been 'floated' around and is always open to comments and suggestions. It seems to be the standard; with that in mind, I am looking for pitfalls and considerations.

Expert Comment by: TheCapedPlodder (ID: 21847088)
I suspected you would say that as it is the more secure of the two approaches.

What other servers will exist in the DMZ domain, as they will need access to the internal domain controllers?

Author Comment by: attridget (ID: 21847511)
SharePoint MOS2007, SQL and AD/DNS. The ISA is an appliance.

Accepted Solution by: TheCapedPlodder (earned 500 total points; ID: 21849728)
OK. So, referring to my first post, create the trust one way from the DMZ DC to the Internal DC that holds the PDC Emulator role. Ensure all devices in the DMZ are fully patched and run the Security Configuration Wizard against them all to close unnecessary ports and stop unneeded services. Also run correctly configured AV on the MOS and SQL servers.

Obviously limit the ports between the DMZ and Internal network to the required ports and hosts.

Hope this helps.

Cheers,

TCP
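A way to verify that the trust actually ended up in the direction the thread settles on (the DMZ domain trusting the internal domain, and nothing more), written here as an added example that is not from any post above. It assumes the ActiveDirectory PowerShell module, which postdates this 2008 thread (Windows Server 2008 R2 or later), is run on a DMZ domain controller, and uses a placeholder internal domain name.

```powershell
# Added example, not from the thread. Run on a DMZ domain controller where the
# ActiveDirectory module is available (Windows Server 2008 R2 or later).
Import-Module ActiveDirectory

# Placeholder: the internal domain that the DMZ domain is supposed to trust.
$InternalDomain = 'corp.example.internal'

# Direction is reported from the local (DMZ) domain's point of view:
#   Outbound      - this domain trusts the target (DMZ sees internal groups; the thread's design)
#   Inbound       - the target trusts this domain (internal would accept DMZ accounts)
#   BiDirectional - both at once, which is not a one-way trust at all
$ExpectedDirection = 'Outbound'

$findings = foreach ($t in Get-ADTrust -Filter *) {
    $issues = @()

    if ($t.Target -ne $InternalDomain) {
        $issues += "unexpected trust partner '$($t.Target)'"
    }
    if ($t.Direction -ne $ExpectedDirection) {
        $issues += "direction is $($t.Direction), expected $ExpectedDirection"
    }
    # On an external (non-forest) trust, SID filtering/quarantine should stay on so that
    # SIDs from the other domain cannot be carried across the trust in a token's SID history.
    if (-not $t.ForestTransitive -and -not $t.SIDFilteringQuarantined) {
        $issues += 'SID filtering (quarantine) is disabled'
    }

    $status = if ($issues.Count -eq 0) { 'OK' } else { $issues -join '; ' }

    [pscustomobject]@{
        Target    = $t.Target
        Direction = $t.Direction
        TrustType = $t.TrustType
        Status    = $status
    }
}

if (-not $findings) {
    Write-Warning 'No trusts are defined in this domain.'
}
$findings | Format-Table -AutoSize
```

Run the same script on the internal DC as well: there the only trust to the DMZ domain should show as Inbound, and any Outbound or BiDirectional entry means the internal domain has been made to trust the DMZ.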