• Status: Solved
  • Priority: Medium
  • Security: Public

One way trust

We are currently setting up an external SharePoint solution which requires a one-way trust from our internal AD to a new external AD in the DMZ.

We are aware of the ports needed to facilitate this (as documented by MSFT) but want to know what are the inherent security risks we are introducing by doing this.

We are using ISA Server to proxy the external user requests.
Asked by attridget
1 Solution
 
TheCapedPlodder commented:
Which direction is the trust going to be?

If the DMZ domain trusts the Internal domain then that's fine.

If the Internal domain trusts the DMZ domain then you are slightly less secure.  I assume the DMZ domain will not be accessible directly from the outside world?  If so you should be OK.  I would run the security configuration wizard on the DMZ domain controller to ensure it is locked down to the bare bones, also ensure it is running no unneeded services and is fully patched.

Rename all built-in user accounts on the DMZ domain and use complex passwords across the board.

Also, it goes without saying that you should limit the number of open ports between the outside world and the DMZ servers. If you want to be paranoid you could put the DMZ DC in a separate DMZ to the SharePoint/ISA servers and lock down the ports between them. Finally ensure the minimum number of ports between your internal and external DCs.
 
attridget (author) commented:
The solution will be whatever makes most sense from a security standpoint.
 
TheCapedPlodder commented:
OK, let me put it another way. Which domain needs to see users and groups from the other?

Does the DMZ domain need to access the users and groups of the Internal domain or vice versa?

I assumed from the phrase "requires a one way trust from our internal AD to a new external AD in the DMZ" that you had already designed the solution.
 
attridget (author) commented:
DMZ needs to see the internal AD groups.

The design has been 'floated' around - always open to comments and suggestions. It seems to be the standard - with that in mind I am looking for pitfalls and considerations.
 
TheCapedPlodder commented:
I suspected you would say that as it is the more secure of the two approaches.

What other servers will exist in the DMZ domain as they will need access to the internal domain controllers?
 
attridget (author) commented:
SharePoint MOS2007, SQL and AD/DNS. The ISA is an appliance.
 
TheCapedPlodder commented:
OK. So referring to my first post, create the trust one way from the DMZ DC to the Internal DC that holds the PDC Emulator role. Ensure all devices in the DMZ are fully patched and run the Security Configuration Wizard against them all to close unnecessary ports and stop unneeded services. Also run correctly configured AV on the MOS and SQL servers.

Obviously limit the ports between the DMZ and Internal network to the required ports and hosts.

Hope this helps.

Cheers,

TCP
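A check against the recommendation in this thread, added here as an example and not posted by either participant: run on (or with -Server pointed at) the DMZ domain controller, it lists the trusts defined there and flags anything other than a single one-way outbound trust to the internal domain, which is the direction TheCapedPlodder recommends. It also reports whether SID filtering and selective authentication are enabled on that trust; the thread does not discuss those, but they are the standard hardening settings on an external trust. Assumes the ActiveDirectory PowerShell module (RSAT) is available; the domain and server names are placeholders.

```powershell
# Added example, not from the thread. Replace the placeholder names with your own.
Import-Module ActiveDirectory

$InternalDomain = 'corp.example.internal'   # placeholder: FQDN of the internal AD domain
$DmzDc          = 'dmz-dc01.dmz.example'    # placeholder: DMZ domain controller to query

function Test-DmzTrust {
    param([string]$Server, [string]$ExpectedPartner)

    $trusts = @(Get-ADTrust -Filter * -Server $Server -Properties *)
    if ($trusts.Count -eq 0) { Write-Warning "No trusts defined on $Server"; return }
    if ($trusts.Count -gt 1) { Write-Warning "$($trusts.Count) trusts found; the design calls for exactly one" }

    foreach ($t in $trusts) {
        $findings = @()
        # Seen from the DMZ side, "DMZ trusts Internal" is an outbound (outgoing) trust.
        # Inbound or BiDirectional would let DMZ accounts authenticate into the internal domain.
        if ($t.Direction -ne 'Outbound') { $findings += "direction is $($t.Direction), expected Outbound" }
        if ($t.Target -ne $ExpectedPartner) { $findings += "unexpected trust partner $($t.Target)" }
        # An external (non-forest) trust should not be transitive.
        if ($t.ForestTransitive) { $findings += 'trust is forest-transitive' }
        # SID filtering (quarantine) discards SIDs in internal-domain tokens that the
        # internal domain does not own, so group SIDs cannot be injected across the trust.
        if (-not $t.SIDFilteringQuarantined) { $findings += 'SID filtering is disabled' }
        # Selective authentication limits which internal accounts may authenticate to DMZ hosts.
        if (-not $t.SelectiveAuthentication) { $findings += 'selective authentication is off' }

        $summary = if ($findings.Count -gt 0) { $findings -join '; ' } else { 'OK' }
        [pscustomobject]@{
            Trust         = $t.Name
            Direction     = $t.Direction
            TrustType     = $t.TrustType
            SIDFiltering  = $t.SIDFilteringQuarantined
            SelectiveAuth = $t.SelectiveAuthentication
            Findings      = $summary
        }
    }
}

Test-DmzTrust -Server $DmzDc -ExpectedPartner $InternalDomain | Format-Table -AutoSize
```

Any row whose Findings column is not OK is a deviation from the one-way, DMZ-trusts-Internal design agreed in the thread and is worth reviewing before the SharePoint servers go live.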