Solved

One way trust

Posted on 2008-06-23
7
827 Views
Last Modified: 2011-04-14
We are currently setting up an external SharePoint solution which requires a one-way trust from our internal AD to a new external AD in the DMZ.

We are aware of the ports needed to facilitate this (as documented by MSFT) but want to know what the inherent security risks are that we are introducing by doing this.

We are using ISA Server to proxy the external user requests.
Question by:attridget
7 Comments
 
LVL 13

Expert Comment

by:TheCapedPlodder
ID: 21846762
Which direction is the trust going to be?

If the DMZ domain trusts the Internal domain then that's fine.

If the Internal domain trusts the DMZ domain then you are slightly less secure. I assume the DMZ domain will not be accessible directly from the outside world? If so you should be OK. I would run the Security Configuration Wizard on the DMZ domain controller to ensure it is locked down to the bare bones; also ensure it is running no unneeded services and is fully patched.

Rename all built-in user accounts on the DMZ domain and use complex passwords across the board.

Also, it goes without saying that you should limit the number of open ports between the outside world and the DMZ servers. If you want to be paranoid you could put the DMZ DC in a separate DMZ from the SharePoint/ISA servers and lock down the ports between them. Finally, ensure the minimum number of ports between your internal and external DCs.
0
 

Author Comment

by:attridget
ID: 21846925
The solution will be whatever makes most sense from a security standpoint.
0
 
LVL 13

Expert Comment

by:TheCapedPlodder
ID: 21847036
OK, let me put it another way. Which domain needs to see users and groups from the other?

Does the DMZ domain need to access the users and groups of the Internal domain, or vice versa?

I assumed from the phrase "requires a one way trust from our internal AD to a new external AD in the DMZ" that you had already designed the solution.
0

Author Comment

by:attridget
ID: 21847066
DMZ needs to see the internal AD groups.

The design has been 'floated' around and is always open to comments and suggestions. It seems to be the standard; with that in mind I am looking for pitfalls and considerations.
0
 
LVL 13

Expert Comment

by:TheCapedPlodder
ID: 21847088
I suspected you would say that as it is the more secure of the two approaches.

What other servers will exist in the DMZ domain, as they will need access to the internal domain controllers?
0
 

Author Comment

by:attridget
ID: 21847511
SharePoint MOSS 2007, SQL and AD/DNS. The ISA is an appliance.
0
 
LVL 13

Accepted Solution

by:TheCapedPlodder (earned 500 total points)
ID: 21849728
OK. So, referring to my first post, create the trust one way from the DMZ DC to the Internal DC that holds the PDC Emulator role. Ensure all devices in the DMZ are fully patched and run the Security Configuration Wizard against them all to close unnecessary ports and stop unneeded services. Also run correctly configured AV on the MOSS and SQL servers.

Obviously, limit the ports between the DMZ and Internal network to the required ports and hosts.

Hope this helps.

Cheers,

TCP
0
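To verify that the trust really matches the one-way design the answers describe (the DMZ domain trusts the internal domain, nothing flows the other way), here is an added PowerShell audit script; it is not from this thread or any of its posters. It assumes it runs on a DMZ domain controller with the ActiveDirectory module from a later RSAT (Windows Server 2012 R2 or newer, so newer than the 2008-era setup in the question), that the placeholder in `$InternalDomain` is replaced with the internal domain's DNS name, and it additionally checks SID filtering and selective authentication, two trust hardening settings the thread does not mention.

```powershell
# Added audit script (not from the thread). Assumes it runs on the DMZ DC
# with the ActiveDirectory module available; $InternalDomain is a placeholder.
Import-Module ActiveDirectory

$InternalDomain = 'internal.example'   # placeholder: DNS name of the internal AD domain

function Test-DmzTrust {
    param([string]$TrustedDomain)

    $findings = @()
    $trusts = Get-ADTrust -Filter *

    foreach ($t in $trusts) {
        # Direction is relative to the domain being queried (the DMZ domain).
        # 'Outbound' means the DMZ domain trusts $t.Target, which is the design
        # recommended above. 'Inbound' or 'Bidirectional' would let DMZ
        # accounts be granted access inside the internal domain.
        if ($t.Direction -ne 'Outbound') {
            $findings += "Trust to $($t.Target): direction is $($t.Direction); expected Outbound only"
        }
        # SID filtering (quarantine) discards SID-history entries in tokens
        # arriving from the trusted domain; keep it enabled on an external trust.
        if (-not $t.SIDFilteringQuarantined) {
            $findings += "Trust to $($t.Target): SID filtering is disabled"
        }
        # Selective authentication limits internal principals to the DMZ servers
        # they are explicitly allowed to authenticate to, instead of granting
        # them Authenticated Users membership on every DMZ host.
        if (-not $t.SelectiveAuthentication) {
            $findings += "Trust to $($t.Target): selective authentication is off (domain-wide authentication)"
        }
    }

    # The expected trust partner must actually exist as a trust object.
    if (-not ($trusts | Where-Object { $_.Target -eq $TrustedDomain })) {
        $findings += "No trust object found for $TrustedDomain"
    }
    return $findings
}

$result = Test-DmzTrust -TrustedDomain $InternalDomain
if ($result.Count -eq 0) {
    Write-Output "Trust configuration matches the one-way design"
} else {
    $result | ForEach-Object { Write-Warning $_ }
}
```

Run the same script on an internal DC and the trust to the DMZ domain should show as Inbound there; any Outbound or Bidirectional entry pointing at the DMZ is the less secure direction the first expert comment warns about.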
