Solved

One way trust

Posted on 2008-06-23
Last Modified: 2011-04-14
We are currently setting up an external sharepoint solution which requires a one way trust from our internal AD to a new external AD in the DMZ.  

We are aware of the ports needed to facilitate this (as documented by MSFT) but want to know what the inherent security risks are that we are introducing by doing this.

We are using ISA server to proxy the external user requests.
Question by:attridget
7 Comments
 
LVL 13

Expert Comment

by:TheCapedPlodder
ID: 21846762
Which direction is the trust going to be?

If the DMZ domain trusts the Internal domain then that's fine.

If the Internal domain trusts the DMZ domain then you are slightly less secure.  I assume the DMZ domain will not be accessible directly from the outside world?  If so you should be OK.  I would run the security configuration wizard on the DMZ domain controller to ensure it is locked down to the bare bones, also ensure it is running no unneeded services and is fully patched.

Rename all built-in user accounts on the DMZ domain and use complex passwords across the board.

Also, it goes without saying that you should limit the number of open ports between the outside world and the DMZ servers.  If you want to be paranoid you could put the DMZ DC in a separate DMZ to the sharepoint/ISA servers and lock down the ports between them.  Finally, ensure the minimum number of ports between your internal and external DCs.
0
 

Author Comment

by:attridget
ID: 21846925
The solution will be whatever makes most sense from a security standpoint.
0
 
LVL 13

Expert Comment

by:TheCapedPlodder
ID: 21847036
OK, let me put it another way.  Which domain needs to see users and groups from the other?

Does the DMZ domain need to access the users and groups of the Internal domain, or vice versa?

I assumed from the phrase "requires a one way trust from our internal AD to a new external AD in the DMZ" that you had already designed the solution.
0
 

Author Comment

by:attridget
ID: 21847066
DMZ needs to see the internal AD groups.

The design has been 'floated' around - always open to comments and suggestions.  It seems to be the standard - with that in mind I am looking for pitfalls and considerations.
0
 
LVL 13

Expert Comment

by:TheCapedPlodder
ID: 21847088
I suspected you would say that as it is the more secure of the two approaches.

What other servers will exist in the DMZ domain as they will need access to the internal domain controllers?
0
 

Author Comment

by:attridget
ID: 21847511
Sharepoint MOS2007, SQL and AD/DNS.  The ISA is an appliance.
0
 
LVL 13

Accepted Solution

by:TheCapedPlodder (earned 1500 total points)
ID: 21849728
OK.  So, referring to my first post, create the trust one way from the DMZ DC to the Internal DC that holds the PDC Emulator role.  Ensure all devices in the DMZ are fully patched and run the Security Configuration Wizard against them all to close unnecessary ports and stop unneeded services.  Also run correctly configured AV on the MOS and SQL servers.

Obviously limit the ports between the DMZ and Internal network to the required ports and hosts.

Hope this helps.

Cheers,

TCP
0
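The first expert comment and the accepted solution both hinge on the trust direction: the DMZ domain must trust the internal domain (so internal groups can be granted rights on the SharePoint farm) and never the reverse. The script below is an added example, not code from the thread or from any of the participants, that audits this from the DMZ side using the RSAT ActiveDirectory module's Get-ADTrust cmdlet (available from Windows Server 2008 R2 onward, so newer than the 2008-era environment in the thread). It assumes it runs on a DMZ-domain DC or a DMZ host with the module installed, and 'internal.example' is a placeholder for the real internal domain name. On the DMZ side the expected Direction is Outbound (the DMZ domain trusts the target); Inbound or BiDirectional would mean DMZ accounts can be used inside the internal domain, which is the less secure layout the thread warns against. The SID filtering and selective authentication checks go slightly beyond the thread: SID filtering (quarantine) is on by default for external trusts and should stay on, and selective authentication is an optional extra restriction on which internal principals may authenticate to DMZ hosts at all.

```powershell
# Added example, not from the thread. Audits the DMZ-side trust against the design
# discussed above: exactly one trust, to the internal domain, Outbound only.
# Assumes the RSAT ActiveDirectory module; 'internal.example' is a placeholder.
Import-Module ActiveDirectory

$ExpectedInternalDomain = 'internal.example'   # placeholder: the internal domain's DNS name

function Test-DmzTrustPolicy {
    param(
        [Parameter(Mandatory)] [string] $InternalDomain,
        [string] $Server   # optional DMZ DC to query; otherwise a DC is discovered
    )

    $splat = @{ Filter = '*' }
    if ($Server) { $splat['Server'] = $Server }
    $trusts = @(Get-ADTrust @splat)

    $findings = New-Object System.Collections.Generic.List[string]

    if ($trusts.Count -eq 0) {
        $findings.Add('No trust defined; the farm cannot resolve internal groups.')
    }

    foreach ($t in $trusts) {
        # Any trust other than the one to the internal domain has no business in the DMZ.
        if ($t.Target -ne $InternalDomain) {
            $findings.Add("Unexpected trust to '$($t.Target)'")
            continue
        }

        # Outbound on the DMZ side = the DMZ domain trusts the internal domain.
        # Inbound/BiDirectional would let DMZ accounts be granted rights internally.
        if ($t.Direction -ne 'Outbound') {
            $findings.Add("Trust to '$($t.Target)' is $($t.Direction); expected Outbound only")
        }

        # SID filtering (quarantine) discards foreign SIDs in the SID history of
        # tokens crossing the trust; it is on by default for external trusts.
        if (-not $t.SIDFilteringQuarantined) {
            $findings.Add("SID filtering is disabled on trust to '$($t.Target)'")
        }

        # Optional hardening beyond the thread: with selective authentication only
        # internal principals explicitly granted 'Allowed to Authenticate' on a DMZ
        # computer object can authenticate to it.
        if (-not $t.SelectiveAuthentication) {
            $findings.Add("Selective authentication is off on trust to '$($t.Target)' (optional hardening)")
        }
    }

    [pscustomobject]@{
        Compliant = ($findings.Count -eq 0)
        Findings  = $findings.ToArray()
        Trusts    = $trusts | Select-Object Name, Direction, TrustType,
                        SIDFilteringQuarantined, SelectiveAuthentication
    }
}

$result = Test-DmzTrustPolicy -InternalDomain $ExpectedInternalDomain
$result.Trusts | Format-Table -AutoSize
$result.Findings | ForEach-Object { Write-Warning $_ }
if (-not $result.Compliant) { exit 1 }
```

Run it from the DMZ domain, not the internal one: the same trust object shows the opposite Direction when queried from the internal side, so a check written for one domain reports the wrong thing on the other. The non-zero exit code makes it usable as a scheduled drift check after the Security Configuration Wizard and patching steps from the accepted solution have been applied.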