Solved

One way trust

Posted on 2008-06-23
839 Views
Last Modified: 2011-04-14
We are currently setting up an external sharepoint solution which requires a one way trust from our internal AD to a new external AD in the DMZ.  

We are aware of the ports needed to facilitate this ( as documented by MSFT ) but want to know what are the inherent security risks we are introducing by doing this.  

We are using ISA server to proxy the external user requests.
0
Question by:attridget
7 Comments
 
LVL 13

Expert Comment

by:TheCapedPlodder
ID: 21846762
Which direction is the trust going to be?

If the DMZ domain trusts the Internal domain then that's fine.

If the Internal domain trusts the DMZ domain then you are slightly less secure.  I assume the DMZ domain will not be accessible directly from the outside world?  If so you should be OK.  I would run the security configuration wizard on the DMZ domain controller to ensure it is locked down to the bare bones, also ensure it is running no unneeded services and is fully patched.

Rename all built-in user accounts on the DMZ domain and use complex passwords across the board.

Also, it goes without saying that you should limit the number of open ports between the outside world and the DMZ servers.  If you want to be paranoid you could put the DMZ DC in a separate DMZ to the sharepoint/ISA servers and lock down the ports between them.  Finally ensure the minimum number of ports between your internal and external DCs.
0
 

Author Comment

by:attridget
ID: 21846925
The solution will be whatever makes most sense from a security standpoint.
0
 
LVL 13

Expert Comment

by:TheCapedPlodder
ID: 21847036
OK, let me put it another way.  Which domain needs to see users and groups from the other?

Does the DMZ domain need to access the users and groups of the Internal domain or vice versa?

I assumed from the phrase "requires a one way trust from our internal AD to a new external AD in the DMZ" that you had already designed the solution.
0

 

Author Comment

by:attridget
ID: 21847066
DMZ needs to see the internal AD groups.

The design has been 'floated' around - always open to comments and suggestions.  It seems to be the standard - with that in mind am looking for pitfalls and considerations.
0
 
LVL 13

Expert Comment

by:TheCapedPlodder
ID: 21847088
I suspected you would say that as it is the more secure of the two approaches.

What other servers will exist in the DMZ domain as they will need access to the internal domain controllers?
0
 

Author Comment

by:attridget
ID: 21847511
Sharepoint MOSS 2007, SQL and AD/DNS.  The ISA is an appliance.
0
 
LVL 13

Accepted Solution

by:TheCapedPlodder (earned 500 total points)
ID: 21849728
OK.  So referring to my first post create the trust one way from the DMZ DC to the Internal DC that holds the PDC Emulator role.  Ensure all devices in the DMZ are fully patched and run the Security Configuration Wizard against them all to close unnecessary ports and stop unneeded services.  Also run correctly configured AV on the MOS and SQL servers.

Obviously limit the ports between the DMZ and Internal network to the required ports and hosts.

Hope this helps.

Cheers,

TCP
0
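The two things the thread turns on are the direction of the trust (TheCapedPlodder's first comment: the DMZ domain trusting the internal domain is the safer way round) and keeping the ports between the DMZ and the internal DCs to the documented minimum (the accepted solution). The following PowerShell is an added example, not code from the thread or from any of the participants. It assumes the ActiveDirectory module (Windows Server 2008 R2 or later, or RSAT) and Test-NetConnection (PowerShell 4 or later), that it is run from a host in the DMZ domain, and it uses placeholder domain and host names. The port list is the standard Microsoft-documented set for an external trust; the thread only refers to "the ports needed" without listing them.

```powershell
# Added example (not from the thread). Run from a DMZ-domain DC or a DMZ
# management host with RSAT. Domain and host names below are placeholders.
Import-Module ActiveDirectory

$DmzDomain      = 'dmz.example.local'       # placeholder: SharePoint/ISA domain
$InternalDomain = 'corp.example.local'      # placeholder: internal domain
$InternalDC     = 'dc1.corp.example.local'  # placeholder: internal DC (PDC emulator)

# 1. Confirm the trust points the right way. Queried from the DMZ domain, a
#    trust the DMZ domain holds towards the internal domain shows as Outbound:
#    internal users and groups can be granted rights in the DMZ, but no DMZ
#    account can be granted rights on internal resources.
$trust = Get-ADTrust -Filter "Target -eq '$InternalDomain'" -Server $DmzDomain
if (-not $trust) { throw "No trust from $DmzDomain to $InternalDomain found." }

[pscustomobject]@{
    Source     = $trust.Source
    Target     = $trust.Target
    Direction  = $trust.Direction               # expect 'Outbound' for this design
    Transitive = $trust.ForestTransitive        # expect $false for a plain external trust
    SIDFilter  = $trust.SIDFilteringQuarantined # $true by default on external trusts
} | Format-List

if ($trust.Direction -eq 'BiDirectional') {
    Write-Warning 'Two-way trust: DMZ accounts could be granted access internally. This is the less secure case from the thread.'
} elseif ($trust.Direction -ne 'Outbound') {
    Write-Warning "Trust direction is $($trust.Direction); the design calls for Outbound from the DMZ domain."
}
if (-not $trust.SIDFilteringQuarantined) {
    Write-Warning 'SID filtering is off on this trust; SIDs from the DMZ domain would be accepted as-is.'
}

# 2. Check that the ports the trust needs are reachable from the DMZ DC to the
#    internal DC. Assumed list, from Microsoft's published trust requirements:
#    DNS 53, Kerberos 88, RPC endpoint mapper 135, LDAP 389, SMB 445,
#    Kerberos password change 464, LDAPS 636, Global Catalog 3268.
$TrustPorts = 53, 88, 135, 389, 445, 464, 636, 3268
foreach ($p in $TrustPorts) {
    $r = Test-NetConnection -ComputerName $InternalDC -Port $p -WarningAction SilentlyContinue
    '{0,5}  {1}' -f $p, $(if ($r.TcpTestSucceeded) { 'open' } else { 'BLOCKED' })
}

# 3. Spot-check a port the trust does not need (constructed example: RDP).
#    Anything beyond the trust ports that answers from the DMZ is a firewall
#    rule to review, per the "required ports and hosts" advice in the answer.
$r = Test-NetConnection -ComputerName $InternalDC -Port 3389 -WarningAction SilentlyContinue
if ($r.TcpTestSucceeded) {
    Write-Warning "TCP 3389 to $InternalDC is reachable from the DMZ but is not required for the trust."
}
```

Step 2 only covers the fixed ports; the trust also needs the RPC dynamic range (TCP 49152-65535 on Windows Server 2008 and later, 1025-5000 on earlier versions) between the DCs, so the firewall rule between the DMZ DC and the internal DC has to allow that range as well, restricted to those two hosts rather than the whole DMZ subnet.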
