?
Solved

DC in DMZ

Posted on 2009-04-21
6
Medium Priority
?
554 Views
Last Modified: 2013-12-23
I am setting up a new TS in a DMZ. This server will run all required TS services.
I am also considering using a web based password reset utility, so the DC will need to be writable. The DC will only be used for authenticating the TS machine; in fact, the TS and DC will be the only machines on the domain. The secure network will contain other servers and sensitive data. Placing the DC into this DMZ makes the most sense to me, but using RADIUS / LDAP to traverse the firewall might also be an option.

Should I place the DC into the DMZ, or place it in the secure zone? Is there a MS best practice document describing this setup? I haven't found one.
0
Comment
Question by:timbrigham
6 Comments
 
LVL 12

Expert Comment

by:nsx106052
ID: 24195595
Generally for security reasons you do not want a DC in a DMZ.  I would recommend against it. If I find a good article I will post it.  
0
 
LVL 12

Expert Comment

by:nsx106052
ID: 24195627
0
 
LVL 12

Accepted Solution

by:
nsx106052 earned 600 total points
ID: 24195652
0
Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 14

Assisted Solution

by:amichaell
amichaell earned 450 total points
ID: 24195663
With 2008 Terminal Server you can utilize the Terminal Server Gateway role.  The Gateway is placed in the DMZ and is used to facilitate authentication to AD located in a secure network.  I've not used it myself (we utilize Citrix), though the article below seems to give a pretty good overview.

http://www.windowsecurity.com/articles/Configuring-Windows-Server-2008-Terminal-Services-Gateway-Part1.html

If you aren't using 2008 then I'd recommend looking at another product to handle this, such as Citrix using Access Gateways or Secure Gateway.  
0
 
LVL 1

Author Comment

by:timbrigham
ID: 24196176
Thanks for your input.

The second article appears to be the closest to my situation. It reaffirms what I've already seen; "If you do need a domain controller inside the DMZ to facilitate specific services, I'd recommend creating a separate Active Directory forest within the DMZ." This is exactly what I am suggesting. In our case, we do not have a preexisting AD environment in the secure network.

My concern is the TS machine is low priority, used only for data entry to a local application. The secure network contains very sensitive information. If the DC is compromised while residing in the DMZ, the worst thing that will happen is disruption to the data entry procedure or gaining access to other people's data entry screens. If the DC is compromised on the secure network, sensitive data could be stolen. I would prefer a slightly higher risk of compromise if it guarantees the security of my high priority data.

Ideally I would like to have three zones for the hardware firewall - one for TS, one for the secure network and one for the DC. Hardware constraints make this an impossibility. I think the next best thing is to place the DC into this DMZ.

This document is one that I started with, which has been of much help.
http://social.technet.microsoft.com/Forums/en-US/winserversecurity/thread/c0962465-936a-4685-bee9-961ef7ffe3cc/
0
 
LVL 37

Assisted Solution

by:bbao
bbao earned 450 total points
ID: 24198245
have you ever considered using ADAM (AD Application Mode) with your TS in DMZ? in this approach, only the ADAM server needs to sit in the DMZ and sync only specific directory objects, which are required for TS, from the internal AD.

FYI

Windows Server 2003 Active Directory Application Mode
http://www.microsoft.com/windowsserver2003/adam/default.mspx

Introduction to Active Directory® to ADAM Synchronizer
http://download.microsoft.com/download/4/f/d/4fd33dff-34fb-4010-a2dd-4b730710f383/ADAM_Synchronizer.doc

hope it helps,
bbao
0

Featured Post

Free Tool: IP Lookup

Get more info about an IP address or domain name, such as organization, abuse contacts and geolocation.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article is in regards to the Cisco QSFP-4SFP10G-CU1M cables, which are designed to uplink/downlink 40GB ports to 10GB SFP ports. I recently experienced this and found very little configuration documentation on how these are supposed to be confi…
LinkedIn blogging is great for networking, building up an audience, and expanding your influence as well. However, if you want to achieve these results, you need to work really hard to make your post worth liking and sharing. Here are 4 tips that ca…
This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're looking for how to monitor bandwidth using netflow or packet s…
If you're a developer or IT admin, you’re probably tasked with managing multiple websites, servers, applications, and levels of security on a daily basis. While this can be extremely time consuming, it can also be frustrating when systems aren't wor…

807 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question