timbrigham
asked on
DC in DMZ

I am setting up a new TS in a DMZ. This server will run all required TS services.
I am also considering using a web based password reset utility, so the DC will need to be writable. The DC will only be used for authenticating the TS machine; in fact, the TS and DC will be the only machines on the domain. The secure network will contain other servers and sensitive data. Placing the DC into this DMZ makes the most sense to me, but using RADIUS / LDAP to traverse the firewall might also be an option.

Should I place the DC into the DMZ, or place it in the secure zone? Is there a MS best practice document describing this setup? I haven't found one.
nsx106052

Generally for security reasons you do not want a DC in a DMZ. I would recommend against it. If I find a good article I will post it.
ASKER CERTIFIED SOLUTION
nsx106052

SOLUTION
timbrigham
ASKER
Thanks for your input.

The second article appears to be the closest to my situation. It reaffirms what I've already seen: "If you do need a domain controller inside the DMZ to facilitate specific services, I'd recommend creating a separate Active Directory forest within the DMZ." This is exactly what I am suggesting. In our case, we do not have a preexisting AD environment in the secure network.

My concern is that the TS machine is low priority, used only for data entry to a local application. The secure network contains very sensitive information. If the DC is compromised while residing in the DMZ, the worst thing that will happen is disruption to the data entry procedure or gaining access to other people's data entry screens. If the DC is compromised on the secure network, sensitive data could be stolen. I would prefer a slightly higher risk of compromise if it guarantees the security of my high priority data.

Ideally I would like to have three zones for the hardware firewall - one for TS, one for the secure network and one for the DC. Hardware constraints make this an impossibility. I think the next best thing is to place the DC into this DMZ.

This document is one that I started with, which has been of much help.
http://social.technet.microsoft.com/Forums/en-US/winserversecurity/thread/c0962465-936a-4685-bee9-961ef7ffe3cc/
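The trade-off the asker lays out above (DC beside the TS in the DMZ versus DC in the secure zone with authentication crossing the firewall) comes down to one firewall property: can anything in the DMZ open a connection into the secure zone? The script below is an added example, not the poster's configuration or anything from the linked articles. Its zones, rule sets and rule order are constructed to model the two designs; the domain controller port list is the well-known set of AD listening ports, and the rule semantics (first match wins, implicit deny, stateful return traffic) are an assumption about how a typical zone firewall behaves.

```python
"""Zone-policy containment check for the "TS and DC both in the DMZ" design.

Added example, not the poster's configuration. The zones, rules and port
list below are constructed to mirror the design discussed in the thread:
a DMZ holding the terminal server (TS) and its single-forest domain
controller (DC), a secure network that must stay unreachable from the
DMZ, and the Internet. Rules are evaluated first match wins with an
implicit deny, the way most zone firewalls behave.
"""
from dataclasses import dataclass
from typing import Union

Port = Union[int, str]  # a TCP/UDP port number, or "any"


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str      # "tcp", "udp" or "any"
    dport: Port
    action: str     # "allow" or "deny"
    comment: str = ""


# Design A (what the asker proposes): DC lives next to the TS in the DMZ.
# Hypothetical rule set; only the DMZ->secure deny is essential to the argument.
POLICY_DC_IN_DMZ = [
    Rule("internet", "dmz", "tcp", 3389, "allow", "RDP from users to the TS"),
    Rule("dmz", "dmz", "any", "any", "allow", "TS <-> DC authentication stays inside the DMZ"),
    Rule("secure", "dmz", "tcp", 3389, "allow", "admins manage DMZ hosts from the secure side"),
    Rule("dmz", "secure", "any", "any", "deny", "a compromised TS or DC reaches nothing sensitive"),
]

# Design B (the alternative the question mentions): DC stays in the secure
# zone and the TS authenticates across the firewall, so holes must be opened.
POLICY_DC_IN_SECURE = [
    Rule("internet", "dmz", "tcp", 3389, "allow", "RDP from users to the TS"),
    Rule("dmz", "secure", "tcp", 88, "allow", "Kerberos from TS to DC"),
    Rule("dmz", "secure", "tcp", 389, "allow", "LDAP from TS to DC"),
    Rule("dmz", "secure", "tcp", 445, "allow", "SMB for group policy / SYSVOL"),
    Rule("dmz", "secure", "any", "any", "deny", "everything else"),
]

# Well-known listening ports of a domain controller, used as probes
# (the dynamic RPC port range is deliberately left out of this toy).
AD_PORTS = {
    ("tcp", 53), ("udp", 53), ("tcp", 88), ("udp", 88), ("tcp", 135),
    ("tcp", 389), ("udp", 389), ("tcp", 445), ("tcp", 464), ("udp", 464),
    ("tcp", 636), ("tcp", 3268), ("tcp", 3269),
}
# Other services worth probing for leaks from the DMZ into the secure zone.
EXTRA_PROBES = {("tcp", 22), ("tcp", 80), ("tcp", 443), ("tcp", 3389)}


def _matches(rule: Rule, src: str, dst: str, proto: str, dport: int) -> bool:
    return (rule.src_zone in (src, "any") and rule.dst_zone in (dst, "any")
            and rule.proto in (proto, "any") and rule.dport in (dport, "any"))


def evaluate(policy, src: str, dst: str, proto: str, dport: int) -> str:
    """Verdict for a new connection src->dst: first matching rule wins,
    implicit deny if nothing matches. Return traffic of an allowed
    connection is assumed to be handled by the firewall's state table."""
    for rule in policy:
        if _matches(rule, src, dst, proto, dport):
            return rule.action
    return "deny"


def allowed_flows(policy, src: str, dst: str, probes):
    """Subset of (proto, port) probes that src may open towards dst."""
    return {(p, d) for p, d in probes if evaluate(policy, src, dst, p, d) == "allow"}


def dmz_to_secure_leaks(policy):
    """The property behind the asker's risk argument: a compromised DMZ host
    (TS or DC) can initiate nothing into the secure zone. Empty set == contained."""
    return allowed_flows(policy, "dmz", "secure", AD_PORTS | EXTRA_PROBES)


if __name__ == "__main__":
    for name, policy in (("DC in DMZ", POLICY_DC_IN_DMZ),
                         ("DC in secure zone", POLICY_DC_IN_SECURE)):
        leaks = sorted(dmz_to_secure_leaks(policy))
        print(f"{name}: DMZ->secure holes = {leaks or 'none'}")
```

Run it and design A reports no DMZ-to-secure holes, while design B reports the Kerberos, LDAP and SMB holes that keeping the DC in the secure zone forces open; in practice a real DC also needs the RPC endpoint mapper plus its dynamic port range, which widens design B further. The same check is worth re-running against the actual firewall export whenever a rule is added, since the containment property is only as good as the current rule order.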
SOLUTION
bbao