Will two Windows domains provide better security from Internet threats?

Posted on 2009-07-16
Last Modified: 2013-11-16
We have an increasing number of Windows servers that can be accessed from the Internet through web front ends (for example, Student Information System, library lookup), but also on the internal network via traditional LAN methods such as file sharing and "fat" client front ends between each other and/or from user workstations.  This makes them difficult to put in a DMZ or to firewall internally.  External access is typically limited to ports 80 and 443, though a few have remote desktop access for vendor support (using local accounts on that server, not domain accounts).  I don't know a lot about how secure these different applications are, therefore I worry about what might happen if one of these systems was compromised.  If a compromised server is part of our domain with all of our other resources and users, how great is the risk to other resources on the network (shared files, active directory, etc.)?  I thought about putting the servers that are accessed externally into a separate domain, so that if that domain was compromised, it wouldn't affect the domain with the users and other resources.  Is this worthwhile?  Is there something else I should do?  This blending of the local network and Internet is making me feel insecure an unsecure.  
Question by:madbob00
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
1 Comment
LVL 58

Accepted Solution

tigermatt earned 500 total points
ID: 24873812

It's a fact of life that if you deploy servers, they will need to be connected somehow to the Internet - or some other public network which is largely beyond your control. How many companies/schools today would operate without external email access, for example?

The risk of a machine potentially becoming compromised is largely beyond your control and down to the development integrity of the application you are exposing to the Internet. If the applications was developed well and has an active development cycle which looks for new bugs/holes and patches them, you're going to be under less threat. If you deploy an application developed 5 years ago which hasn't been updated since for the new types of threats, you may be at more risk.

Even the best software can have bugs, so unless you pull the Internet cord you can never be 100% secure. However, assuming a worst case scenario, you then need to look at how that attack could spread. You state these applications are using local accounts - is that the service the application is running under or the logon credentials for remote users? If the application services run with local credentials, that's great. It mitigates the ability for the malicious user to access other systems on the domain, since the local account is not trusted by other machines.

If the user were to gain access to the domain, they could cause damage. However, this would require a further attack against the Domain Controllers... and all this would have to be launched through a vendor-specific port and application interface - protocols which are unlikely to allow this kind of code to be launched and executed.

Splitting the domain into two would be impractical. It is difficult to maintain. You would need a trust between domains to access resources between the two - which instantly opens a communications path between the two domains (unless you use a one-way trust, but that is more complicated and requires greater planning). Furthermore, separating resources into separate domains and assuming those two domains are then secure and isolated is actually a common misconception; the security boundary for an Active Directory domain is the boundary of the FOREST (not the domain). There's some great blog posts about this around, including: Essentially, it is possible for an attack to be launched by a user or service in one domain which exploits the other domain, elevating privileges and allowing control over the other domain.

I already mentioned a large-scale attack would be VERY difficult to pull off if you only expose limited ports to the public Internet. The Windows RPC ports are the last ports you should expose - someone COULD cause damage if they were open. However, using simply 80 and 443 - or vendor-specific ports - is highly unlikely to allow for a major attack. Furthermore, if it were, just ask why would someone do so? It is a common fact there are millions of unpatched, unprotected, unfirewalled Windows machines in homes around the world; surely it would not be much easier for an attacker to exploit these machines than it would to gain access to your firewalled, high security network?

My bottom line is it would be impractical for you to split into two separate environments. They would have to be practically isolated from each other to offer any security boundary - which then makes using these resources impossible. Provided you only expose the proper ports to the Internet, use complex passwords, only grant user accounts the required privileges and - most importantly - educate users on computer security and how to recognise a threat before it occurs, you have a good defense in place already.


Featured Post

Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Here's a look at newsworthy articles and community happenings during the last month.
The conference as a whole was very interesting, although if one has to make a choice between this one and some others, you may want to check out the others.  This conference is aimed mainly at government agencies.  So it addresses the various compli…
Sending a Secure fax is easy with eFax Corporate ( First, just open a new email message. In the To field, type your recipient's fax number You can even send a secure international fax — just include t…
This video Micro Tutorial shows how to password-protect PDF files with free software. Many software products can do this, such as Adobe Acrobat (but not Adobe Reader), Nuance PaperPort, and Nuance Power PDF, but they are not free products. This vide…

617 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question