Will two Windows domains provide better security from Internet threats?

We have an increasing number of Windows servers that can be accessed from the Internet through web front ends (for example, Student Information System, library lookup), but also on the internal network via traditional LAN methods such as file sharing and "fat" client front ends between each other and/or from user workstations. This makes them difficult to put in a DMZ or to firewall internally. External access is typically limited to ports 80 and 443, though a few have remote desktop access for vendor support (using local accounts on that server, not domain accounts). I don't know a lot about how secure these different applications are, therefore I worry about what might happen if one of these systems was compromised. If a compromised server is part of our domain with all of our other resources and users, how great is the risk to other resources on the network (shared files, Active Directory, etc.)? I thought about putting the servers that are accessed externally into a separate domain, so that if that domain was compromised, it wouldn't affect the domain with the users and other resources. Is this worthwhile? Is there something else I should do? This blending of the local network and Internet is making me feel insecure and unsecure.

It's a fact of life that if you deploy servers, they will need to be connected somehow to the Internet - or some other public network which is largely beyond your control. How many companies/schools today would operate without external email access, for example?

The risk of a machine potentially becoming compromised is largely beyond your control and down to the development integrity of the application you are exposing to the Internet. If the application was developed well and has an active development cycle which looks for new bugs/holes and patches them, you're going to be under less threat. If you deploy an application developed 5 years ago which hasn't been updated since for the new types of threats, you may be at more risk.

Even the best software can have bugs, so unless you pull the Internet cord you can never be 100% secure. However, assuming a worst case scenario, you then need to look at how that attack could spread. You state these applications are using local accounts - is that the service the application is running under or the logon credentials for remote users? If the application services run with local credentials, that's great. It mitigates the ability for the malicious user to access other systems on the domain, since the local account is not trusted by other machines.

If the user were to gain access to the domain, they could cause damage. However, this would require a further attack against the Domain Controllers... and all this would have to be launched through a vendor-specific port and application interface - protocols which are unlikely to allow this kind of code to be launched and executed.

Splitting the domain into two would be impractical. It is difficult to maintain. You would need a trust between domains to access resources between the two - which instantly opens a communications path between the two domains (unless you use a one-way trust, but that is more complicated and requires greater planning). Furthermore, separating resources into separate domains and assuming those two domains are then secure and isolated is actually a common misconception; the security boundary for an Active Directory domain is the boundary of the FOREST (not the domain). There's some great blog posts about this around, including: http://msmvps.com/blogs/ulfbsimonweidner/archive/2007/08/25/security-boundary-forest-vs-domain.aspx. Essentially, it is possible for an attack to be launched by a user or service in one domain which exploits the other domain, elevating privileges and allowing control over the other domain.

I already mentioned a large-scale attack would be VERY difficult to pull off if you only expose limited ports to the public Internet. The Windows RPC ports are the last ports you should expose - someone COULD cause damage if they were open. However, using simply 80 and 443 - or vendor-specific ports - is highly unlikely to allow for a major attack. Furthermore, if it were, just ask why would someone do so? It is a common fact there are millions of unpatched, unprotected, unfirewalled Windows machines in homes around the world; surely it would not be much easier for an attacker to exploit these machines than it would to gain access to your firewalled, high security network?

My bottom line is it would be impractical for you to split into two separate environments. They would have to be practically isolated from each other to offer any security boundary - which then makes using these resources impossible. Provided you only expose the proper ports to the Internet, use complex passwords, only grant user accounts the required privileges and - most importantly - educate users on computer security and how to recognise a threat before it occurs, you have a good defense in place already.
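As an added example that is not part of the original answer, the PowerShell below performs the check the answer asks about: which services on an Internet-facing server run under a domain account rather than a built-in or machine-local one. It assumes it is run locally on the exposed server with administrative rights; the function name is my own.

```powershell
# Added example (not from the original answer). Lists services whose logon
# account is a domain account. Services running as LocalSystem, the built-in
# NT AUTHORITY accounts, virtual NT SERVICE accounts or ".\user" / "MACHINE\user"
# are machine-local and are not trusted by other domain members.
function Get-DomainAccountServices {
    $computer = $env:COMPUTERNAME
    $builtIn = @(
        'LocalSystem',
        'NT AUTHORITY\LocalService',
        'NT AUTHORITY\NetworkService',
        'NT AUTHORITY\LOCAL SERVICE',
        'NT AUTHORITY\NETWORK SERVICE'
    )

    Get-CimInstance -ClassName Win32_Service |
        Where-Object {
            $acct = $_.StartName
            # StartName is null for some kernel/driver style entries; skip those.
            $acct -and
            ($builtIn -notcontains $acct) -and
            ($acct -notlike 'NT SERVICE\*') -and   # virtual service accounts
            ($acct -notlike '.\*') -and            # ".\name" is a local account
            ($acct -notlike "$computer\*")         # "MACHINE\name" is also local
        } |
        Select-Object Name, DisplayName, StartName, State, StartMode |
        Sort-Object StartName, Name
}

# Anything listed here is a domain identity that a compromised service process
# could present to other hosts; expected output on a well-isolated server is empty.
Get-DomainAccountServices | Format-Table -AutoSize
```

Group managed service accounts (names ending in `$`) will also appear in the list; they are still domain identities, but their passwords rotate automatically, which limits what a captured credential is worth.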

