Will two Windows domains provide better security from Internet threats?

Posted on 2009-07-16
Medium Priority
Last Modified: 2013-11-16
We have an increasing number of Windows servers that can be accessed from the Internet through web front ends (for example, Student Information System, library lookup), but also on the internal network via traditional LAN methods such as file sharing and "fat" client front ends between each other and/or from user workstations. This makes them difficult to put in a DMZ or to firewall internally. External access is typically limited to ports 80 and 443, though a few have remote desktop access for vendor support (using local accounts on that server, not domain accounts). I don't know a lot about how secure these different applications are, therefore I worry about what might happen if one of these systems was compromised. If a compromised server is part of our domain with all of our other resources and users, how great is the risk to other resources on the network (shared files, Active Directory, etc.)? I thought about putting the servers that are accessed externally into a separate domain, so that if that domain was compromised, it wouldn't affect the domain with the users and other resources. Is this worthwhile? Is there something else I should do? This blending of the local network and Internet is making me feel insecure and unsecure.
Question by: madbob00
1 Comment
LVL 58

Accepted Solution

tigermatt earned 2000 total points
ID: 24873812

It's a fact of life that if you deploy servers, they will need to be connected somehow to the Internet - or some other public network which is largely beyond your control. How many companies/schools today would operate without external email access, for example?

The risk of a machine potentially becoming compromised is largely beyond your control and down to the development integrity of the application you are exposing to the Internet. If the application was developed well and has an active development cycle which looks for new bugs/holes and patches them, you're going to be under less threat. If you deploy an application developed 5 years ago which hasn't been updated since for the new types of threats, you may be at more risk.

Even the best software can have bugs, so unless you pull the Internet cord you can never be 100% secure. However, assuming a worst case scenario, you then need to look at how that attack could spread. You state these applications are using local accounts - is that the service the application is running under or the logon credentials for remote users? If the application services run with local credentials, that's great. It mitigates the ability for the malicious user to access other systems on the domain, since the local account is not trusted by other machines.

If the user were to gain access to the domain, they could cause damage. However, this would require a further attack against the Domain Controllers... and all this would have to be launched through a vendor-specific port and application interface - protocols which are unlikely to allow this kind of code to be launched and executed.

Splitting the domain into two would be impractical. It is difficult to maintain. You would need a trust between domains to access resources between the two - which instantly opens a communications path between the two domains (unless you use a one-way trust, but that is more complicated and requires greater planning). Furthermore, separating resources into separate domains and assuming those two domains are then secure and isolated is actually a common misconception; the security boundary for an Active Directory domain is the boundary of the FOREST (not the domain). There are some great blog posts about this around, including: Essentially, it is possible for an attack to be launched by a user or service in one domain which exploits the other domain, elevating privileges and allowing control over the other domain.

I already mentioned a large-scale attack would be VERY difficult to pull off if you only expose limited ports to the public Internet. The Windows RPC ports are the last ports you should expose - someone COULD cause damage if they were open. However, using simply 80 and 443 - or vendor-specific ports - is highly unlikely to allow for a major attack. Furthermore, if it were, just ask why someone would do so. It is a common fact that there are millions of unpatched, unprotected, unfirewalled Windows machines in homes around the world; surely it would not be much easier for an attacker to exploit these machines than it would to gain access to your firewalled, high security network?

My bottom line is it would be impractical for you to split into two separate environments. They would have to be practically isolated from each other to offer any security boundary - which then makes using these resources impossible. Provided you only expose the proper ports to the Internet, use complex passwords, only grant user accounts the required privileges and - most importantly - educate users on computer security and how to recognise a threat before it occurs, you have a good defense in place already.
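The accepted answer turns on two checks a defender can actually run on each Internet-facing server: whether its services run under local or domain accounts (a compromised domain service account is trusted by every other domain member, a local one is not), and whether anything beyond the intended 80/443 is listening, in particular the Windows RPC, SMB, RDP and WinRM ports that must never be reachable from outside. The PowerShell below is an added example written for this page, not code from the question or the answer. The 80/443 allow-list comes from the question; the RPC/LAN port list and the "local account" patterns are my assumptions, and Get-NetTCPConnection requires Windows Server 2012 / Windows 8 or later (use netstat -ano on older systems). Run it elevated on the server itself.

```powershell
<#
 Added example (not part of the original question or answer).
 Audits a domain-joined, Internet-facing Windows server for:
   1. Services running under DOMAIN accounts rather than local/built-in identities.
   2. Listening TCP ports compared with the ports intended to be public (80/443).
 Assumptions: the allow-list and the RPC/LAN port list below are mine.
#>

$AllowedPorts = @(80, 443)                                   # assumption: what the edge firewall passes
$RpcLanPorts  = @(135, 137, 138, 139, 445, 3389, 5985, 5986) # RPC endpoint mapper, NetBIOS, SMB, RDP, WinRM

# Built-in and machine-local identities. Caveat: LocalSystem and NetworkService still
# authenticate to other hosts as the COMPUTER account, so "Local" here means "no reusable
# domain user credential on this box", not "cannot talk to the network at all".
$LocalAccountPatterns = @(
    '^LocalSystem$',
    '^NT AUTHORITY\\',          # SYSTEM, LocalService, NetworkService
    '^NT SERVICE\\',            # virtual service accounts
    "^$env:COMPUTERNAME\\",     # MACHINE\account
    '^\.\\'                     # .\account shorthand
)

function Test-LocalServiceAccount {
    param([string]$AccountName)
    foreach ($pattern in $LocalAccountPatterns) {
        if ($AccountName -match $pattern) { return $true }
    }
    return $false
}

# One row per service: which identity it runs as and whether that identity is domain-wide.
function Get-ServiceAccountReport {
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.StartName } |
        ForEach-Object {
            $scope = if (Test-LocalServiceAccount $_.StartName) { 'Local' } else { 'Domain' }
            [pscustomobject]@{
                Service   = $_.Name
                Account   = $_.StartName
                Scope     = $scope
                State     = $_.State
                StartMode = $_.StartMode
            }
        }
}

# One row per listening TCP port (loopback excluded), with a verdict against the allow-list.
function Get-ListeningPortReport {
    Get-NetTCPConnection -State Listen |
        Where-Object { $_.LocalAddress -notin @('127.0.0.1', '::1') } |
        Sort-Object LocalPort -Unique |
        ForEach-Object {
            $port  = $_.LocalPort
            $owner = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            if ($AllowedPorts -contains $port) {
                $verdict = 'Allowed (intended to be public)'
            } elseif ($RpcLanPorts -contains $port) {
                $verdict = 'RPC/LAN: must be blocked at the perimeter'
            } elseif ($port -ge 49152) {
                $verdict = 'Dynamic RPC range: must be blocked at the perimeter'
            } else {
                $verdict = 'Review: not in the allow-list'
            }
            [pscustomobject]@{
                Port    = $port
                Address = $_.LocalAddress
                Process = $owner.ProcessName
                Verdict = $verdict
            }
        }
}

$services = Get-ServiceAccountReport
$ports    = Get-ListeningPortReport

"=== Services running under domain accounts (review each one) ==="
$services | Where-Object Scope -eq 'Domain' | Format-Table Service, Account, State, StartMode -AutoSize

"=== Listening TCP ports vs. intended exposure ==="
$ports | Sort-Object Port | Format-Table Port, Address, Process, Verdict -AutoSize
```

Anything in the first table is a candidate for conversion to a local, LocalService or (group) managed service account; anything in the second table marked RPC/LAN or dynamic-range is what the answer means by "the last ports you should expose", and should be confirmed blocked at the edge firewall rather than trusted to stay unreachable.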

