Solved

Will two Windows domains provide better security from Internet threats?

Posted on 2009-07-16
Last Modified: 2013-11-16
We have an increasing number of Windows servers that can be accessed from the Internet through web front ends (for example, Student Information System, library lookup), but also on the internal network via traditional LAN methods such as file sharing and "fat" client front ends between each other and/or from user workstations. This makes them difficult to put in a DMZ or to firewall internally. External access is typically limited to ports 80 and 443, though a few have remote desktop access for vendor support (using local accounts on that server, not domain accounts). I don't know a lot about how secure these different applications are, therefore I worry about what might happen if one of these systems was compromised. If a compromised server is part of our domain with all of our other resources and users, how great is the risk to other resources on the network (shared files, active directory, etc.)? I thought about putting the servers that are accessed externally into a separate domain, so that if that domain was compromised, it wouldn't affect the domain with the users and other resources. Is this worthwhile? Is there something else I should do? This blending of the local network and Internet is making me feel insecure and unsecure.
Question by:madbob00

Accepted Solution

by:
tigermatt earned 500 total points
ID: 24873812

It's a fact of life that if you deploy servers, they will need to be connected somehow to the Internet - or some other public network which is largely beyond your control. How many companies/schools today would operate without external email access, for example?

The risk of a machine potentially becoming compromised is largely beyond your control and down to the development integrity of the application you are exposing to the Internet. If the application was developed well and has an active development cycle which looks for new bugs/holes and patches them, you're going to be under less threat. If you deploy an application developed 5 years ago which hasn't been updated since for the new types of threats, you may be at more risk.

Even the best software can have bugs, so unless you pull the Internet cord you can never be 100% secure. However, assuming a worst case scenario, you then need to look at how that attack could spread. You state these applications are using local accounts - is that the service the application is running under or the logon credentials for remote users? If the application services run with local credentials, that's great. It mitigates the ability for the malicious user to access other systems on the domain, since the local account is not trusted by other machines.

If the user were to gain access to the domain, they could cause damage. However, this would require a further attack against the Domain Controllers... and all this would have to be launched through a vendor-specific port and application interface - protocols which are unlikely to allow this kind of code to be launched and executed.

Splitting the domain into two would be impractical. It is difficult to maintain. You would need a trust between domains to access resources between the two - which instantly opens a communications path between the two domains (unless you use a one-way trust, but that is more complicated and requires greater planning). Furthermore, separating resources into separate domains and assuming those two domains are then secure and isolated is actually a common misconception; the security boundary for an Active Directory domain is the boundary of the FOREST (not the domain). There are some great blog posts about this around, including: http://msmvps.com/blogs/ulfbsimonweidner/archive/2007/08/25/security-boundary-forest-vs-domain.aspx. Essentially, it is possible for an attack to be launched by a user or service in one domain which exploits the other domain, elevating privileges and allowing control over the other domain.

I already mentioned a large-scale attack would be VERY difficult to pull off if you only expose limited ports to the public Internet. The Windows RPC ports are the last ports you should expose - someone COULD cause damage if they were open. However, using simply 80 and 443 - or vendor-specific ports - is highly unlikely to allow for a major attack. Furthermore, if it were, just ask why would someone do so? It is a common fact there are millions of unpatched, unprotected, unfirewalled Windows machines in homes around the world; surely it would not be much easier for an attacker to exploit these machines than it would to gain access to your firewalled, high security network?

My bottom line is it would be impractical for you to split into two separate environments. They would have to be practically isolated from each other to offer any security boundary - which then makes using these resources impossible. Provided you only expose the proper ports to the Internet, use complex passwords, only grant user accounts the required privileges and - most importantly - educate users on computer security and how to recognise a threat before it occurs, you have a good defense in place already.

-Matt
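
One way to check the answer's point about service credentials on each Internet-facing server, as an added example that is not part of the original answer: the script below classifies the logon identity of every Windows service and lists domain principals in the local Administrators group. The function name and the category labels are this example's own; it assumes Windows PowerShell 5.1 or later and is run locally on the server being reviewed.

```powershell
# Added example (not from the original thread): audit which identities an
# Internet-facing server holds that other domain machines would trust.
function Get-ServiceIdentityClass {
    param(
        [string]$StartName,
        [string]$ComputerName = $env:COMPUTERNAME
    )
    if ([string]::IsNullOrEmpty($StartName)) { return 'None' }

    switch -Regex ($StartName) {
        # On a domain-joined server these reach the network as the computer account.
        '^(LocalSystem|NT AUTHORITY\\(SYSTEM|NetworkService))$' { return 'MachineAccount' }
        '^NT SERVICE\\'                { return 'MachineAccount' }   # virtual service accounts
        # LocalService presents anonymous credentials on the network.
        '^NT AUTHORITY\\LocalService$' { return 'LocalOnly' }
        '^\.\\'                        { return 'LocalAccount' }     # .\user
        '@'                            { return 'DomainAccount' }    # user@domain (UPN form)
    }

    # COMPUTERNAME\user is a local account; any other PREFIX\user is a domain account.
    if ($StartName.StartsWith("${ComputerName}\", [StringComparison]::OrdinalIgnoreCase)) {
        return 'LocalAccount'
    }
    if ($StartName.Contains('\')) { return 'DomainAccount' }
    return 'Unknown'
}

# Classify every installed service by the account it logs on as.
$report = Get-CimInstance -ClassName Win32_Service |
    Select-Object Name, State, StartName,
        @{ Name = 'Identity'; Expression = { Get-ServiceIdentityClass $_.StartName } }

# Summary per category.
$report | Group-Object Identity | Select-Object Name, Count | Format-Table -AutoSize

# Services holding domain credentials: review whether each one needs them.
$report | Where-Object Identity -eq 'DomainAccount' |
    Format-Table Name, State, StartName -AutoSize

# Domain users or groups in the local Administrators group (well-known SID S-1-5-32-544).
Get-LocalGroupMember -SID 'S-1-5-32-544' |
    Where-Object PrincipalSource -eq 'ActiveDirectory' |
    Select-Object Name, ObjectClass
```

Services in the `MachineAccount` category are worth reviewing alongside the `DomainAccount` ones, because on a domain-joined server they authenticate to other machines as the computer account rather than as a purely local identity.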