Will two Windows domains provide better security from Internet threats?
Posted on 2009-07-16
We have an increasing number of Windows servers that can be accessed from the Internet through web front ends (for example, Student Information System, library lookup), but also on the internal network via traditional LAN methods such as file sharing and "fat" client front ends between each other and/or from user workstations. This makes them difficult to put in a DMZ or to firewall internally. External access is typically limited to ports 80 and 443, though a few have remote desktop access for vendor support (using local accounts on that server, not domain accounts). I don't know a lot about how secure these different applications are, therefore I worry about what might happen if one of these systems was compromised. If a compromised server is part of our domain with all of our other resources and users, how great is the risk to other resources on the network (shared files, Active Directory, etc.)? I thought about putting the servers that are accessed externally into a separate domain, so that if that domain was compromised, it wouldn't affect the domain with the users and other resources. Is this worthwhile? Is there something else I should do? This blending of the local network and Internet is making me feel insecure and unsecure.
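The question above turns on two facts about each Internet-facing server that are easy to state and easy to drift: whether the box is domain-joined at all, and whether the accounts that can administer it or reach it over Remote Desktop are local or domain accounts. The script below is an added example, not code from the original post, that a defender would run on one such server to record those facts plus its listening TCP ports. It assumes Windows PowerShell 2.0 or later with local administrator rights, the classic `netstat` text layout, and the `WinNT://` ADSI provider; the expected-port list (80, 443, 3389) is taken from the post and is an assumption for any other environment.

```powershell
# Added example (not from the original post): inventory checks for an
# Internet-facing Windows server, run locally with admin rights.
# Assumptions: Windows PowerShell 2.0+, classic netstat output, WinNT ADSI provider.

# 1. Is this server a member of the production domain?
$cs = Get-WmiObject -Class Win32_ComputerSystem
$membership = New-Object PSObject -Property @{
    ComputerName = $cs.Name
    PartOfDomain = $cs.PartOfDomain
    Domain       = $cs.Domain
}
$membership | Format-List

# 2. Who sits in the local groups that matter most if this box is compromised?
#    A domain account in local Administrators turns a foothold here into a
#    domain-credential problem; the post expects vendor RDP to use local accounts.
function Get-LocalGroupMembership([string]$GroupName) {
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/$GroupName,group"
    $group.psbase.Invoke("Members") | ForEach-Object {
        $path = $_.GetType().InvokeMember("ADsPath", "GetProperty", $null, $_, $null)
        # ADsPath looks like WinNT://DOMAIN/user or WinNT://COMPUTER/user
        $parts = ($path -replace "^WinNT://", "") -split "/"
        New-Object PSObject -Property @{
            Group           = $GroupName
            Source          = $parts[0]
            Member          = $parts[1]
            IsDomainAccount = ($parts[0] -ne $env:COMPUTERNAME -and $parts[0] -ne "NT AUTHORITY")
        }
    }
}

$members = foreach ($g in "Administrators", "Remote Desktop Users") { Get-LocalGroupMembership $g }
$members | Format-Table Group, Source, Member, IsDomainAccount -AutoSize

# 3. Which TCP ports are listening? Anything outside the set the post describes
#    (80/443, plus 3389 where vendor RDP is expected) should be reconciled against
#    the external firewall rules.
$expected  = 80, 443, 3389
$listening = netstat -an -p tcp | Where-Object { $_ -match "LISTENING" } | ForEach-Object {
    $local = ($_ -split "\s+")[2]      # e.g. 0.0.0.0:80 (index 0 is the leading blank)
    [int]($local -split ":")[-1]       # last field is the port, works for [::]:80 too
} | Sort-Object -Unique
$unexpected = $listening | Where-Object { $expected -notcontains $_ }

"Listening TCP ports: $($listening -join ', ')"
"Ports outside the expected set: $($unexpected -join ', ')"
```

Run it on each externally reachable server and keep the output with the change record: a `True` in `IsDomainAccount` for an Administrators member, or a port outside the expected set, is exactly the kind of gap that makes the "separate domain" question matter, and it is cheaper to find this way than after an incident.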