Solved

Will two Windows domains provide better security from Internet threats?

Posted on 2009-07-16
1
308 Views
Last Modified: 2013-11-16
We have an increasing number of Windows servers that can be accessed from the Internet through web front ends (for example, Student Information System, library lookup), but also on the internal network via traditional LAN methods such as file sharing and "fat" client front ends between each other and/or from user workstations.  This makes them difficult to put in a DMZ or to firewall internally.  External access is typically limited to ports 80 and 443, though a few have remote desktop access for vendor support (using local accounts on that server, not domain accounts).  I don't know a lot about how secure these different applications are, therefore I worry about what might happen if one of these systems was compromised.  If a compromised server is part of our domain with all of our other resources and users, how great is the risk to other resources on the network (shared files, active directory, etc.)?  I thought about putting the servers that are accessed externally into a separate domain, so that if that domain was compromised, it wouldn't affect the domain with the users and other resources.  Is this worthwhile?  Is there something else I should do?  This blending of the local network and Internet is making me feel insecure an unsecure.  
0
Comment
Question by:madbob00
1 Comment
 
LVL 58

Accepted Solution

by:
tigermatt earned 500 total points
ID: 24873812

It's a fact of life that if you deploy servers, they will need to be connected somehow to the Internet - or some other public network which is largely beyond your control. How many companies/schools today would operate without external email access, for example?

The risk of a machine potentially becoming compromised is largely beyond your control and down to the development integrity of the application you are exposing to the Internet. If the applications was developed well and has an active development cycle which looks for new bugs/holes and patches them, you're going to be under less threat. If you deploy an application developed 5 years ago which hasn't been updated since for the new types of threats, you may be at more risk.

Even the best software can have bugs, so unless you pull the Internet cord you can never be 100% secure. However, assuming a worst case scenario, you then need to look at how that attack could spread. You state these applications are using local accounts - is that the service the application is running under or the logon credentials for remote users? If the application services run with local credentials, that's great. It mitigates the ability for the malicious user to access other systems on the domain, since the local account is not trusted by other machines.

If the user were to gain access to the domain, they could cause damage. However, this would require a further attack against the Domain Controllers... and all this would have to be launched through a vendor-specific port and application interface - protocols which are unlikely to allow this kind of code to be launched and executed.

Splitting the domain into two would be impractical. It is difficult to maintain. You would need a trust between domains to access resources between the two - which instantly opens a communications path between the two domains (unless you use a one-way trust, but that is more complicated and requires greater planning). Furthermore, separating resources into separate domains and assuming those two domains are then secure and isolated is actually a common misconception; the security boundary for an Active Directory domain is the boundary of the FOREST (not the domain). There's some great blog posts about this around, including: http://msmvps.com/blogs/ulfbsimonweidner/archive/2007/08/25/security-boundary-forest-vs-domain.aspx. Essentially, it is possible for an attack to be launched by a user or service in one domain which exploits the other domain, elevating privileges and allowing control over the other domain.

I already mentioned a large-scale attack would be VERY difficult to pull off if you only expose limited ports to the public Internet. The Windows RPC ports are the last ports you should expose - someone COULD cause damage if they were open. However, using simply 80 and 443 - or vendor-specific ports - is highly unlikely to allow for a major attack. Furthermore, if it were, just ask why would someone do so? It is a common fact there are millions of unpatched, unprotected, unfirewalled Windows machines in homes around the world; surely it would not be much easier for an attacker to exploit these machines than it would to gain access to your firewalled, high security network?

My bottom line is it would be impractical for you to split into two separate environments. They would have to be practically isolated from each other to offer any security boundary - which then makes using these resources impossible. Provided you only expose the proper ports to the Internet, use complex passwords, only grant user accounts the required privileges and - most importantly - educate users on computer security and how to recognise a threat before it occurs, you have a good defense in place already.

-Matt
0

Featured Post

Are your corporate email signatures appalling?

Is it scary how unprofessional your email signatures look? Do users create their own terrible designs and give themselves stupid job titles? You can make this a lot easier for yourself by choosing an email signature management solution from Exclaimer today.

Join & Write a Comment

The recent Microsoft changes on update philosophy for Windows pre-10 and their impact on existing WSUS implementations.
Possible fixes for Windows 7 and Windows Server 2008 updating problem. Solutions mentioned are from Microsoft themselves. I started a case with them from our Microsoft Silver Partner option to open a case and get direct support from Microsoft. If s…
This tutorial will give a short introduction and overview of Backup Exec 2012 and how to navigate and perform basic functions. Click on the Backup Exec button in the upper left corner. From here, are global settings for the application such as conne…
This tutorial will show how to configure a new Backup Exec 2012 server and move an existing database to that server with the use of the BEUtility. Install Backup Exec 2012 on the new server and apply all of the latest hotfixes and service packs. The…

747 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

15 Experts available now in Live!

Get 1:1 Help Now