  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 793

ACL that permit only authentication in domain

I have a webserver on DMZ, and this webserver needs to authenticate on ActiveDirectory server (on my backoffice).

What ports/protocols do I need to allow ONLY this authorization? I need to restrict all other access (file sharing, etc.) from the webserver to AD.

Thank you,

Felipe.
Asked by: FelipeSchneider
3 Solutions
 
shairozan commented:
Hey there,

Check this link

http://technet.microsoft.com/en-us/library/bb125069(EXCHG.65).aspx

And see if the section under active directory is helpful :) Basically, it's ports:

389/TCP, 389/UDP    LDAP to Directory Service
3268/TCP            LDAP to Global Catalog Server
88/TCP, 88/UDP      Kerberos Authentication
 
shairozan commented:
I'm not sure about the PIX, but on the ASA, these are abbreviated as service set domain, ie

access-list ad_auth extended permit int dmz int inside eq domain
 
Giladn commented:
Port 389 should be enough for a query for auth.

Gilad
rochey2009 commented:
Hi,

Have a look at the following article. It discusses some of the security implications of what you're trying to do.

http://articles.techrepublic.com.com/5100-22_11-5238083.html

 
Giladn commented:
Not if the port is blocked from the WAN side; he wants to use it from the DMZ to the internal network.

A lot of systems use that method; anti-spam relays also do that query to a remote AD using those ports, just to check if the recipient matches a user in AD.

 
FelipeSchneider (Author) commented:
Strange, I've opened the following ports:

Kerberos        TCP 88, UDP 88
DNS             TCP 53, UDP 53
LDAP            TCP 389, UDP 389
LDAP over SSL   TCP 636
SMB over IP     TCP 445, UDP 445

But the computer doesn't enter the domain correctly. I have a shared folder on the webserver that I access from my back office DFS, and if I don't create an ANY - ANY rule on the DMZ interface, the webserver apparently doesn't log in to the domain, and the files aren't visible from the backoffice.

Any suggestion?
 
rochey2009 commented:
There is a security issue if the web server gets compromised.
 
FelipeSchneider (Author) commented:
"query  remote AD using those ports - just to check if the recipient matches a user in AD."

Yes, it's exactly what I need. I need only the webserver to join the domain, but all other functions/ports must be disabled.

The access that will be enabled is from backoffice TO dmz.
 
Giladn commented:
Rochey2009 is right, don't do it; you will be easily exposed to XSS and many kinds of web attacks and web API attacks.
What is the point of putting a computer in your DMZ and logging it in to the domain? The services and processes will run with the user's permissions.

 
FelipeSchneider (Author) commented:
I need to access a shared folder in the DMZ from my backoffice machines. And I need to access this folder with the user permissions on AD.

Any idea?
 
Giladn commented:
Yes. Share another folder on an internal server and replicate/sync them.
 
FelipeSchneider (Author) commented:
I did it in the past, but the problem is that I need the publication of the archives to be online.

Another suggestion would be to leave the webserver standalone, and allow it to access the folders on the file server. For that I would open only the ports for the file share from WEBSERVER to FILESERVER.

What do you think?
 
ARK-DS commented:
Hi,
I don't see port 123 open. This is for Windows Time (NTP). If the server is not in sync in terms of time, it will not authenticate, as Kerberos depends on time.

You can also take a Netmon trace to see what is happening.

I would also suggest opening 3268 for GC.

Regards,
Arun.
 
FelipeSchneider (Author) commented:
And I did the following: hosted the files on the fileserver, created a share for the folder, and created a rule that allows access to tcp/netbios-ssn and udp/netbios-ns from the DMZ to the fileserver.

With that I kept the webserver standalone (outside the domain), but accessing the folder that I need.

I think it was a good option.
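The two approaches discussed in this thread, written out as one ASA access list: option A is the domain-join port set the posters enumerated (Kerberos 88, LDAP 389/636, GC 3268, DNS 53, NTP 123, SMB 445 to the DC only), option B is the final choice of a standalone webserver that reaches only the file share. This is an added example, not any poster's configuration; the interface names dmz/inside, the object names and the addresses are assumed, and A and B are alternatives, not meant to be applied together.

```cisco
! Added example, not any poster's config. ASA 8.3+ object syntax; the
! interface names (dmz/inside), object names and addresses are assumed.
object network WEB_DMZ
 host 10.10.10.5
object network DC_INSIDE
 host 10.1.1.10
object network FILESERVER_INSIDE
 host 10.1.1.20

! Option A: webserver joins the domain. TCP ports named in the thread;
! 445 is permitted to the DC only, never to other inside hosts.
object-group service AD_AUTH_TCP tcp
 port-object eq 88
 port-object eq 389
 port-object eq 636
 port-object eq 3268
 port-object eq 53
 port-object eq 445
! UDP: Kerberos, LDAP, DNS and NTP (Kerberos fails when clocks drift)
object-group service AD_AUTH_UDP udp
 port-object eq 88
 port-object eq 389
 port-object eq 53
 port-object eq 123
access-list DMZ_IN extended permit tcp object WEB_DMZ object DC_INSIDE object-group AD_AUTH_TCP
access-list DMZ_IN extended permit udp object WEB_DMZ object DC_INSIDE object-group AD_AUTH_UDP

! Option B (what the thread settled on): webserver stays standalone and
! only reaches the share on the file server.
access-list DMZ_IN extended permit tcp object WEB_DMZ object FILESERVER_INSIDE eq netbios-ssn
access-list DMZ_IN extended permit udp object WEB_DMZ object FILESERVER_INSIDE eq netbios-ns

! Everything else from the DMZ host toward the inside is dropped and logged
access-list DMZ_IN extended deny ip any any log
access-group DMZ_IN in interface dmz

! The rule the thread warns against: a compromised webserver could reach
! every inside host on every port. Shown only for contrast; never apply it.
! access-list DMZ_IN extended permit ip any any
```

Because the list is applied inbound on the dmz interface, the final deny also drops the webserver's other outbound traffic, so add explicit permits for whatever else it legitimately needs. The thread also shows that option A's port set alone was not enough for the host to join the domain, so the deny log entries are the place to look when troubleshooting.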
 
Giladn commented:
One of the better options in your situation.

Good luck
