Solved

Microsoft Web Server Security with Domain

Posted on 2013-10-22
4
401 Views
Last Modified: 2013-11-13
Hi,

We're setting up a Server 2008R2 VM in a different subnet (Subnet A) than our Active Directory Domain subnet (Subnet B) because it will be a web server public facing the internet.

We're only opening the needed ports from the web server in Subnet A to a 2008R2 SQL server in Subnet B.

My question is, could I also open up all ports from the web server to our domain controller and add the web server to the domain, or could this be insecure? It would be nice to add it to the domain for simplicity purposes.

Asking for best practices in the above scenario. Thanks.
0
Question by:RFVDB
4 Comments
 
LVL 61

Accepted Solution

by:
btan earned 250 total points
It all boils down to what services are required from the web server to AD, and the required ports need to be opened so that the firewall ruleset has them included explicitly. We should never expose the internal AD; even if needed, you are probably looking at ADAM, which is application specific and not the actual enterprise identity directory.

If the web server needs Kerberos delegation, as it is not within the domain, you will need to allow Kerberos and even LDAP search and call on the standard port, and in addition also the secure versions of those services. If it is part of the domain, then you must ask whether you need it to talk to internal DNS, or have DHCP, or have routing access service... likely not, for public facing, as much as possible.

Likely there is a proxy of sorts guarding the internal network, or in front of the web server doing NATing if needed. Those in the DMZ are really for public service, hence the FW guards them to allow only the minimal services. Even RADIUS and NAC type servers can be in the DMZ, but proxying traffic to internal only after successful authentication.

This MSDN link on firewalls may come in handy.

http://support.microsoft.com/kb/179442
0
 
LVL 18

Assisted Solution

by:irweazelwallis
irweazelwallis earned 125 total points
Don't do it is the simple answer.
The ports required for the web server to function on the domain will leave the firewall pointless, unless you accept some things not working and generating error messages.

We have DMZs set up with AD domains in there for control and authentication of admin users, to allow for group policy enforcement etc.

Any interfaces to internal systems are carefully controlled and locked down to minimal ports for application interfaces, i.e. web server in DMZ to app or SQL layer in the internal network runs on a single custom SQL port and that's it.
0
 
LVL 11

Assisted Solution

by:Sanjay Santoki
Sanjay Santoki earned 125 total points
Hello,

As far as traffic between subnets is concerned, only the SQL Server and web service ports are required.

I would recommend keeping the web server in the DMZ as a workgroup computer, so that in the worst case it will not affect the production directory server if it gets compromised.

Regards,
Sanjay Santoki
0
 
LVL 61

Assisted Solution

by:btan
btan earned 250 total points
To add, I suggest you check out the below.

1) NIST - Guidelines on Securing Public Web Servers (handy checklist at the end), especially the sections below with regard to the minimal and necessary services needed and the type of FW placement deployed, like single-FW DMZ, two-FW DMZ (considered more secure and segmented) and service-leg FW @ http://csrc.nist.gov/publications/nistpubs/800-44-ver2/SP800-44v2.pdf

Section 4.1.2 Remove or Disable Unnecessary Services and Applications
Section 8. Implementing a Secure Network Infrastructure

2) Another from MS
https://social.technet.microsoft.com/wiki/contents/articles/13974.security-best-practices-to-protect-internet-facing-web-servers.aspx

1. Identify the network flow, in terms of requests: if you know the regular network flow the server is supposed to receive and send, then you can allow and check (content/request inspection) them, while other traffic/flows would be denied by default (by the firewall). This is a network isolation measure that will reduce the risk of malware spreading (or a successful intrusion getting deeper into the production network).

2. Make sure your DMZ has no possibility to directly access your LAN with "source to any" or "source to many"-like rules (firewall/router rules to be double-checked).

7. Make sure that the machines within the DMZ are not joined to the regular production domain. AD isolation is at the forest layer, therefore it is highly recommended not to have the production AD in the DMZ. Please either use another forest, or deploy AD Lightweight Directory Services.
0
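The answers above converge on two checks: a DMZ-to-LAN ruleset should contain only the explicit flows the application needs (here, a single custom SQL port), with no "source to any"-style rules, and it should not open the Active Directory ports a domain-joined host would need. The following script is an added example, not code from the thread or from any of the answerers, that audits a firewall ruleset for exactly those two problems. The rule syntax (one rule per line: action, source, destination, protocol, port), the RFC 5737 addresses standing in for Subnet A and Subnet B, the custom SQL port 14330 and the whitelist are all constructed for the example; the domain port numbers are the standard well-known assignments and are not listed on the page.

```python
"""Audit a DMZ -> LAN firewall ruleset for wildcard rules and AD ports.

Example code added to the thread; the rule format and addresses are
constructed assumptions, not a real firewall export format.
"""
from dataclasses import dataclass
from ipaddress import ip_network, IPv4Network
from typing import List, Set, Tuple

# Ports a domain-joined Windows host uses to reach a domain controller.
# Standard well-known assignments (Kerberos, LDAP/LDAPS, DNS, SMB, RPC
# endpoint mapper, Global Catalog); the thread names the services, not the ports.
DOMAIN_PORTS = {
    53: "DNS", 88: "Kerberos", 135: "RPC endpoint mapper", 389: "LDAP",
    445: "SMB", 464: "Kerberos password change", 636: "LDAPS",
    3268: "Global Catalog", 3269: "Global Catalog over TLS",
}

# Subnet A (DMZ web server) and Subnet B (AD / SQL): RFC 5737 documentation
# ranges chosen for this example.
DMZ_NET: IPv4Network = ip_network("192.0.2.0/24")
LAN_NET: IPv4Network = ip_network("198.51.100.0/24")


@dataclass(frozen=True)
class Rule:
    line: int
    action: str   # "allow" or "deny"
    src: str      # host, CIDR or "any"
    dst: str      # host, CIDR or "any"
    proto: str    # "tcp", "udp" or "any"
    port: str     # port number or "any"


def parse_rules(text: str) -> List[Rule]:
    """Parse the hypothetical 'action src dst proto port' format, one rule
    per line; '#' starts a comment and blank lines are ignored."""
    rules = []
    for n, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 5:
            raise ValueError(f"line {n}: expected 5 fields, got {len(fields)}")
        action, src, dst, proto, port = fields
        rules.append(Rule(n, action.lower(), src, dst, proto.lower(), port))
    return rules


def is_any(token: str) -> bool:
    return token.lower() == "any"


def touches(token: str, net: IPv4Network) -> bool:
    """True if the address token (host, CIDR or 'any') can reach into net."""
    return is_any(token) or ip_network(token, strict=False).overlaps(net)


def audit(rules: List[Rule],
          allowed: Set[Tuple[str, str, int]]) -> List[Tuple[int, str, str]]:
    """Return (line, code, detail) findings for allow rules crossing from the
    DMZ into the LAN. `allowed` is the explicit whitelist of
    (destination host, proto, port) flows the application needs."""
    findings = []
    for r in rules:
        if r.action != "allow":
            continue
        if not (touches(r.src, DMZ_NET) and touches(r.dst, LAN_NET)):
            continue  # not a DMZ -> LAN flow; out of scope for this check
        if is_any(r.src) or is_any(r.dst):
            findings.append((r.line, "WILDCARD_ENDPOINT",
                             "DMZ->LAN rule with 'any' source or destination"))
        if is_any(r.port):
            findings.append((r.line, "WILDCARD_PORT",
                             "DMZ->LAN rule allows every port"))
            continue
        port = int(r.port)
        if port in DOMAIN_PORTS:
            findings.append((r.line, "DOMAIN_PORT",
                             f"{DOMAIN_PORTS[port]} ({port}) opened from DMZ into LAN"))
        elif (r.dst, r.proto, port) not in allowed:
            findings.append((r.line, "UNEXPECTED_PORT",
                             f"port {port}/{r.proto} to {r.dst} is not whitelisted"))
    return findings


# Constructed sample ruleset: the web server may reach SQL on one custom port
# (fine), but Kerberos and LDAP to the DC and a "source to any" rule were
# also added, which is what the thread warns against.
SAMPLE_RULES = """
allow 192.0.2.10   198.51.100.20  tcp 14330   # web -> SQL, custom port
allow 192.0.2.10   198.51.100.5   tcp 88      # web -> DC Kerberos
allow 192.0.2.10   198.51.100.5   tcp 389     # web -> DC LDAP
allow 192.0.2.0/24 any            any any     # DMZ -> anywhere
deny  any          any            any any
"""

# The only DMZ -> LAN flow the application actually needs.
WHITELIST = {("198.51.100.20", "tcp", 14330)}


def audit_sample() -> List[Tuple[int, str, str]]:
    return audit(parse_rules(SAMPLE_RULES), WHITELIST)


if __name__ == "__main__":
    for line, code, detail in audit_sample():
        print(f"line {line}: {code}: {detail}")
```

Run against the sample, the SQL rule passes and the four findings are the two domain ports on the DC and the wildcard rule (flagged once for its "any" destination and once for its "any" port). Rules that do not cross from the DMZ into the LAN are deliberately skipped, so the same audit can be run over a full export without noise from LAN-internal rules.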
