  • Status: Solved
Microsoft Web Server Security with Domain

Hi,

We're setting up a Server 2008 R2 VM in a different subnet (Subnet A) from our Active Directory domain subnet (Subnet B) because it will be a public-facing web server on the internet.

We're only opening the needed ports from the web server in Subnet A to a 2008 R2 SQL Server in Subnet B.

My question is, could I also open up all ports from the web server to our domain controller and add the web server to the domain, or would this be insecure? It would be nice to add it to the domain for simplicity.

Asking for best practices in the above scenario. Thanks.
Asked by RFVDB

4 Solutions

btan (Exec Consultant) commented:
It all boils down to what service is required from the web server to AD, and the required ports need to be opened as the firewall ruleset has to include them explicitly. We should never expose internal AD; even if you need to, you are probably looking at ADAM, which is application specific and not the actual enterprise identity directory.

If the web server needs Kerberos delegation, as it is not within the domain you will need to allow Kerberos and even LDAP search and call on the standard ports, and in addition the secure versions of those services too. If it is part of the domain then you must ask whether you need it to talk to internal DNS, or have DHCP, or have Routing and Remote Access service... likely not for public facing, as much as possible.

Likely there is a proxy of sorts guarding the internal network, or in front of the web server doing NATing if needed. Those in the DMZ are really for public services, hence the FW guards them to allow only the minimal services. Even RADIUS and NAC type servers can be in the DMZ but proxy traffic to internal only after successful authentication.

This MSDN link on firewalls may come in handy.

http://support.microsoft.com/kb/179442

irweazelwallis commented:
Don't do it is the simple answer.
The ports required for the web server to function on the domain will make the firewall pointless, unless you accept some things not working and generating error messages.

We have DMZs set up with AD domains in there for control and authentication of admin users, to allow group policy enforcement, etc.

Any interfaces to internal systems are carefully controlled and locked down to minimal ports for application interfaces, i.e. a web server in the DMZ to the app or SQL layer in the internal network runs on a single custom SQL port and that's it.

Sanjay Santoki commented:
Hello,

As far as traffic between subnets is concerned, only the SQL Server and web service ports are required.

I would recommend keeping the web server in the DMZ as a workgroup computer so that in the worst case it will not affect the production directory server if it gets compromised.

Regards,
Sanjay Santoki

btan (Exec Consultant) commented:
To add, I suggest you check out the below:

1) NIST - Guidelines on Securing Public Web Servers (handy checklist at the end), especially the sections below with respect to the minimal and necessary services needed and the type of FW placement deployed, like single-FW DMZ, two-FW DMZ (considered more secure and segmented) and service-leg FW @ http://csrc.nist.gov/publications/nistpubs/800-44-ver2/SP800-44v2.pdf

Section 4.1.2 Remove or Disable Unnecessary Services and Applications
Section 8. Implementing a Secure Network Infrastructure

2) Another from MS
https://social.technet.microsoft.com/wiki/contents/articles/13974.security-best-practices-to-protect-internet-facing-web-servers.aspx

1. Identify the network flow, in terms of requests: if you know the regular network flow the server is supposed to receive and send, then you can allow and check (content/requests inspection) them, while other traffic/flow would be denied by default (by Firewall). This is a network isolation measure, that will reduce the risk of a malware spread (or a successful intrusion getting deeper into the production network)

2. Make sure your DMZ has no possibility to directly access your LAN with "source to any" or "source to many"-like rule (firewall/routers rules to be double-checked).

7. Make sure that the machines within the DMZ are not joined to the regular production domain. AD isolation is at the forest layer, therefore it is highly recommended not to have the production AD in the DMZ. Please either use another forest, or deploy AD Lightweight Directory Services.
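As an added example (not from the thread or from any of the posters), the following Python script audits a candidate DMZ-to-LAN firewall ruleset against the minimal flow irweazelwallis describes (web server to the SQL layer on a single custom port) and against item 2 of the Microsoft list above ("source to any" or "source to many" rules). It also shows, by listing the ports a domain member needs to reach a DC as given in the Microsoft KB article btan linked, what joining the web server to the domain would force the ruleset to open. The subnets, host addresses, rule format and the custom SQL port 14433 are all constructed assumptions.

```python
"""Audit a DMZ -> LAN ruleset against the minimal required flows (added example)."""
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class Rule:
    name: str
    src: str        # source CIDR; "0.0.0.0/0" means any
    dst: str        # destination CIDR
    proto: str      # "tcp", "udp" or "any"
    dports: tuple   # destination ports: ints, range objects, or ("any",)
    action: str     # "allow" or "deny"


# Constructed addressing (assumption): Subnet A is the DMZ, Subnet B holds AD and SQL.
DMZ = ip_network("10.10.1.0/24")
LAN = ip_network("10.10.2.0/24")
WEB, SQL, DC = "10.10.1.10/32", "10.10.2.20/32", "10.10.2.5/32"

# The one flow the thread says the web tier needs: web -> SQL on a single custom
# port (14433 is a made-up value standing in for "a custom SQL port").
REQUIRED = {(WEB, SQL, "tcp", 14433)}

# Ports a domain member uses to reach a DC, per the Microsoft KB article linked in
# the thread: DNS, Kerberos, NTP, RPC endpoint mapper, LDAP, SMB, kpasswd, LDAPS,
# global catalog, and the dynamic RPC range. Shown to illustrate what domain
# membership would open; confirm against your own DC configuration.
AD_MEMBER_PORTS = (53, 88, 123, 135, 389, 445, 464, 636, 3268, 3269,
                   range(49152, 65536))


def port_count(dports):
    """Number of destination ports a rule opens ("any" counts as all 65535)."""
    if "any" in dports:
        return 65535
    return sum(len(p) if isinstance(p, range) else 1 for p in dports)


def port_allowed(dports, port):
    """True if the rule's port list admits this destination port."""
    return "any" in dports or any(
        port in p if isinstance(p, range) else port == p for p in dports)


def crosses_dmz_to_lan(rule):
    """True if any source in the DMZ can reach any destination in the LAN via this rule."""
    return ip_network(rule.src).overlaps(DMZ) and ip_network(rule.dst).overlaps(LAN)


def rule_covers(rule, flow):
    """True if this allow rule admits the (src, dst, proto, port) flow."""
    src, dst, proto, port = flow
    return (rule.action == "allow"
            and ip_network(src).subnet_of(ip_network(rule.src))
            and ip_network(dst).subnet_of(ip_network(rule.dst))
            and rule.proto in ("any", proto)
            and port_allowed(rule.dports, port))


def audit(rules):
    """Return (rule name, reason) findings for every DMZ->LAN allow wider than REQUIRED,
    plus a <missing> finding for any required flow no rule admits."""
    findings = []
    for r in rules:
        if r.action != "allow" or not crosses_dmz_to_lan(r):
            continue
        if ip_network(r.dst).prefixlen < 32:
            findings.append((r.name, "destination is a whole subnet, not one host"))
        if "any" in r.dports:
            findings.append((r.name, "source-to-any style rule: all ports open"))
        else:
            covered_ports = {f[3] for f in REQUIRED if rule_covers(r, f)}
            extra = port_count(r.dports) - len(covered_ports)
            if extra > 0:
                findings.append((r.name, f"opens {extra} port(s) beyond the required flows"))
    for f in REQUIRED:
        if not any(rule_covers(r, f) for r in rules):
            findings.append(("<missing>", f"required flow {f} has no allow rule"))
    return findings


# Constructed rulesets: the minimal one the thread recommends, and one that also
# "adds the web server to the domain" and has a broad DMZ->LAN rule.
MINIMAL_RULES = [
    Rule("web-to-sql", WEB, SQL, "tcp", (14433,), "allow"),
    Rule("default-deny", "0.0.0.0/0", "0.0.0.0/0", "any", ("any",), "deny"),
]
RULES = [
    Rule("web-to-sql", WEB, SQL, "tcp", (14433,), "allow"),
    Rule("web-to-dc", WEB, DC, "tcp", AD_MEMBER_PORTS, "allow"),   # UDP would also be needed
    Rule("dmz-to-lan-any", "10.10.1.0/24", "10.10.2.0/24", "any", ("any",), "allow"),
    Rule("default-deny", "0.0.0.0/0", "0.0.0.0/0", "any", ("any",), "deny"),
]

if __name__ == "__main__":
    print("minimal ruleset:", audit(MINIMAL_RULES) or "clean")
    for name, reason in audit(RULES):
        print(f"domain-joined ruleset: {name}: {reason}")
```

The `web-to-dc` rule alone accounts for over sixteen thousand destination ports once the dynamic RPC range is included, which is the concrete form of "the ports required for the web server to function on the domain will make the firewall pointless". Feed your real ruleset in as `Rule` objects and keep `REQUIRED` to the application flows you have actually identified (item 1 of the Microsoft list).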