Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

What is the best way to lock-down Windows 2008 R2 Active Directory domains with two-way transitive trusts?

Posted on 2014-03-29
9
Medium Priority
?
1,016 Views
Last Modified: 2014-04-09
Here's the scenario I am working with and would welcome thoughts from the experts here on best way to address it:

Requirement:
Secure environment from external and internal threats by reducing attack surface.

Environment:
Single forest with two domains: production and DMZ. Production and DMZ both have a two-way trust established with selective authentication (read and authenticate). An application layer next-gen firewall (Palo Alto) is sitting between the two environments.

DMZ domain has one-way trust enabled with selective authentication and is the trusting domain for the external third-party domain. this is being used to allow access to external parties to view relevant information available in the dmz domain.


Operational requirements:
AD LDS is utilized to synchronize an in-house developed application data across Production and DMZ domain and as a result a number of ports are open between the two domains. Separate LDS instances cannot be maintained for the two environments.

Additional info:
 - The environment is well patched but occasionally the patch cycle is missed leaving the environment exposed.

- Link between dmz and external domain is via a private leased line (HSDL). Internet connectivity is available within the dmz domain but not in the production domain.


 Question: How do we lockdown the environment without impacting operations?
0
Comment
Question by:artsandtech
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
  • 2
  • +1
9 Comments
 
LVL 7

Expert Comment

by:Delete
ID: 39964553
0
 
LVL 37

Assisted Solution

by:Mahesh
Mahesh earned 750 total points
ID: 39964710
From management point you have to manage two AD domains

From security stand point what you have done is perfect according to my opinion if below is true.
I hope there is no trust exists between production domain and DMZ domain, or else it will like partially defeat purpose of having separate DMZ domain, because in that case it will not remain totally isolated environment
AD LDS is different from active directory and you can have AD LDS ports opened between production instance and DMZ instance, anyhow you cannot skip that requirement since same application \ database is used in production and DMZ I guess.

Now for 3rd party external domain, instead of building one way trust with selective authentication, you might consider implementing ADFS server (Federated trust) which will provide required resource access without need of domain trust
You can search ADFS infrastructure on internet
Note that both source and destination domain needs to deploy ADFS server infrastructure and you have to have certificate based protocol (SAML 2.0) supported by application for authentication (Application must be ADFS aware - can work with SAML 2.0 protocol)

Because according to me domain trust is hole in security and best suited within corporate network \ LAN only.

Mahesh.
0
 
LVL 25

Expert Comment

by:Mohammed Khawaja
ID: 39964982
aDFS is the best solution and note that this is how cloud apps are deployed on hosted services.  This would be no different.
0
Learn how to optimize MySQL for your business need

With the increasing importance of apps & networks in both business & personal interconnections, perfor. has become one of the key metrics of successful communication. This ebook is a hands-on business-case-driven guide to understanding MySQL query parameter tuning & database perf

 

Author Comment

by:artsandtech
ID: 39974335
thanks all but considering I am opening ports for LDS traffic between the two domains,  is there something else that can be done to further reduce this exposure apart from the obvious firewall filters ?
0
 
LVL 37

Expert Comment

by:Mahesh
ID: 39974353
According to my knowledge firewall filters are sufficient and you can't do more than this

You may follow MS best practices to harden ADLDS servers but same time you need to ensure that your application will work correctly

Hardening involves
disabling non essential services
Renaming local administrator account
Disabling guest account
Installing appropriate MS security updates and service packs
Installing appropriate Anti virus softwares with proper exceptions
You will get standard server lockdown documentation \ links on internet

Mahesh.
0
 
LVL 7

Expert Comment

by:Delete
ID: 39976366
You can implement IPsec and encrypt the traffic between your domains.  That way the only traffic going through the firewall is encrypted traffic and you only need to allow the IPsec ports.
0
 

Author Comment

by:artsandtech
ID: 39990226
Ipsec is an interesting idea,  but what about overheads? Will it impact my AC-LDS traffic? How do Ipsec connections get setup for LDS replication? All to all across domains?
0
 
LVL 7

Accepted Solution

by:
Delete earned 750 total points
ID: 39990320
The overhead would be placed on the terminating ends.  So if you are going from server to server then the over head would be on those nodes.  This is simply because they are doing the encryption/decryption.  It will not impact your LDS traffic, when you setup IPsec you choose the source and destination (can be single machine or full subnet) along with what ports and protocols are allowed between those hosts.  You would need to setup an IPsec rule on every machine that needs to talk to the DMZ and vice versa, but this can be done through GPO.

A few things to keep in mind with IPsec.
1. Depending on your environment it can become very complex so extensive planning needs to occur.

2. The most secure way to implement IPsec is to have the tunnel terminate at your boundary device so that you don't have an encrypted tunnel going through your firewall (you can only do this if your firewall is capable of this, but this will increase the overhead considerably).  If you do an encrypted tunnel through your firewall then you can't inspect the traffic and you would need at the very least HIPS installed on each endpoint.  

3.  If you setup your IPsec rules incorrectly, you can accidentally isolate your machines so again plan thoroughly and carefully.

Refer to these two articles for more information:
http://technet.microsoft.com/en-us/library/cc700826.aspx
http://technet.microsoft.com/en-us/library/cc700829.aspx
0
 

Author Closing Comment

by:artsandtech
ID: 39990504
thanks both Mahesh and Justin. I have to do some more research and testing before taking any actions.
0

Featured Post

Cyber Threats to Small Businesses (Part 2)

The evolving cybersecurity landscape presents SMBs with a host of new threats to their clients, their data, and their bottom line. In part 2 of this blog series, learn three quick processes Webroot’s CISO, Gary Hayslip, recommends to help small businesses beat modern threats.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Wouldn't it be nice if objects in Active Directory automatically moved into the correct Organizational Units? This is what AutoAD aims to do and as a plus, it automatically creates Sites, Subnets, and Organizational Units.
In this article, WatchGuard's Director of Security Strategy and Research Teri Radichel, takes a look at insider threats, the risk they can pose to your organization, and the best ways to defend against them.
This tutorial will walk an individual through setting the global and backup job media overwrite and protection periods in Backup Exec 2012. Log onto the Backup Exec Central Administration Server. Examine the services. If all or most of them are stop…
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …

670 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question