artsandtech asked:
What is the best way to lock-down Windows 2008 R2 Active Directory domains with two-way transitive trusts?

Here's the scenario I am working with, and I would welcome thoughts from the experts here on the best way to address it:

Requirement:
Secure environment from external and internal threats by reducing attack surface.

Environment:
Single forest with two domains: production and DMZ. Production and DMZ both have a two-way trust established with selective authentication (read and authenticate). An application layer next-gen firewall (Palo Alto) is sitting between the two environments.

The DMZ domain has a one-way trust enabled with selective authentication and is the trusting domain for the external third-party domain. This is being used to allow external parties to view relevant information available in the DMZ domain.


Operational requirements:
AD LDS is utilized to synchronize in-house developed application data across the Production and DMZ domains, and as a result a number of ports are open between the two domains. Separate LDS instances cannot be maintained for the two environments.

Additional info:
- The environment is well patched, but occasionally the patch cycle is missed, leaving the environment exposed.

- The link between the DMZ and external domain is via a private leased line (HSDL). Internet connectivity is available within the DMZ domain but not in the production domain.


Question: How do we lock down the environment without impacting operations?
SOLUTION
ADFS is the best solution, and note that this is how cloud apps are deployed on hosted services. This would be no different.
artsandtech (ASKER):
Thanks all, but considering I am opening ports for LDS traffic between the two domains, is there something else that can be done to further reduce this exposure apart from the obvious firewall filters?
According to my knowledge, firewall filters are sufficient and you can't do more than this.

You may follow MS best practices to harden AD LDS servers, but at the same time you need to ensure that your application will work correctly.

Hardening involves:
- Disabling non-essential services
- Renaming the local administrator account
- Disabling the guest account
- Installing appropriate MS security updates and service packs
- Installing appropriate antivirus software with proper exceptions

You will find standard server lockdown documentation / links on the internet.

Mahesh.
You can implement IPsec and encrypt the traffic between your domains.  That way the only traffic going through the firewall is encrypted traffic and you only need to allow the IPsec ports.
IPsec is an interesting idea, but what about overheads? Will it impact my AD LDS traffic? How do IPsec connections get set up for LDS replication? All to all across domains?
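As an added illustration (not part of the thread, and not the asker's or the experts' own configuration) of how narrowly the IPsec suggestion above can be scoped on Windows Server 2008 R2: connection security rules are pinned to the two AD LDS hosts rather than applied all-to-all across the domains, and the LDS port on each host is set to accept IPsec-protected traffic only. The host addresses and the LDS instance port are constructed placeholders.

```powershell
# Added example, not from the thread: pin IPsec to the two AD LDS hosts on
# Windows Server 2008 R2 with netsh advfirewall (no all-to-all policy).
# All addresses and the port are constructed placeholders; replace them.
$ProdLds = '10.10.1.20'   # AD LDS host in the production domain (constructed)
$DmzLds  = '10.20.1.20'   # AD LDS host in the DMZ domain (constructed)
$LdsPort = 50000          # TCP port of the LDS instance (assumed; check yours)

# Run on the production host; on the DMZ host swap the two assignments.
$me   = $ProdLds
$peer = $DmzLds

# 1. Connection security rule: every packet between exactly these two hosts
#    must be authenticated and ESP-encrypted in both directions.
#    auth1=computerkerb uses machine Kerberos over the existing trust, which
#    needs Kerberos (port 88) from each host to the peer domain's DCs through
#    the Palo Alto, and under selective authentication the peer's computer
#    account needs "Allowed to Authenticate" on this host's computer object.
#    To avoid both, use auth1=computercert auth1ca="<issuing CA DN>" instead.
netsh advfirewall consec add rule `
    name="IPsec AD LDS to $peer" `
    endpoint1=$me endpoint2=$peer `
    action=requireinrequireout `
    auth1=computerkerb `
    qmsecmethods="esp:sha256-aes256+60min+100000kb"

# 2. Host firewall: the LDS port accepts only IPsec-protected traffic, and
#    only from the peer, so a cleartext connection is dropped at the host
#    even if a perimeter rule is later loosened.
netsh advfirewall firewall add rule `
    name="AD LDS in from $peer IPsec-only" `
    dir=in action=allow protocol=tcp localport=$LdsPort `
    remoteip=$peer security=authenc

# 3. Perimeter: the Palo Alto now only needs UDP 500 (IKE), UDP 4500 (only if
#    NAT sits between the hosts) and IP protocol 50 (ESP) between $me and
#    $peer; the LDS and other ports opened for replication can be closed there.
#    Trade-off: the firewall no longer sees inside the LDS session, so
#    application-layer inspection of that traffic moves to the hosts.

# 4. Verify after the first replication: a quick-mode SA between the two hosts
#    must be listed; if none appears, check auth1 and the perimeter rules.
netsh advfirewall consec show rule name=all
netsh advfirewall monitor show qmsa
```

The same two netsh rules are applied on the DMZ host with the endpoints swapped; because both rules name the peer explicitly, nothing else in either domain is forced into IPsec.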
ASKER CERTIFIED SOLUTION
Thanks both Mahesh and Justin. I have to do some more research and testing before taking any actions.