What is the best way to lock-down Windows 2008 R2 Active Directory domains with two-way transitive trusts?
Posted on 2014-03-29
Here's the scenario I am working with and would welcome thoughts from the experts here on best way to address it:
Secure environment from external and internal threats by reducing attack surface.
Single forest with two domains: production and DMZ. Production and DMZ both have a two-way trust established with selective authentication (read and authenticate). An application layer next-gen firewall (Palo Alto) is sitting between the two environments.
DMZ domain has one-way trust enabled with selective authentication and is the trusting domain for the external third-party domain. this is being used to allow access to external parties to view relevant information available in the dmz domain.
AD LDS is utilized to synchronize an in-house developed application data across Production and DMZ domain and as a result a number of ports are open between the two domains. Separate LDS instances cannot be maintained for the two environments.
- The environment is well patched but occasionally the patch cycle is missed leaving the environment exposed.
- Link between dmz and external domain is via a private leased line (HSDL). Internet connectivity is available within the dmz domain but not in the production domain.
Question: How do we lockdown the environment without impacting operations?