Publishing servers best practice

I would like to know the security best practices for publishing servers behind firewalls.
Is it recommended for the servers not to be domain members?
Is it recommended to have the server installed in a DMZ zone to be isolated from the internal network, or can you just control access through a server farm firewall?
More security recommendations would be appreciated.

Mohammed Khawaja (Manager - Infrastructure: Information Technology) commented:
It all depends.  As an example, if you want to allow external users access to your SharePoint then the server will be part of the domain and it will be on the business network behind the firewall (you would open the SSL port).  If you really want to secure it in this example then you could install something like a UAG server which will proxy the connections (your users will only connect to the UAG, which will make the connection to SharePoint on their behalf).

If you are implementing a public FTP server which does not need domain connectivity then the server should reside in the DMZ.

My recommendation to you would be to implement something like UAG or Citrix NetScaler in the DMZ, which will connect to your servers in the inside network.  This way, you could control access via ports, application, etc., and it would be a very elegant solution.
Centamin-SGM (Author) commented:
Thanks Mohammed for your explanation.  I agree with what you suggested, but what about the recommendations for the questions listed above?
asavener commented:
Best practices are constantly evolving, and it's difficult to say "do this" without understanding all of the requirements.

If you have a large number of Windows systems that need to be exposed to the Internet, then it may be best to have them as part of the domain in order to facilitate management, patching, policies, etc.  Personally, I'd suggest making them part of a subdomain.

Is it recommended to have the server installed in a DMZ zone to be isolated from the internal network, or can you just control access through a server farm firewall?
That's a definite yes.  In fact, many enterprises are moving to a "no trusted network" configuration, where traffic is highly regulated, even within the core of the network.  This prevents "candy security" where you have a hard, crunchy shell and a soft chewy center.

More security recommendations would be appreciated.
IDS/IPS is highly recommended.  Make sure you inspect the traffic after it is decrypted, and before it is encrypted.

Patch management is extremely important, including DMZ servers, internal servers, and workstations.

You should investigate private VLANs.  A private VLAN isolates the traffic so that a VLAN member can only see the default gateway.  This can prevent both reconnaissance and peer-to-peer threats.

Vulnerability scans are important.  They can provide validation that you're doing things right, or warnings when you're doing things wrong.

Make sure you are logging everything you need to, and that the logs are placed somewhere they cannot be tampered with.

Make sure your users are not running as privileged users!
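The answer above says logs must land somewhere they cannot be tampered with. The following is an added example, not code from the thread or from any product it mentions: it shows one way a central log collector can make after-the-fact alteration of records it has already received detectable, by chaining an HMAC over each record and the previous tag. The log lines are constructed samples, and SECRET stands in for a key that only the collector holds (an assumption), so a compromised server cannot re-tag records it edits.

```python
"""Tamper-evident log chain.

Added example, not from the thread. It shows one way a central log
collector can detect after-the-fact alteration of records it has already
received. The log lines below are constructed samples; SECRET stands in
for a key that only the collector holds (assumption), so a compromised
server cannot re-tag records it edits.
"""
import hashlib
import hmac

SECRET = b"collector-only-key-replace-me"  # assumption: kept on the collector only
GENESIS = b"\x00" * 32                      # tag "before" the first record

# Constructed sample lines, in the shape of syslog-style output.
SAMPLE_LINES = [
    "Jan 10 08:01:02 dmz-web01 sshd[812]: Accepted publickey for deploy from 10.100.7.9",
    "Jan 10 08:01:09 dmz-web01 sudo: deploy : TTY=pts/0 ; COMMAND=/usr/bin/systemctl restart nginx",
    "Jan 10 08:02:41 dmz-web01 sshd[990]: Failed password for root from 203.0.113.55 port 41022",
    "Jan 10 08:02:44 dmz-web01 sshd[990]: Failed password for root from 203.0.113.55 port 41022",
]


def _tag(prev_tag: bytes, seq: int, line: str, secret: bytes) -> bytes:
    # Each tag covers the previous tag, the sequence number and the line,
    # so editing, reordering or deleting an earlier record breaks every later tag.
    msg = prev_tag + seq.to_bytes(8, "big") + line.encode("utf-8")
    return hmac.new(secret, msg, hashlib.sha256).digest()


def chain(lines, secret: bytes = SECRET):
    """Return a list of {seq, line, tag} records forming a hash chain."""
    records, prev = [], GENESIS
    for seq, line in enumerate(lines):
        tag = _tag(prev, seq, line, secret)
        records.append({"seq": seq, "line": line, "tag": tag.hex()})
        prev = tag
    return records


def verify(records, secret: bytes = SECRET):
    """Return None if the chain is intact, else the index of the first bad record."""
    prev = GENESIS
    for idx, rec in enumerate(records):
        if rec["seq"] != idx:
            return idx                      # a record was dropped or reordered here
        tag = _tag(prev, idx, rec["line"], secret)
        if not hmac.compare_digest(tag.hex(), rec["tag"]):
            return idx                      # the line or its tag was altered
        prev = tag
    return None


if __name__ == "__main__":
    recs = chain(SAMPLE_LINES)
    print("intact:", verify(recs))          # None
    recs[2]["line"] = recs[2]["line"].replace("Failed", "Accepted")
    print("after edit:", verify(recs))      # 2
```

The chain alone does not reveal truncation at the tail (dropping the newest records), so the collector should also track the expected next sequence number per source, or have sources emit periodic heartbeat records, and the chained records themselves belong on the collector or write-once storage rather than on the server that produced them.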

Mohammed Khawaja (Manager - Infrastructure: Information Technology) commented:
I will write you a proper response later on today.
Centamin-SGM (Author) commented:
Thanks asavener, good comments and great suggestions.
This will be accepted as a solution.
Centamin-SGM (Author) commented:
Thanks Mohammed, waiting for your response.
Mohammed Khawaja (Manager - Infrastructure: Information Technology) commented:
It is always recommended to segregate different networks via firewalls and only allow what is required explicitly.  In the example of a manufacturing plant, the business network would be segregated in a separate VLAN (i.e. VLAN100), production DCS systems in VLAN200, PLC networks in VLAN300, the DMZ in VLAN400, the management network for all communication devices regardless of where they are in VLAN500, voice communication in VLAN600, virtualization features such as vMotion/LiveMigration in a separate VLAN, etc.  As some production data needs to be available to business users, a firewall rule could be created to allow transfer of data from a data historian to a server in the business network; the same goes for remote access.

Now comes the DMZ: you separate your publicly available servers by putting them in the DMZ, but then the problem is how they communicate with the internal network.  For applications such as Exchange, something like ISA, Citrix NetScaler, UAG, etc. must be used to allow access; these application firewalls allow that.

Typically you should have all connections from the Internet terminate at a firewall, which then accesses services/servers in the DMZ; the DMZ is in turn separated from the business network, and only selected applications/services/ports should be allowed.
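The answer above, and the earlier "no trusted network" answer, both come down to the same rule: segregate zones, default to deny, and allow only what is explicitly required. The following is an added example, not code from the thread and not a vendor configuration. It models the VLAN scheme described above (business VLAN100, DCS VLAN200, DMZ VLAN400, plus the Internet) as firewall zones, answers whether a given new connection is permitted, and renders the same policy as an nftables forward chain with a drop policy so that the table of rules and the running ruleset cannot drift apart. The CIDRs, host addresses and port numbers are constructed assumptions.

```python
"""Zone-based segmentation policy: default deny, explicit allows only.

Added example, not from the thread and not a vendor configuration. It
models the VLAN scheme described above (business VLAN100, DCS VLAN200,
DMZ VLAN400) as firewall zones, evaluates whether a given flow is
permitted, and renders the same policy as an nftables forward chain.
The CIDRs, host addresses and port numbers are constructed assumptions.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Zone:
    name: str
    vlan: Optional[int]   # None for the Internet, which is "everything not internal"
    cidr: str


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str
    dport: int
    comment: str


ZONES = {
    "internet": Zone("internet", None, "0.0.0.0/0"),
    "dmz":      Zone("dmz",      400,  "192.0.2.0/24"),
    "business": Zone("business", 100,  "10.100.0.0/16"),
    "dcs":      Zone("dcs",      200,  "10.200.0.0/16"),
}

# The explicit allow list; anything not listed here is dropped and logged.
RULES = [
    Rule("internet", "dmz",      "tcp", 443,  "public HTTPS to the reverse proxy in the DMZ"),
    Rule("dmz",      "business", "tcp", 443,  "reverse proxy to the published app server only"),
    Rule("dcs",      "business", "tcp", 1433, "historian replication to the business DB server"),
]


def zone_of(ip: str) -> Zone:
    """Longest-prefix match over the zone table; 0.0.0.0/0 is the fallback."""
    addr = ip_address(ip)
    best, best_len = None, -1
    for zone in ZONES.values():
        net = ip_network(zone.cidr)
        if addr in net and net.prefixlen > best_len:
            best, best_len = zone, net.prefixlen
    return best


def evaluate(src_ip: str, dst_ip: str, proto: str, dport: int):
    """Return (allowed, reason) for a new connection crossing the firewall."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src.name == dst.name:
        return True, f"intra-zone {src.name}: switched locally, not firewalled"
    for rule in RULES:
        if (rule.src_zone, rule.dst_zone, rule.proto, rule.dport) == (src.name, dst.name, proto, dport):
            return True, rule.comment
    return False, f"default deny: {src.name} -> {dst.name} {proto}/{dport}"


def _match(field: str, zone: Zone) -> str:
    # The Internet zone is expressed as "not any internal prefix" so that an
    # internal source can never satisfy an Internet-facing rule.
    if zone.cidr == "0.0.0.0/0":
        internal = ", ".join(z.cidr for z in ZONES.values() if z.cidr != "0.0.0.0/0")
        return f"ip {field} != {{ {internal} }}"
    return f"ip {field} {zone.cidr}"


def to_nftables() -> str:
    """Render RULES as an nftables forward chain with a drop policy."""
    out = [
        "table inet segmentation {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
    ]
    for rule in RULES:
        out.append(
            f"    {_match('saddr', ZONES[rule.src_zone])} "
            f"{_match('daddr', ZONES[rule.dst_zone])} "
            f"{rule.proto} dport {rule.dport} ct state new accept "
            f'comment "{rule.comment}"'
        )
    out += ['    log prefix "segmentation-drop: "', "  }", "}"]
    return "\n".join(out)


if __name__ == "__main__":
    for flow in [("203.0.113.7", "192.0.2.10", "tcp", 443),
                 ("203.0.113.7", "10.100.5.5", "tcp", 443),
                 ("192.0.2.10", "10.100.5.5", "tcp", 445)]:
        print(flow, evaluate(*flow))
    print(to_nftables())
```

Two design points matter here. The Internet zone is rendered as "any source that is not an internal prefix" rather than 0.0.0.0/0, so an internal host can never match an Internet-facing allow rule by accident, and the chain's policy is drop with a logging rule at the end, so every flow the allow list does not name is both blocked and visible to whatever IDS or log collector you feed.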
Centamin-SGM (Author) commented:
Thanks Mohammed.

great answers.