General discussion


DC and GC in the DMZ of the network


I just started working for a company.
I am finding out that they have 3 DCs in the DMZ (the firewall is a Cisco PIX).
2 of them are NS servers that handle our external records for the domain (MX records, A record, www record, etc.). The other one is unluckily an Exchange 2003 server (not a good thing to put a DC on Exchange); this one is also a GC, the only one in the DMZ.
In my 9 years of experience this is the first time I have seen DCs in the DMZ or on public IPs. If someone is able to hack into Exchange or DNS, I guess they will have access to the AD too. How much should I worry about this? Is this a huge security hole? Is this something common, although I haven't seen it before?

Thanks in advance



by CG IT (in reply to the original post)

Well, it depends whether in fact the name servers are Domain Controllers. DNS servers that are authoritative name servers for the FQDN are often put in the DMZ. They only provide name-to-IP resolution for the FQDN. If those servers have the necessary security precautions in place, I wouldn't worry too much, provided that the company network isn't also the FQDN.

Exchange? If it is a DC for the company domain with the GC role AND Exchange, I'd say it's a big security risk. If it's just a server with Exchange running, I'd see if it's used as a POP3 server or a front-end Exchange server. It's not unheard of to stick a POP3 server or front-end Exchange SMTP server behind a perimeter firewall but in front of the internal firewall, in a DMZ zone. This allows for spam-filtering hardware devices to be in the mix [before the company network but behind a perimeter firewall].

by REZUMA (in reply to the original post)

The 2 DNS servers are domain controllers; their only goal is to do name resolution.

by CG IT (in reply to the original post)

DNS servers don't need to be domain controllers if all they are doing is being authoritative name servers for the FQDN.

A Domain Controller is for Directory Services and Windows Active Directory requires DNS to function properly.

by CG IT (in reply)

No one in their right mind would put Active Directory domain controllers for a private network [the real McCoy] in the DMZ zone. Not unless the guys run clustered ISA 2004 servers or something like it.

by curlergirl (in reply to the original post)

If the servers actually have public IP addresses (not behind a NAT router), then it is a HUGE security hole. Correcting the situation with the DNS servers would be easy, if you have other DCs in your organization (presumably on the private network, not in the DMZ). You could simply demote your two DNS servers to member servers, and that would at least make things more secure, if not completely remedy the situation. As long as they are still domain members, you have some exposure, but it's a lot better. The Exchange server, however, is a problem, because you can't demote a DC that has Exchange on it without corrupting your Exchange installation. Maybe you could get them to simply move this server onto the private network instead of having it in the DMZ? I can't think of any reason it really has to be in the DMZ, even if it's a front-end server.

Hope this helps!
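The two points raised in this thread (authoritative DNS in the DMZ does not need the DC role, and a DC on a public IP or carrying the GC or Exchange role is the real exposure) can be turned into a simple inventory check. The script below is an added example, not code from any poster; it uses a constructed host list in place of a real directory query, and the host names, IPs, zone labels and finding wording are assumptions. It classifies each DMZ domain controller by whether its address is publicly routable (outside RFC 1918) and which roles it carries, and names the remediation the thread discusses for each case: demote to a member server, or relocate when Exchange makes demotion impossible.

```python
"""Added example: inventory check for domain controllers exposed in a DMZ.

Not code from the forum thread. A constructed inventory stands in for a
real AD/DNS query; host names, IPs and the finding text are assumptions.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# RFC 1918 ranges. An address outside these (and outside loopback/link-local)
# is treated as publicly routable, i.e. "not behind a NAT router".
RFC1918 = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]


@dataclass(frozen=True)
class Host:
    name: str
    ip: str
    zone: str              # "dmz" or "internal" (assumed labels)
    is_dc: bool = False
    is_gc: bool = False
    runs_exchange: bool = False


def is_public(ip: str) -> bool:
    """True if the address is outside RFC 1918, loopback and link-local space."""
    addr = ipaddress.ip_address(ip)
    if addr.is_loopback or addr.is_link_local:
        return False
    return not any(addr in net for net in RFC1918)


def assess(host: Host) -> list[str]:
    """Return findings for one host, most severe first; empty list if out of scope."""
    findings: list[str] = []
    if host.zone != "dmz" or not host.is_dc:
        return findings        # only domain controllers in the DMZ are in scope
    if is_public(host.ip):
        findings.append("CRITICAL: domain controller reachable on a public IP")
    else:
        findings.append("HIGH: domain controller in the DMZ (NAT only)")
    if host.is_gc:
        findings.append("HIGH: global catalog (forest-wide directory copy) exposed in the DMZ")
    if host.runs_exchange:
        findings.append("REMEDIATE: Exchange on a DC cannot be demoted; move the server to the internal network")
    else:
        findings.append("REMEDIATE: demote to a member server (dcpromo); authoritative DNS does not need the DC role")
    return findings


def assess_inventory(hosts: list[Host]) -> dict[str, list[str]]:
    """Map host name -> findings for every host that has at least one."""
    report: dict[str, list[str]] = {}
    for host in hosts:
        findings = assess(host)
        if findings:
            report[host.name] = findings
    return report


# Constructed inventory mirroring the thread: two DNS DCs on public addresses and
# one NATed Exchange DC/GC in the DMZ, plus an internal DC for comparison.
# 203.0.113.0/24 (a documentation range) stands in for real public IPs.
INVENTORY = [
    Host("ns1", "203.0.113.10", "dmz", is_dc=True),
    Host("ns2", "203.0.113.11", "dmz", is_dc=True),
    Host("mail", "192.168.50.20", "dmz", is_dc=True, is_gc=True, runs_exchange=True),
    Host("dc01", "10.1.1.5", "internal", is_dc=True, is_gc=True),
]

if __name__ == "__main__":
    for name, findings in assess_inventory(INVENTORY).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```

The RFC 1918 test is done by hand rather than with `ipaddress`'s `is_private`, because that property also treats documentation ranges such as 203.0.113.0/24 as non-global, which would hide the very case the sample inventory is meant to show. On a real network the inventory would come from the directory (the DC and GC roles) and the firewall's address translation rules (whether the address is NATed), and the `is_public` check answers the question curlergirl raises first: whether the DC is actually reachable on a public address.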
