


Firewall Rules: Keep AD out of the DMZ?

By robo_dev ·
Looking at several Windows boxes in a DMZ, and the firewall rules let them talk back to DC using the usual AD ports.

If a Windows host in a DMZ were compromised, couldn't this lead to further compromise since these boxes interact with Active Directory?

Or am I just being too paranoid?

My initial thought was to have these boxes not be part of a domain of any sort and disallow any Microsoft protocols at all. My thought is that port 53 or (obviously port 80) might be attack vectors.


All Answers


well the real question is

by CG IT In reply to Firewall Rules: Keep AD o ...

why are the boxes on the DMZ talking to DCs that are not in the DMZ?


Ignorance, laziness, excessive trust....

by robo_dev In reply to well the real question is

It seems that some admins have some infinite faith in all things Microsoft, and 'assume' that nobody could compromise one of these hosts if they're properly patched, hardened, and monitored. ( out for those icebergs, Captain Smith)

Doing more digging, there's a technology called ADFS (Active Directory Federated Services) that's part of Win2003 R2 that (allegedly) allows more secure AD interaction without having to punch all the holes in the firewall.


Still wanna know why hosts in the DMZ

by CG IT In reply to Ignorance, laziness, exce ...

need to talk with DCs on the LAN.

The whole point of a DMZ is to separate out public services from the private LAN. So why is a public server talking to a DC in the private LAN?


Thanks, you validate my concern.

by robo_dev In reply to Still wanna know why host ...

I believe that this is done for the convenience of the admins. They can run backup, do server monitoring, move files around more easily with active directory.

The good news is that the DMZ has lots of other features that keep things secure, but the holes punched in the firewall to let AD happen are a bad idea.

The other issue I've seen is the number of ports open between an Outlook Web Access box in the DMZ and an Exchange server inside the firewall. I think there's a bit of "let's open ports till it works" going on.
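As an added example (not part of the thread or any poster's code), here is a small audit script that flags DMZ-to-LAN firewall rules reaching the well-known Active Directory ports, plus the "any port" rules the last post describes. The rule format, zone names and sample rule set are constructed assumptions; adapt the parser to your firewall's export.

```python
"""Audit a firewall rule set for DMZ-to-LAN rules that expose Active Directory
ports. Rule format and sample rules are constructed for this example."""
from collections import namedtuple

# Well-known ports a domain member needs to reach a DC (not exhaustive).
AD_PORTS = {
    53: "DNS", 88: "Kerberos", 135: "RPC endpoint mapper", 389: "LDAP",
    445: "SMB", 464: "Kerberos kpasswd", 636: "LDAPS", 3268: "Global Catalog",
}

# dst_port is "any", a single port, or "low-high" (assumed export format).
Rule = namedtuple("Rule", "name src_zone dst_zone dst_port")

def rule_ports(port_spec):
    """Expand a port spec to a set of ints; None means 'any port'."""
    if port_spec == "any":
        return None
    if "-" in port_spec:
        low, high = (int(p) for p in port_spec.split("-", 1))
        return set(range(low, high + 1))
    return {int(port_spec)}

def ad_exposure(rules):
    """Return (rule name, finding) for DMZ->LAN rules that reach AD ports."""
    findings = []
    for r in rules:
        if r.src_zone != "dmz" or r.dst_zone != "lan":
            continue  # only the DMZ-to-internal direction matters here
        ports = rule_ports(r.dst_port)
        if ports is None:
            findings.append((r.name, "allows ANY port from DMZ to LAN"))
            continue
        hit = sorted(ports & set(AD_PORTS))
        if hit:
            names = ", ".join(f"{p}/{AD_PORTS[p]}" for p in hit)
            findings.append((r.name, f"exposes AD services: {names}"))
    return findings

# Constructed sample rule set resembling the thread's situation.
SAMPLE_RULES = [
    Rule("web-to-dc-dns", "dmz", "lan", "53"),
    Rule("web-to-dc-ldap", "dmz", "lan", "389"),
    Rule("owa-to-exchange", "dmz", "lan", "any"),  # "open ports till it works"
    Rule("web-to-db", "dmz", "lan", "1433"),
    Rule("lan-to-web", "lan", "dmz", "80"),
    Rule("backup-rpc", "dmz", "lan", "135-139"),
]
for name, finding in ad_exposure(SAMPLE_RULES):
    print(f"{name}: {finding}")
```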
