Network Security Firewalls

Re: AD in DMZ

Subject: Re: AD in DMZ
Date: Wed, 22 Sep 2004 18:26:27 +0200
Hello there!

> What "best practices" / tips can you share when faced with a
> requirement to place Active Directory within DMZ's?
> Yes, I know we're all told this is a no-no, but I'm sure there's
> some implementations where this is being done, with some
> intelligence to thwart the major issues...
>
> I would imagine suggestions would focus on trusts / replication /
> OS lockdown
>
> Any real experiences with breaches caused by AD in DMZ segments?

Yes, there are. In my case, my boss wanted centrally managed
authentications and permissions management on all our web hosting
servers ( http, databases, ftp, mail, web office). More specifically:
one administrator password needed to be valid in order to log
into any server.

I had three options:

1> telling him not to do that. Didn't work.
2> using Active Directory and reading some system hardening
documentation
3> finding a third-party provider.

First thing, AD could do all of this. Second thing: it is tightly
integrated into Windows. Third (political) thing: I don't trust
'by default' configured MS products, but I trust them when it
comes to personalizing your system when you know what you're
doing. I am talking about disabling unknown services, setting
file permissions correctly, requiring high password complexity,
setting up robust audit and monitoring structures, configuring
IPsec, implementing a strong patch management policy and simply
configuring the system to do what it should do.

I often saw people saying 'don't use AD in a DMZ!' but when
you asked them why, they could only answer 'because it's not
secure!'. This is not an argument.

My 2 swiss cents ;)

.antoine





------------oOoo---Ôô----ooOo---------------------------
Antonio FONTES    (well, me, actually)
http://www.nxtg.net/saphyr/  (everything and nothing, in French)
http://www.nxtg.net/is/ (blog - web developer)
E-mail: prenom.nom@mondomaine.net
-------------------------------------------------------------
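The reply above lists the hardening work it relies on (unknown services, file permissions, password complexity, auditing, IPsec, patching) without showing how to check any of it. The script below is an added example, not code from the original post or its author: a quick audit of those items on a Windows domain controller or domain-joined server sitting in a DMZ. It assumes the ActiveDirectory and NetSecurity PowerShell modules are present (Windows Server 2012 or later, or RSAT on a member server), and the service allowlist is a constructed placeholder that must be tuned to the host's real role.

```powershell
# Added example (not from the original post): a hardening audit for a
# domain controller or domain-joined host in a DMZ. Assumes the
# ActiveDirectory and NetSecurity modules are available and that the
# service allowlist below is adjusted to what this host is supposed to run.
#Requires -RunAsAdministrator

# Constructed allowlist (assumption): services expected on this DMZ host.
# Anything else found running is reported for review.
$ExpectedServices = @(
    'Dnscache','EventLog','LanmanServer','LanmanWorkstation','Netlogon',
    'NTDS','DNS','Kdc','W32Time','WinRM','RpcSs','Dhcp','PolicyAgent',
    'BFE','MpsSvc','wuauserv','TermService'
)

function Get-UnexpectedService {
    # "Disabling unknown services": list running services not on the allowlist.
    param([string[]]$Allowlist = $ExpectedServices)
    Get-Service |
        Where-Object { $_.Status -eq 'Running' -and $_.Name -notin $Allowlist } |
        Select-Object Name, DisplayName
}

function Test-PasswordPolicy {
    # Domain-wide defaults; a fine-grained password policy (PSO) may override
    # these for specific groups, so check those separately if they exist.
    $p = Get-ADDefaultDomainPasswordPolicy
    [pscustomobject]@{
        ComplexityEnabled = $p.ComplexityEnabled
        MinPasswordLength = $p.MinPasswordLength
        LockoutThreshold  = $p.LockoutThreshold
        Compliant         = ($p.ComplexityEnabled -and
                             $p.MinPasswordLength -ge 14 -and
                             $p.LockoutThreshold -gt 0)
    }
}

function Get-UnauditedSubcategory {
    # "Robust audit structures": auditpol /r emits CSV; any subcategory still
    # at "No Auditing" is a gap to close through local or group policy.
    $rows = auditpol /get /category:* /r | ConvertFrom-Csv
    $rows | Where-Object { $_.'Inclusion Setting' -eq 'No Auditing' } |
        Select-Object Subcategory, 'Inclusion Setting'
}

function Test-IPsecPresent {
    # "Configuring IPsec": an enabled connection security rule in the active
    # store shows IPsec is at least configured; review rule scope by hand.
    $rules = Get-NetIPsecRule -PolicyStore ActiveStore -ErrorAction SilentlyContinue |
        Where-Object { $_.Enabled -eq 'True' }
    [pscustomobject]@{
        EnabledRules = @($rules).Count
        Present      = (@($rules).Count -gt 0)
    }
}

function Test-PatchCurrency {
    # "Strong patch management": flag a host whose newest hotfix is older
    # than $MaxAgeDays. Get-HotFix only sees updates with an install date.
    param([int]$MaxAgeDays = 30)
    $latest = Get-HotFix | Where-Object { $_.InstalledOn } |
        Sort-Object InstalledOn -Descending | Select-Object -First 1
    $age = if ($latest) { (Get-Date) - $latest.InstalledOn } else { $null }
    [pscustomobject]@{
        LatestHotFix = $latest.HotFixID
        AgeDays      = if ($null -ne $age) { [int]$age.TotalDays } else { $null }
        Compliant    = ($null -ne $age -and $age.TotalDays -le $MaxAgeDays)
    }
}

# Run every check and print one report for the host.
'== Running services not on the allowlist =='
Get-UnexpectedService | Format-Table -AutoSize
'== Domain password policy =='
Test-PasswordPolicy | Format-List
'== Audit subcategories with no auditing =='
Get-UnauditedSubcategory | Format-Table -AutoSize
'== IPsec connection security rules =='
Test-IPsecPresent | Format-List
'== Patch currency =='
Test-PatchCurrency | Format-List
```

The checks are deliberately read-only: run them on the DMZ host, then fix findings through group policy rather than by hand so the settings survive a rebuild. File permissions are not covered here because what "correct" means depends entirely on the applications hosted; audit those paths against the application's documentation.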
