-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Have you looked into using securid or similar token based
authentication? If you already have an ace server, it is a great way
to protect the accounts on your DMZ hosts.
dmz
sven.de.jonghe@kindengezin.be wrote:
|
| Hi,
|
| We have a bunch of admins that need to administer servers in the
| DMZ using Terminal Services. Up till now, they are all logging in
| using the same administrator account on the server. I would prefer
| having them log in using their domain account but obviously, the
| DMZ servers are not domain members. What would be the most secure
| way to set up authentication in the DMZ? Should I create a new
| domain in the DMZ and make all servers member of this new domain
| and provide a one way trust to our LAN Domain? Would it be good to
| have both DC's communicate via IPSEC? I don't want any replication
| of LAN accounts to the DMZ. I also don't need authentication
| between servers in the DMZ or webusers logging in a website. I just
| need admins logging on remotely via TS to be authenticated by our
| LAN DC. Is all this a good idea? What are the possible threats
| involved?
|
| thanx
|
|
|
- --
/----------------------------------------------------------\
~ David M. Zendzian * dmz@dmzs.com
~ D3FF FD6F 9DB6 C74B E14A 0D19 9730 1513 6B59 B9BD
~ (415) 867-7812 - phone (510) 549-9187 - fax
~ -------------
~ Imagination is greater than knowledge * Albert Einstein
~ Every day is a good day, whether you like it or not! * DMZ
\----------------------------------------------------------/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (GNU/Linux)
iD8DBQFCG252lzAVE2tZub0RAi7JAKCQHDsQzpgAmjrHNoVNnDe1JPkfHACgz1xG
4o1OlaY8EL/EDYRDUgdeE+I=
=Xjhg
-----END PGP SIGNATURE-----
