Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Web-App-Sec
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: AD in the DMZ

from [Non Proprio] Network Security [Permanent Link]
Subject: Re: AD in the DMZ
Date: Sun, 31 Oct 2004 16:06:55 -0600 (CST) 
Wow, great minds think alike. My developers have the exact same thing in mind.

I'm torn between getting 'business done" and demanding a better form of 
identity management. The problem is that there's not time to really implement a 
full solution, so what I'm faced with is having to get customers connected in a 
world of Microsoft AD. 

Since the development team has bitten into Microsoft hook, line and sinker 
we're faced with a real business issue.

What about Microsoft's "identity management" application? Has anyone fiddled 
with this in reference to web apps?



On Oct 28, 2004 04:26 PM, Jeffrey Gorton <jpgorton@swbell.net> wrote:


I am aware of an internet-facing web application that is running on
Microsoft SharePoint and using an Active Directory forest (that resides in a
separate firewalled network segment) for user authentication.  There is also
a one-way trust relationship with the AD forest on the internal network (the
DMZ AD trusts the internal AD) so that internal users can access DMZ
resources.  There is a firewall between the two AD forests, but the LDAP and
necessary Windows ports are open.

An Internet user authenticates with a DMZ AD account.  An internal user
authenticates into the internal AD and then accesses DMZ resources (the DMZ
AD contacts the internal AD for authentication).

It seems to me that, if the SharePoint server is compromised, the attacker
will be able to enumerate users on the internal AD.  Is this so?  What are
the problems with this design?

Thanks.
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  New Whitepaper - "Second-order Code Injection Attacks", WebAppSecurity [Technicalinfo.net]
Next by Date:  RE: advice needed - secure transfer of client details, Michael Silk
Previous by Thread:  New Whitepaper - "Second-order Code Injection Attacks", WebAppSecurity [Technicalinfo.net]
Next by Thread:  RE: AD in the DMZ, Harper.Matthew
Indexes:  [Date] [Thread] [Top] [All Lists]