Security Basics mailing list archives

RE: DMZ and AD Authentication


From: "Shawn Jackson" <sjackson () horizonusa com>
Date: Fri, 12 Dec 2003 09:25:30 -0800


        All you need is LDAP access (TCP 389) to your Catalogue server.
Even if you lock down your connection to the AD box, if someone
compromises your IIS server they can gain a lot of information from your
server. When we used this method with C# .Net we needed to have LDAP and
Microsoft-DS (TCP 445) open to the server.

        Honestly, I would advise against placing a server in the DMZ
that will access any part of your AD infrastructure; it's just not
secure enough. If you absolutely had to authenticate with AD I'd suggest
creating a simple program (Webpage (ASP, CGI, and CF) or .Net
Service/Remote App) that would take two parameters (Username and
Password) and return a value, then just parse that value to get your
logon result. Place that app on a 'non-critical' server and it will be
far more secure than accessing AD directly.

        I can give you the code I use to access AD in C# and suggested
implementation if you wish.

Shawn Jackson
Systems Administrator
Horizon USA
1190 Trademark Dr #107
Reno NV 89521
www.horizonusa.com
 
Email: sjackson () horizonusa com
Phone: (775) 858-2338
       (800) 325-1199 x338

-----Original Message-----
From: Geoff.Shatz () pchelps com [mailto:Geoff.Shatz () pchelps com] 
Sent: Friday, December 12, 2003 7:33 AM
To: security-basics () securityfocus com
Subject: DMZ and AD Authentication

We are in a situation where we are currently planning the move of our
web server from an externally hosted solution to hosting the web server
in house. As part of this move we will be implementing a new internal
application that will run on the web server that will require
authentication based on Active Directory account info. Obviously this
will require that the web server has the ability to communicate with the
AD domain controllers. That being the case will it still be possible to
place this web server on a DMZ or will the amount of open ports required
between the DMZ and LAN for the required authentication process severely
mitigate the benefits of placing the server in the DMZ in the first
place? Any and all suggestions and/or strategies to accomplish this in
the most secure fashion are welcome and appreciated. Thanks!

Geoff
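The "take two parameters, return a value" broker that the reply above suggests, written out as an added example (not Shawn's C# code, and not part of the original thread). The DMZ web server never speaks LDAP; it sends a username/password pair to this broker on an internal, non-critical host and parses back one of three tokens. The broker is the only component that needs TCP 389 to a domain controller. The actual LDAP simple bind is injected as a callable so the module runs offline; `FAKE_DIRECTORY`, `fake_bind`, the domain name `CORP` and the throttle values are constructed stand-ins, and a production deployment would substitute a real bind (for example with an LDAP client library) over TLS. Two checks go beyond what the reply states: the username is restricted to a safe character set before it can reach the directory (blocking LDAP filter/DN injection), and an empty password is rejected up front, because a simple bind with a DN and an empty password is an RFC 4513 "unauthenticated bind" that many directories, Active Directory in its default configuration included, answer with success.

```python
"""AD authentication broker: (username, password) -> 'OK' | 'FAIL' | 'THROTTLED'.

Added example, not the mailing-list poster's code.  The real LDAP bind is
injected as `bind(dn, password) -> bool`; everything marked constructed
below exists only so the module runs without a domain controller.
"""
import re
import time
from typing import Callable, Dict, List

# sAMAccountName-style names only.  Rejecting anything else before it
# reaches LDAP keeps filter/DN metacharacters such as * ( ) \ , and NUL
# out of the directory query.
_USERNAME_RE = re.compile(r"[A-Za-z0-9._-]{1,20}")

# Per-user failure throttle so a compromised DMZ host cannot use the
# broker as a password-spraying proxy into AD.  (Hypothetical values.)
MAX_FAILURES = 5
LOCKOUT_SECONDS = 300

BindFn = Callable[[str, str], bool]  # (bind name, password) -> bind succeeded?


class AuthBroker:
    def __init__(self, bind: BindFn, domain: str,
                 now: Callable[[], float] = time.time):
        self._bind = bind
        self._domain = domain          # constructed NetBIOS domain name
        self._now = now                # injectable clock, for testing
        self._failures: Dict[str, List[float]] = {}  # user -> [count, since]

    def _throttled(self, user: str) -> bool:
        rec = self._failures.get(user.lower())
        if rec is None:
            return False
        count, since = rec
        if self._now() - since > LOCKOUT_SECONDS:
            del self._failures[user.lower()]   # window expired, start over
            return False
        return count >= MAX_FAILURES

    def _record_failure(self, user: str) -> None:
        key = user.lower()
        count, since = self._failures.get(key, [0, self._now()])
        self._failures[key] = [count + 1, since]

    def check(self, username: str, password: str) -> str:
        """Return exactly one opaque token.  No LDAP error text and no
        'no such user' vs 'bad password' distinction ever leaves the
        broker, so a compromised web server learns only valid/invalid."""
        if not _USERNAME_RE.fullmatch(username):
            return "FAIL"
        # RFC 4513 unauthenticated bind: DN + empty password is accepted
        # as an anonymous bind by many directories.  Never forward it.
        if password == "":
            return "FAIL"
        if self._throttled(username):
            return "THROTTLED"
        if self._bind(f"{self._domain}\\{username}", password):
            self._failures.pop(username.lower(), None)
            return "OK"
        self._record_failure(username)
        return "FAIL"


# --- constructed stand-in for the domain so the example runs offline ---
FAKE_DIRECTORY = {"CORP\\alice": "correct horse battery staple"}


def fake_bind(dn: str, password: str) -> bool:
    """Mimics a directory that treats an empty-password bind as success."""
    if password == "":
        return True                    # the pitfall the broker guards against
    return FAKE_DIRECTORY.get(dn) == password


def parse_broker_result(token: str) -> bool:
    """DMZ side: the only parsing the web server has to do."""
    return token.strip() == "OK"


if __name__ == "__main__":
    broker = AuthBroker(fake_bind, "CORP")
    for user, pw in [("alice", "correct horse battery staple"),
                     ("alice", "wrong"), ("alice", ""), ("a*)", "x")]:
        print(f"{user!r} / {pw!r} -> {broker.check(user, pw)}")
```

Because the DMZ host only ever sees the three tokens, a compromise there yields no directory contents, no LDAP error strings and no way to enumerate accounts faster than the throttle allows; the broker itself should still run under a low-privilege service account and be reachable only from the web server's address.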
