Security Basics mailing list archives
RE: DMZ and AD Authentication
From: jamesworld () intelligencia com
Date: Mon, 15 Dec 2003 20:57:01 -0600
Geoff, I second what Shawn said. If you can avoid it...don't do it. If however, you are stuck with an order from up high. Connect to the AD box thru the firewall via IPSEC.If you use NIDS, however, this will blind it to any attack's that might come thru is the web server was compromised.
I would recommend using the Cisco Security Agent (formerly Okena) on the web server.
The other thing you could do is use a Cisco ACS server to front end the AD authentication and have the web server authenticate to the ACS via RADIUS or TACACS. You will need to code the RADIUS integration (unless you can find it somewhere :-)
HTH, -James At 11:25 12/12/2003, Shawn Jackson wrote:
All you need LDAP access (TCP 389) to your Catalogue server. Even if you lock down your connection to the AD box, if someone compromises your IIS server they can gain a lot of information from your server. When we used this method with C# .Net we needed to have LDAP and Microsoft-DS (TCP 445) open to the server. Honestly, I would advise against placing a server in the DMZ that will access any part of your AD infrastructure; it's just not secure enough. If you absolutely had to authenticate with AD I'd suggest creating a simple program (Webpage (ASP, CGI, and CF) or .Net Service/Remote App that would take two parameters (Username and Password) and return a value, then just parse that value to get your logon result. Place that app on a 'non-critical' server and it will be far more secure then accessing AD directly. I can give you the code I use to access AD in C# and suggested implementation if you wish. Shawn Jackson Systems Administrator Horizon USA 1190 Trademark Dr #107 Reno NV 89521 www.horizonusa.com Email: sjackson () horizonusa com Phone: (775) 858-2338 (800) 325-1199 x338 -----Original Message----- From: Geoff.Shatz () pchelps com [mailto:Geoff.Shatz () pchelps com] Sent: Friday, December 12, 2003 7:33 AM To: security-basics () securityfocus com Subject: DMZ and AD Authentication We are in a situation where we are currently planning the move of our web server from an externally hosted solution to hosting the web server in house. As part of this move we will be implementing a new internal application that will run on the web server that will require authentication based on Active Directory account info. Obviously this will require that the web server has the ability to communicate with the AD domain controllers. That being the case will it still be possible to place this web server on a DMZ or will the amount of open ports required between the DMZ and LAN for the required authentication process severely mitigate the benefits of placing the server in the DMZ in the first place? Any and all suggestions and or strategies to accomplish this in the most secure fashion are welcome and appreciated. Thanks! Geoff ------------------------------------------------------------------------ --- ------------------------------------------------------------------------ ---- --------------------------------------------------------------------------- ----------------------------------------------------------------------------
--------------------------------------------------------------------------- ----------------------------------------------------------------------------
Current thread:
- DMZ and AD Authentication Geoff.Shatz (Dec 12)
- <Possible follow-ups>
- RE: DMZ and AD Authentication Shawn Jackson (Dec 15)
- RE: DMZ and AD Authentication jamesworld (Dec 16)
- RE: DMZ and AD Authentication JM (Dec 16)
- RE: DMZ and AD Authentication jamesworld (Dec 16)
- Re: DMZ and AD Authentication Mitchell Rowton (Dec 15)
- RE: DMZ and AD Authentication Rademacher Sgt Roger P (Dec 16)
- RE: DMZ and AD Authentication Shawn Jackson (Dec 17)
- RE: DMZ and AD Authentication jamesworld (Dec 17)