RE: AD in the DMZ . . . OK?

["Dieter Sarrazyn" <dsr () ascure com>]

Wouldn't using LDAP be a solution here? Every AD system is in fact also
an ldap server.

If the only thing needed is authentication with userid/password, then
this is fairly simple to do. A special group could be created containing
all users that are allowed to use this type of authentication. Using a
"ldap-read" user which has only read access to this group is pretty
secure I guess.

Regards,
Dieter 

> -----Original Message-----
> From: Roger A. Grimes [mailto:roger () banneretcs com] 
> Sent: donderdag 29 juli 2004 4:51
> To: karl; security-basics () securityfocus com
> Subject: RE: AD in the DMZ . . . OK?
>
> Karl, why I can't say I'm an expert on the subject, all I can 
> say is to use caution and think about the risks that are 
> involved (which you are already doing by sending out this 
> email).  If I were to expose any AD domain to the DMZ, I 
> would take great pains to secure it using additional methods 
> (i.e. IPSec, SSL with client authentication certificates, 
> VPN, RRAS, Network Access Quarantine Control, etc.) to secure 
> and authenticate the communication channel.  For a couple of
> reasons:
>
> 1.  First AD with W2K and above, likes to use Kerberos as the 
> default user authentication protocol.  Kerberos is 
> significantly stronger than its predecessors (LM, NTLM, and 
> NTLMv2).  If users connect to your AD on the DMZ and don't 
> have a secure VPN tunnel that supports Kerberos, then they 
> will connect using one of the earlier protocols, all of which 
> have been successfully attacked using brute force methods.  
> Unless you have LM hashing turned off, I maybe able to 
> capture LM password hashes in the traffic and compromise passwords.
>
> 2.  Unless you have SID filtering turned on, it may be 
> possible for a lesser authenticated security principal 
> account (other requirements
> apply) to elevate their privileges using the SID History trick.
>
> 3.  Unless you have your anonymous enumeration permissions 
> set securely, a remote hacker may be able to enumerate your 
> AD objects.
>
> 4.  If I was a malicious hacker and I knew you were 
> authenticating your network user accounts on your DMZ, I 
> would try my best to successfully compromise your DMZ and 
> sniff traffic.
>
> This is just a few things I would worry about.  A secure 
> communication's tunnel and/or a properly designed .NET app 
> can minimize the risk.  So the real answer is that yes, 
> putting AD on the DMZ elevates your risk of compromise, but 
> that elevated risk can be minimized by taking additional 
> countermeasures.  And security risk is always just a 
> cost/benefit trade off.
>
> Roger
>
> **************************************************************
> **********
> ***
> *Roger A. Grimes, Banneret Computer Security, Computer 
> Security Consultant *CPA, CISSP, MCSE: Security 
> (NT/2000/2003/MVP), CNE (3/4), A+
> *email: roger () banneretcs com
> *cell: 757-615-3355
> *Author of Malicious Mobile Code:  Virus Protection for 
> Windows by O'Reilly *http://www.oreilly.com/catalog/malmobcode
> *Author of upcoming Honeypots for Windows (Apress)
> **************************************************************
> **********
> ****
>
> -----Original Message-----
> From: karl [mailto:opium () runningriver co uk]
> Sent: Wednesday, July 28, 2004 6:49 AM
> To: security-basics () securityfocus com
> Subject: AD in the DMZ . . . OK?
>
> Hello
>
> One of the developers I work with has come up with a wild and 
> crazy notion to write a .NET app that sits on a DMZ Web 
> server but gets user information from the Active Directory on 
> the other side of the firewall..
>
> I'm inexperienced with this, so did some research and found 
> that this kind of thing is possible (plenty of articles on 
> putting Exchange servers in the DMZ), but found myself 
> wondering if this ever happens, i.e. do people actually have 
> their networks set up this way?  Do folk expose/replicate AD 
> to the DMZ in practice?
>
> It's all very well that this stuff is possible, but if it's 
> perceived as insecure and not implementable in the real world 
> . . . . . . .
>
> Thanks for any advice . . . . .
>
> Karl
>
>
> --------------------------------------------------------------
> ----------
> ---
> Ethical Hacking at the InfoSec Institute. Mention this ad and 
> get $545 off any course! All of our class sizes are 
> guaranteed to be 10 students or less to facilitate one-on-one 
> interaction with one of our expert instructors. 
> Attend a course taught by an expert instructor with years of 
> in-the-field pen testing experience in our state of the art 
> hacking lab.
> Master the skills of an Ethical Hacker to better assess the 
> security of your organization. 
> Visit us at: 
> http://www.infosecinstitute.com/courses/ethical_hacking_training.html
> --------------------------------------------------------------
> ----------
> ----
>
>
>
>
> --------------------------------------------------------------
> -------------
> Ethical Hacking at the InfoSec Institute. Mention this ad and 
> get $545 off any course! All of our class sizes are 
> guaranteed to be 10 students or less to facilitate one-on-one 
> interaction with one of our expert instructors. 
> Attend a course taught by an expert instructor with years of 
> in-the-field pen testing experience in our state of the art 
> hacking lab. Master the skills of an Ethical Hacker to better 
> assess the security of your organization. 
> Visit us at: 
> http://www.infosecinstitute.com/courses/ethical_hacking_training.html
> --------------------------------------------------------------
> --------------

---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off
any course! All of our class sizes are guaranteed to be 10 students or less
to facilitate one-on-one interaction with one of our expert instructors.
Attend a course taught by an expert instructor with years of in-the-field
pen testing experience in our state of the art hacking lab. Master the skills
of an Ethical Hacker to better assess the security of your organization.
Visit us at:
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------