Security Basics mailing list archives

Re: AD in the DMZ . . . OK?

From: "Peter Van Eeckhoutte" <peter.ve () telenet be>
Date: Fri, 30 Jul 2004 19:44:42 +0200

Ldap, as Dieter mentioned, is definitely an option...
However, you may want to use S-Ldap, which will make sure the credentials
are not passed on in clear text

----- Original Message ----- 
From: "Dieter Sarrazyn" <dsr () ascure com>
To: <security-basics () securityfocus com>
Sent: Friday, July 30, 2004 7:09 AM
Subject: RE: AD in the DMZ . . . OK?

Wouldn't using LDAP be a solution here? Every AD system is in fact also
an ldap server.

If the only thing needed is authentication with userid/password, then
this is fairly simple to do. A special group could be created containing
all users that are allowed to use this type of authentication. Using a
"ldap-read" user which has only read access to this group is pretty
secure I guess.

Regards,
Dieter

-----Original Message-----
From: Roger A. Grimes [mailto:roger () banneretcs com]
Sent: donderdag 29 juli 2004 4:51
To: karl; security-basics () securityfocus com
Subject: RE: AD in the DMZ . . . OK?

Karl, why I can't say I'm an expert on the subject, all I can
say is to use caution and think about the risks that are
involved (which you are already doing by sending out this
email).  If I were to expose any AD domain to the DMZ, I
would take great pains to secure it using additional methods
(i.e. IPSec, SSL with client authentication certificates,
VPN, RRAS, Network Access Quarantine Control, etc.) to secure
and authenticate the communication channel.  For a couple of
reasons:

1.  First AD with W2K and above, likes to use Kerberos as the
default user authentication protocol.  Kerberos is
significantly stronger than its predecessors (LM, NTLM, and
NTLMv2).  If users connect to your AD on the DMZ and don't
have a secure VPN tunnel that supports Kerberos, then they
will connect using one of the earlier protocols, all of which
have been successfully attacked using brute force methods.
Unless you have LM hashing turned off, I maybe able to
capture LM password hashes in the traffic and compromise passwords.

2.  Unless you have SID filtering turned on, it may be
possible for a lesser authenticated security principal
account (other requirements
apply) to elevate their privileges using the SID History trick.

3.  Unless you have your anonymous enumeration permissions
set securely, a remote hacker may be able to enumerate your
AD objects.

4.  If I was a malicious hacker and I knew you were
authenticating your network user accounts on your DMZ, I
would try my best to successfully compromise your DMZ and
sniff traffic.

This is just a few things I would worry about.  A secure
communication's tunnel and/or a properly designed .NET app
can minimize the risk.  So the real answer is that yes,
putting AD on the DMZ elevates your risk of compromise, but
that elevated risk can be minimized by taking additional
countermeasures.  And security risk is always just a
cost/benefit trade off.

Roger

**************************************************************
**********
***
*Roger A. Grimes, Banneret Computer Security, Computer
Security Consultant *CPA, CISSP, MCSE: Security
(NT/2000/2003/MVP), CNE (3/4), A+
*email: roger () banneretcs com
*cell: 757-615-3355
*Author of Malicious Mobile Code:  Virus Protection for
Windows by O'Reilly *http://www.oreilly.com/catalog/malmobcode
*Author of upcoming Honeypots for Windows (Apress)
**************************************************************
**********
****

-----Original Message-----
From: karl [mailto:opium () runningriver co uk]
Sent: Wednesday, July 28, 2004 6:49 AM
To: security-basics () securityfocus com
Subject: AD in the DMZ . . . OK?

Hello

One of the developers I work with has come up with a wild and
crazy notion to write a .NET app that sits on a DMZ Web
server but gets user information from the Active Directory on
the other side of the firewall..

I'm inexperienced with this, so did some research and found
that this kind of thing is possible (plenty of articles on
putting Exchange servers in the DMZ), but found myself
wondering if this ever happens, i.e. do people actually have
their networks set up this way?  Do folk expose/replicate AD
to the DMZ in practice?

It's all very well that this stuff is possible, but if it's
perceived as insecure and not implementable in the real world
. . . . . . .

Thanks for any advice . . . . .

Karl

--------------------------------------------------------------
----------
---
Ethical Hacking at the InfoSec Institute. Mention this ad and
get $545 off any course! All of our class sizes are
guaranteed to be 10 students or less to facilitate one-on-one
interaction with one of our expert instructors.
Attend a course taught by an expert instructor with years of
in-the-field pen testing experience in our state of the art
hacking lab.
Master the skills of an Ethical Hacker to better assess the
security of your organization.
Visit us at:
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
--------------------------------------------------------------
----------
----

--------------------------------------------------------------
-------------
Ethical Hacking at the InfoSec Institute. Mention this ad and
get $545 off any course! All of our class sizes are
guaranteed to be 10 students or less to facilitate one-on-one
interaction with one of our expert instructors.
Attend a course taught by an expert instructor with years of
in-the-field pen testing experience in our state of the art
hacking lab. Master the skills of an Ethical Hacker to better
assess the security of your organization.
Visit us at:
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
--------------------------------------------------------------
--------------


---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off
any course! All of our class sizes are guaranteed to be 10 students or less
to facilitate one-on-one interaction with one of our expert instructors.
Attend a course taught by an expert instructor with years of in-the-field
pen testing experience in our state of the art hacking lab. Master the
skills
of an Ethical Hacker to better assess the security of your organization.
Visit us at:
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------




---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off 
any course! All of our class sizes are guaranteed to be 10 students or less 
to facilitate one-on-one interaction with one of our expert instructors. 
Attend a course taught by an expert instructor with years of in-the-field 
pen testing experience in our state of the art hacking lab. Master the skills 
of an Ethical Hacker to better assess the security of your organization. 
Visit us at: 
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------

Current thread:

AD in the DMZ . . . OK? karl (Jul 28)
- Re: AD in the DMZ . . . OK? Pierre A. Cadieux (Jul 29)
- Re: AD in the DMZ . . . OK? Oleg K . Artemjev (Jul 29)
- Re: AD in the DMZ . . . OK? Tomasz Onyszko (Jul 29)
- <Possible follow-ups>
- RE: AD in the DMZ . . . OK? Roger A. Grimes (Jul 29)
- Re: AD in the DMZ . . . OK? Ivan Coric (Jul 30)
- RE: AD in the DMZ . . . OK? Dieter Sarrazyn (Jul 30)
  - Re: AD in the DMZ . . . OK? Ansgar -59cobalt- Wiechers (Jul 31)
  - Re: AD in the DMZ . . . OK? Peter Van Eeckhoutte (Jul 31)
- RE: AD in the DMZ . . . OK? Handy, Mark (IT) (Jul 30)
- RE: AD in the DMZ . . . OK? Ferino Mardo (Jul 30)