Security Basics mailing list archives

Re: Web conferencing server and AD


From: Brent Huston <lbhlists () gmail com>
Date: Wed, 2 Jan 2008 14:15:09 -0500

Inline.

--Brent Huston, CEO & Security Evangelist, MicroSolved, Inc.

On Jan 2, 2008, at 12:43 PM, Dan Lynch wrote:

Your company has chosen to implement a web-based teleconferencing
solution for all internal users, as well as outside vendors and such.
The conferencing app runs on IIS on a "hardened" Windows server
"appliance".

Do you:

A) install the box on the internal network
B) install the box on a DMZ network
C) install the box directly on the internet


C, if I have the capability to create a private, secure and monitored environment. B is second choice if I have to handle the ACL issues. For me, A would be a violation of our security policy - no access from the Internet directly to an internal resource.


The conferencing app allows meeting organizers to select invitees from a
list that's built from your Active Directory. Do you:

A) install the box as a member server and allow it to dynamically
populate the list
B) install the box as a standalone server and use LDAP to periodically
connect to your domain controller and sync a user list
C) install the box as a standalone server and periodically export a CSV
list from AD to manually import to the appliance


C would be my first choice, since it is the more secure approach and could be managed with a methodology to minimize the amount of data transferred to the outside and the complexity of firewall ACLs. I would, however, work on a method for automating this process using a push of specific data from inside to out using scripting/scheduling to remove the manual process resources required.

If those were not possible, then I would likely adopt B, once I performed an appropriate risk assessment and got proper upper management approvals on the identified and minimized accepted risks. ;-)

Thoughts?


Dan Lynch, CISSP
Information Technology Analyst
County of Placer
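As an added illustration of the "push of specific data from inside to out" that the reply above favours for option C, here is a small Python script (not part of this thread or of any product mentioned in it) that takes a raw user export from the directory and reduces it to the minimal list the appliance actually needs. The input format and column names are assumptions modelled on a csvde-style export; the sample rows are constructed. The filtering rules are the ones a defender would want before any data leaves the internal network: disabled accounts are dropped (the ACCOUNTDISABLE bit in userAccountControl), accounts with no mailbox are dropped, duplicates are collapsed, and only display name and e-mail survive. Everything else (department, phone, logon name) stays inside.

```python
import csv
import io

# Constructed sample standing in for a raw directory export (csvde-style).
# The appliance only needs a display name and an e-mail address; every other
# attribute is exactly the kind of data that should never cross the firewall.
RAW_AD_EXPORT = """\
sAMAccountName,displayName,mail,userAccountControl,department,telephoneNumber
jdoe,Jane Doe,jane.doe@example.org,512,Finance,555-0100
bsmith,Bob Smith,bob.smith@example.org,514,IT,555-0101
svc_backup,Backup Service,,66048,IT,
jdoe,Jane Doe,jane.doe@example.org,512,Finance,555-0100
tlee,Tom Lee,tom.lee@example.org,66048,Legal,555-0102
"""

ACCOUNTDISABLE = 0x0002                      # userAccountControl bit for disabled accounts
ALLOWED_COLUMNS = ("displayName", "mail")    # the only fields pushed to the appliance


def minimize_user_list(raw_csv: str):
    """Return only the rows and columns the appliance needs.

    Drops disabled accounts, accounts without a mailbox, malformed rows and
    duplicate addresses, and projects each row onto ALLOWED_COLUMNS.
    """
    reader = csv.DictReader(io.StringIO(raw_csv))
    seen = set()
    kept = []
    for row in reader:
        try:
            uac = int(row.get("userAccountControl") or 0)
        except ValueError:
            continue                          # malformed flag value: do not pass it along
        if uac & ACCOUNTDISABLE:
            continue                          # disabled accounts must not be invitable
        mail = (row.get("mail") or "").strip()
        if not mail:
            continue                          # service accounts etc. with no mailbox
        key = mail.lower()
        if key in seen:
            continue                          # same person exported twice
        seen.add(key)
        kept.append({col: row.get(col, "") for col in ALLOWED_COLUMNS})
    return kept


def to_appliance_csv(rows) -> str:
    """Serialize the minimized rows as the CSV that the scheduled push delivers."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=ALLOWED_COLUMNS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return out.getvalue()


if __name__ == "__main__":
    # Running this on the constructed sample yields two rows: Jane Doe and Tom Lee.
    print(to_appliance_csv(minimize_user_list(RAW_AD_EXPORT)))
```

The script is the inside half of the push: a scheduled task on an internal host would run it against a fresh export and copy the resulting file outbound to the appliance, so the only firewall rule required is a single internal-to-DMZ connection initiated from inside, and the appliance never holds credentials or a live channel into the directory.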
