RE: AD in the DMZ . . . OK?

["Handy, Mark (IT)" <Mark.Handy () morganstanley com>]

Alternatively, host a separate AD structure purely for your DMZ
infrastructure and have a site to site communication set up through the
firewall if needed.

Mark 

-----Original Message-----
From: Dieter Sarrazyn [mailto:dsr () ascure com] 
Sent: 30 July 2004 06:09
To: security-basics () securityfocus com
Subject: RE: AD in the DMZ . . . OK?

Wouldn't using LDAP be a solution here? Every AD system is in fact also
an ldap server.

If the only thing needed is authentication with userid/password, then
this is fairly simple to do. A special group could be created containing
all users that are allowed to use this type of authentication. Using a
"ldap-read" user which has only read access to this group is pretty
secure I guess.

Regards,
Dieter 

> -----Original Message-----
> From: Roger A. Grimes [mailto:roger () banneretcs com]
> Sent: donderdag 29 juli 2004 4:51
> To: karl; security-basics () securityfocus com
> Subject: RE: AD in the DMZ . . . OK?
>
> Karl, why I can't say I'm an expert on the subject, all I can say is 
> to use caution and think about the risks that are involved (which you 
> are already doing by sending out this email).  If I were to expose any

> AD domain to the DMZ, I would take great pains to secure it using 
> additional methods (i.e. IPSec, SSL with client authentication 
> certificates, VPN, RRAS, Network Access Quarantine Control, etc.) to 
> secure and authenticate the communication channel.  For a couple of
> reasons:
>
> 1.  First AD with W2K and above, likes to use Kerberos as the default 
> user authentication protocol.  Kerberos is significantly stronger than

> its predecessors (LM, NTLM, and NTLMv2).  If users connect to your AD 
> on the DMZ and don't have a secure VPN tunnel that supports Kerberos, 
> then they will connect using one of the earlier protocols, all of 
> which have been successfully attacked using brute force methods.
> Unless you have LM hashing turned off, I maybe able to capture LM 
> password hashes in the traffic and compromise passwords.
>
> 2.  Unless you have SID filtering turned on, it may be possible for a 
> lesser authenticated security principal account (other requirements
> apply) to elevate their privileges using the SID History trick.
>
> 3.  Unless you have your anonymous enumeration permissions set 
> securely, a remote hacker may be able to enumerate your AD objects.
>
> 4.  If I was a malicious hacker and I knew you were authenticating 
> your network user accounts on your DMZ, I would try my best to 
> successfully compromise your DMZ and sniff traffic.
>
> This is just a few things I would worry about.  A secure 
> communication's tunnel and/or a properly designed .NET app can 
> minimize the risk.  So the real answer is that yes, putting AD on the 
> DMZ elevates your risk of compromise, but that elevated risk can be 
> minimized by taking additional countermeasures.  And security risk is 
> always just a cost/benefit trade off.
>
> Roger
>
> **************************************************************
> **********
> ***
> *Roger A. Grimes, Banneret Computer Security, Computer Security 
> Consultant *CPA, CISSP, MCSE: Security (NT/2000/2003/MVP), CNE (3/4), 
> A+
> *email: roger () banneretcs com
> *cell: 757-615-3355
> *Author of Malicious Mobile Code:  Virus Protection for Windows by 
> O'Reilly *http://www.oreilly.com/catalog/malmobcode
> *Author of upcoming Honeypots for Windows (Apress)
> **************************************************************
> **********
> ****
>
> -----Original Message-----
> From: karl [mailto:opium () runningriver co uk]
> Sent: Wednesday, July 28, 2004 6:49 AM
> To: security-basics () securityfocus com
> Subject: AD in the DMZ . . . OK?
>
> Hello
>
> One of the developers I work with has come up with a wild and crazy 
> notion to write a .NET app that sits on a DMZ Web server but gets user

> information from the Active Directory on the other side of the 
> firewall..
>
> I'm inexperienced with this, so did some research and found that this 
> kind of thing is possible (plenty of articles on putting Exchange 
> servers in the DMZ), but found myself wondering if this ever happens, 
> i.e. do people actually have their networks set up this way?  Do folk 
> expose/replicate AD to the DMZ in practice?
>
> It's all very well that this stuff is possible, but if it's perceived 
> as insecure and not implementable in the real world . . . . . . .
>
> Thanks for any advice . . . . .
>
> Karl
>
>
> --------------------------------------------------------------
> ----------
> ---
> Ethical Hacking at the InfoSec Institute. Mention this ad and get $545

> off any course! All of our class sizes are guaranteed to be 10 
> students or less to facilitate one-on-one interaction with one of our 
> expert instructors.
> Attend a course taught by an expert instructor with years of 
> in-the-field pen testing experience in our state of the art hacking 
> lab.
> Master the skills of an Ethical Hacker to better assess the security 
> of your organization.
> Visit us at: 
> http://www.infosecinstitute.com/courses/ethical_hacking_training.html
> --------------------------------------------------------------
> ----------
> ----
>
>
>
>
> --------------------------------------------------------------
> -------------
> Ethical Hacking at the InfoSec Institute. Mention this ad and get $545

> off any course! All of our class sizes are guaranteed to be 10 
> students or less to facilitate one-on-one interaction with one of our 
> expert instructors.
> Attend a course taught by an expert instructor with years of 
> in-the-field pen testing experience in our state of the art hacking 
> lab. Master the skills of an Ethical Hacker to better assess the 
> security of your organization.
> Visit us at: 
> http://www.infosecinstitute.com/courses/ethical_hacking_training.html
> --------------------------------------------------------------
> --------------

------------------------------------------------------------------------
---
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545
off any course! All of our class sizes are guaranteed to be 10 students
or less to facilitate one-on-one interaction with one of our expert
instructors. 
Attend a course taught by an expert instructor with years of
in-the-field pen testing experience in our state of the art hacking lab.
Master the skills of an Ethical Hacker to better assess the security of
your organization. 
Visit us at: 
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
------------------------------------------------------------------------
---- 
--------------------------------------------------------
 
NOTICE: If received in error, please destroy and notify sender.  Sender does not waive confidentiality or privilege, 
and use is prohibited. 
 

---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off
any course! All of our class sizes are guaranteed to be 10 students or less
to facilitate one-on-one interaction with one of our expert instructors.
Attend a course taught by an expert instructor with years of in-the-field
pen testing experience in our state of the art hacking lab. Master the skills
of an Ethical Hacker to better assess the security of your organization.
Visit us at:
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------