WebApp Sec mailing list archives

RE: AD in the DMZ

From: "Harper.Matthew" <Matthew.Harper () SunTrust com>
Date: Tue, 2 Nov 2004 07:44:06 -0500

Have you looked at ADAM (AD application mode)?  "pure" LDAP and AD
compatible with none of the annoying AD hooks. 

-----Original Message-----
From: Non Proprio [mailto:non () synaxis org] 
Sent: Sunday, October 31, 2004 5:07 PM
To: Jeffrey Gorton
Cc: webappsec () securityfocus com
Subject: Re: AD in the DMZ

Wow, great minds think alike. My developers have the exact same thing in
mind.

I'm torn between getting 'business done" and demanding a better form of
identity management. The problem is that there's not time to really
implement a full solution, so what I'm faced with is having to get
customers connected in a world of Microsoft AD. 

Since the development team has bitten into Microsoft hook, line and
sinker we're faced with a real business issue.

What about Microsoft's "identity management" application? Has anyone
fiddled with this in reference to web apps?

On Oct 28, 2004 04:26 PM, Jeffrey Gorton <jpgorton () swbell net> wrote:

I am aware of an internet-facing web application that is running on 
Microsoft SharePoint and using an Active Directory forest (that 
resides in a separate firewalled network segment) for user 
authentication.  There is also a one-way trust relationship with the 
AD forest on the internal network (the DMZ AD trusts the internal AD) 
so that internal users can access DMZ resources.  There is a firewall 
between the two AD forests, but the LDAP and necessary Windows ports

are open.


An Internet user authenticates with a DMZ AD account.  An internal 
user authenticates into the internal AD and then accesses DMZ 
resources (the DMZ AD contacts the internal AD for authentication).

It seems to me that, if the SharePoint server is compromised, the 
attacker will be able to enumerate users on the internal AD.  Is this 
so?  What are the problems with this design?

Thanks.

************************************************ 
The information transmitted is intended solely 
for the individual or entity to which it is  
addressed and may contain confidential and/or 
privileged material. Any review, retransmission, 
dissemination or other use of or taking action 
in reliance upon this information by persons or 
entities other than the intended recipient is 
prohibited. If you have received this email in 
error please contact the sender and delete the 
material from any computer. 
************************************************

Current thread:

AD in the DMZ Jeffrey Gorton (Oct 29)
- Re: AD in the DMZ Non Proprio (Nov 01)
- <Possible follow-ups>
- RE: AD in the DMZ Harper.Matthew (Nov 05)
- RE: AD in the DMZ David Mowers (Nov 05)
  - RE: AD in the DMZ Jeffrey Gorton (Nov 05)