WebApp Sec mailing list archives
RE: AD in the DMZ
From: "David Mowers" <davemo () winse microsoft com>
Date: Thu, 4 Nov 2004 10:52:24 -0800
Hello, I'm not sure what Microsoft's "identity management" application is referring to. Can you provide more information on what you think this might be? To be sure, the concern raised in this thread is a common one and you can find Microsoft documentation that says both the "trust-based" and the "shadow account" approaches are possible for the extranet/intranet access scenario. The original issue in this thread must be considered through a threat modeling process. Yes, enumeration of AD accounts is something that would be possible today, but any alternative design should be subjected to the same concern. The fact of the matter is, if the external-facing web application can authenticate some number of users then a compromise of that server would almost surely provide a way to enumerate the same set of users. This would be true if the organization set up separate (shadow) accounts in the extranet AD or used some other completely different kind of identity store such as an LDAP server or database. On the plus side for using the architecture described, it provides user convenience (SSO) and also reduces greatly the management overhead of maintaining multiple accounts. More accounts almost always adds additional points of security vulnerability, so you might be trading a problem you know about (and can design/deploy/operate to protect against) for a problem you don't know about or for a system that can't be managed effectively. I would recommend that anyone carefully consider all relevant aspects of the architecture before deciding that one alternative is more secure then another. Dave Mowers Microsoft Security Solutions Check out the Microsoft Identity and Access Management Solution Series at http://www.microsoft.com/technet/security/topics/identity/idmanage/defau lt.mspx -----Original Message----- From: Non Proprio [mailto:non () synaxis org] Sent: Sunday, October 31, 2004 2:07 PM To: Jeffrey Gorton Cc: webappsec () securityfocus com Subject: Re: AD in the DMZ Wow, great minds think alike. My developers have the exact same thing in mind. I'm torn between getting 'business done" and demanding a better form of identity management. The problem is that there's not time to really implement a full solution, so what I'm faced with is having to get customers connected in a world of Microsoft AD. Since the development team has bitten into Microsoft hook, line and sinker we're faced with a real business issue. What about Microsoft's "identity management" application? Has anyone fiddled with this in reference to web apps? On Oct 28, 2004 04:26 PM, Jeffrey Gorton <jpgorton () swbell net> wrote:
I am aware of an internet-facing web application that is running on Microsoft SharePoint and using an Active Directory forest (that
resides in a
separate firewalled network segment) for user authentication. There
is also
a one-way trust relationship with the AD forest on the internal
network (the
DMZ AD trusts the internal AD) so that internal users can access DMZ resources. There is a firewall between the two AD forests, but the
LDAP and
necessary Windows ports are open. An Internet user authenticates with a DMZ AD account. An internal
user
authenticates into the internal AD and then accesses DMZ resources
(the DMZ
AD contacts the internal AD for authentication). It seems to me that, if the SharePoint server is compromised, the
attacker
will be able to enumerate users on the internal AD. Is this so? What
are
the problems with this design? Thanks.
Current thread:
- AD in the DMZ Jeffrey Gorton (Oct 29)
- Re: AD in the DMZ Non Proprio (Nov 01)
- <Possible follow-ups>
- RE: AD in the DMZ Harper.Matthew (Nov 05)
- RE: AD in the DMZ David Mowers (Nov 05)
- RE: AD in the DMZ Jeffrey Gorton (Nov 05)