Comments? - DMZ and Domain Security

Archived from groups: microsoft.public.win2000.security

Cross posted from ms.public.security:

I am interested to hear anyone's comment on the following:

Organisation has internal LAN and an Extranet with Web and mail
servers located in a DMZ. The firewall is a Cisco device.

At present both the DMZ and the LAN are separate domains, which means
that staff often have to be registered to both domains. This, linked
with the password complexity/expiry policy, creates much confusion.

So we are considering opening a hole in the firewall between the DMZ
and the inside to allow us to set up a one-way trust relationship
between the two domains, with the DMZ domain trusting the LAN domain.

In this way staff will only be registered on the inside whilst trusted
3rd parties would only be registered on the DMZ.

Now I know in theory that this ought to be secure (there is no outside
access), but supposing that the DMZ got compromised in some unforeseen
way, what is the potential for this to provide a staging post to
compromising the inside? Is this risk more or less than having the two
completely isolated domains?

I know there are no definitive answers to this question but I would
warmly welcome hearing the views of anyone prepared to share them.

Many thanks,
 

Hi Alan-

If the trust is one-way (where the DMZ domain is trusting the LAN domain)
then you shouldn't have any concerns regarding the LAN domain being at risk
along the trust if the DMZ domain gets compromised.

From a general security standpoint, it may be a good idea to open, or
redirect and then open, the ports needed for the trust to work well. Here
are some KB articles which may help with the firewall aspect:

How to Configure a Firewall for Domains and Trusts (179442)

How To Configure RPC Dynamic Port Allocation to Work with Firewall (154596)
--
Tim Springston
Microsoft Corporation
This posting is provided "AS IS" with no warranties, and confers no rights.

"Alan Morris" <alan@address.withheld.com> wrote in message
news:lil7g0t8o62dnunjtidcdjlo0hg5bb2k4g@4ax.com...
> Cross posted from ms.public.security:
>
> I am interested to hear anyone's comment on the following:
>
> Organisation has internal LAN and an Extranet with Web and mail
> servers located in a DMZ. The firewall is a Cisco device.
>
> At present both the DMZ and the LAN are separate domains, which means
> that staff often have to be registered to both domains. This, linked
> with the password complexity/expiry policy, creates much confusion.
>
> So we are considering opening a hole in the firewall between the DMZ
> and the inside to allow us to set up a one-way trust relationship
> between the two domains, with the DMZ domain trusting the LAN domain.
>
> In this way staff will only be registered on the inside whilst trusted
> 3rd parties would only be registered on the DMZ.
>
> Now I know in theory that this ought to be secure (there is no outside
> access), but supposing that the DMZ got compromised in some unforeseen
> way, what is the potential for this to provide a staging post to
> compromising the inside? Is this risk more or less than having the two
> completely isolated domains?
>
> I know there are no definitive answers to this question but I would
> warmly welcome hearing the views of anyone prepared to share them.
>
> Many thanks,
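The trust-direction argument in the reply above, as an added example that is not part of the thread: a small Python model of which domains a compromised domain's principals can reach along trust relationships. It also generalises to transitive trusts and a third hypothetical domain (HQ); the domain names and the trust lists are constructed for illustration.

```python
"""Model the authentication reach of a compromised domain across trusts.

Convention: a trust is recorded as (trusting, trusted). Principals from the
trusted domain can be granted access to resources in the trusting domain, so a
compromise of `trusted` can spread into `trusting`, never the other way round.
The model says nothing about the network path the firewall hole opens; that is
a separate control and should still be limited to DC-to-DC traffic on the
ports the trust needs.
"""
from collections import deque


def reachable_via_trusts(trusts, compromised, transitive=False):
    """Return the set of domains whose resources principals of `compromised`
    can reach. With transitive=False (a Windows 2000 external trust) only
    domains that directly trust `compromised` are reachable; with
    transitive=True the walk continues through each reached domain."""
    trusting_by_trusted = {}
    for trusting, trusted in trusts:
        trusting_by_trusted.setdefault(trusted, set()).add(trusting)

    reached, queue = set(), deque([compromised])
    while queue:
        domain = queue.popleft()
        for nxt in trusting_by_trusted.get(domain, ()):
            if nxt not in reached:
                reached.add(nxt)
                if transitive:
                    queue.append(nxt)
    reached.discard(compromised)  # a domain is not "reached" from itself
    return reached


def lan_at_risk(trusts):
    """True if a compromise of DMZ can authenticate into LAN via the trusts."""
    return "LAN" in reachable_via_trusts(trusts, "DMZ")


# Constructed scenarios (hypothetical domain names):
PROPOSED = [("DMZ", "LAN")]                   # DMZ trusts LAN (the poster's plan)
TWO_WAY = [("DMZ", "LAN"), ("LAN", "DMZ")]    # two-way trust
REVERSED = [("LAN", "DMZ")]                   # LAN trusts DMZ (the risky direction)
CHAIN = [("DMZ", "LAN"), ("LAN", "HQ")]       # DMZ trusts LAN, LAN trusts HQ

if __name__ == "__main__":
    for name, trusts in [("proposed", PROPOSED), ("two-way", TWO_WAY),
                         ("reversed", REVERSED)]:
        print(f"{name}: LAN at risk from DMZ compromise = {lan_at_risk(trusts)}")
```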