ActiveDirSec.Org

The world's most trusted forum on Active Directory Security


TOPIC: Cloud AD forest in the DMZ


Newbie

Posts: 1
Date: Jan 21, 2011


Does anyone have any objection to placing a Domain in the DMZ network?

I was asked today to set up a Domain Controller in the DMZ for a cloud-based initiative that a company is trying to put together. SharePoint is being used for this and needed a domain to use for auth, etc.

When they asked me about how they can send auth requests back to the prod. domain and asked me if I can build a DC in the DMZ, my jaw hit the floor. At first, I suggested that they just open the ports for the server to communicate from the DMZ to the private network and target just the servers that it needed access to, while restricting everything else. At first I thought that was a bad idea....

Going back and forth with the resident security guy, who doesn't know a thing about AD design or securing AD, I resigned myself to building a new forest in the DMZ and then creating a one-way trust with the private forest on the private network (the DMZ domain trusts the private domain), so that we can leverage private domain security principals on the DMZ domain resources (SharePoint) without compromising the integrity of the private domain.
 
Any thoughts on this?


__________________
MwR
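The trust the post describes, as an added PowerShell example that is not part of the thread and not something either poster wrote. It assumes two hypothetical forests, corp.example (private) and dmz.example (DMZ), an admin running it as Enterprise Admin on a domain controller in each forest in turn, and the RSAT ActiveDirectory module for the verification step. Each forest creates only its own half of the trust from a shared one-time password, so no private-forest credential is ever entered on a DMZ host. Selective authentication is then switched on from the DMZ (trusting) side so that private-forest accounts can reach only those DMZ computers explicitly granted "Allowed to Authenticate".

```powershell
# Added example; not the thread's code. Forest names below are assumptions.
Add-Type -AssemblyName System.DirectoryServices
Import-Module ActiveDirectory

$private = 'corp.example'   # assumed name of the private (trusted) forest
$dmz     = 'dmz.example'    # assumed name of the DMZ (trusting) forest

# One-time shared secret; the same value is entered once in each forest.
$secure = Read-Host -AsSecureString 'Trust password (enter the same value in both forests)'
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
$plain  = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

$local = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()

if ($local.Name -eq $dmz) {
    # The DMZ forest trusts the private forest: seen from the DMZ the trust
    # is OUTBOUND (this forest is the trusting side, it accepts the other's users).
    $local.CreateLocalSideOfTrustRelationship($private,
        [System.DirectoryServices.ActiveDirectory.TrustDirection]::Outbound, $plain)

    # Selective authentication lives on the trusting side: private-forest
    # principals may only authenticate to DMZ computers whose ACL grants them
    # 'Allowed to Authenticate' (e.g. the SharePoint servers), not to every host.
    $local.SetSelectiveAuthenticationStatus($private, $true)
}
elseif ($local.Name -eq $private) {
    # The private forest is the trusted side: from here the same trust is INBOUND.
    # Nothing in the DMZ is trusted back, so DMZ principals get no access here.
    $local.CreateLocalSideOfTrustRelationship($dmz,
        [System.DirectoryServices.ActiveDirectory.TrustDirection]::Inbound, $plain)
}
else {
    throw "Run this on a domain controller in $dmz or $private, not $($local.Name)"
}
Remove-Variable plain

# Check the result on the DMZ side. Expect: Direction = Outbound,
# ForestTransitive = True, SelectiveAuthentication = True, and the SID
# filtering flags True so that sidHistory values cannot be injected across
# the trust from the DMZ side.
Get-ADTrust -Filter "Target -eq '$private'" |
    Select-Object Name, Direction, ForestTransitive, SelectiveAuthentication,
                  SIDFilteringForestAware, SIDFilteringQuarantined
```

The direction check matters because the terms are easy to invert: on the DMZ forest's own trust object the design in the post shows up as Outbound, and on the private forest it shows up as Inbound. If the private side ever reports Outbound or Bidirectional, a DMZ principal could be granted access to private resources, which is exactly what the one-way design is meant to prevent.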


Member

Posts: 16
Date: Jun 27, 2012
RE: Cloud AD forest in the DMZ


Marcus,

I agree with you that anyone who suggests putting a corporate forest's DC in the DMZ does not really understand the serious implications of doing so! 

I think your idea of putting a new forest in the DMZ and then establishing a one-way trust sounds like the most securable way to approach the requirement.

Chad.


