AD domain on DMZ


Hau Nguyen

Hello all,
I would like your opinion on creating a domain on the DMZ
network to manage half a dozen 2000-based servers that
serve www, ftp service, and other front-end applications,
and 50 users. Is having a domain my only choice, or is
there a better approach and conventional method? I posted
a related message a couple of weeks ago about whether a sub
or new domain is preferred for this situation. Thanks for
your input.

Hau
 

Simon Geary

Opinions vary on this one but I personally wouldn't want to put Active
Directory in a DMZ. Instead, you could leave your DCs behind the firewall
and use an IPSec tunnel to manage them. Or, as I think I would do with half
a dozen servers, just leave them in a workgroup and manage them
individually. It's more work and administrative overhead but it is more
secure, leaves fewer holes in the firewall's LAN side and reduces the number
of open ports in the DMZ that are available for attack from the Internet.
 

Guest

Thank you, Simon. If the DMZ and internal domain are
not "connected", that is, if the user and password
combinations are maintained separately, do you still
consider it a bad approach? I just need an
authentication mechanism on the DMZ side that's
consistent across the servers, and don't need it tied to
the internal network. Thanks again!

Hau
 

Simon Geary

If you don't have AD in the DMZ then passwords will have to be maintained
separately; that's just the drawback of not having a domain. You can just
use local accounts on the DMZ servers; that's not a problem at all, although
it does make it harder to manage. Well worth the extra effort, though, in
terms of security.
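One way to keep the separately maintained local accounts from drifting across workgroup DMZ servers, as an added example that is not from this thread: it assumes modern Windows hosts reachable over PowerShell Remoting from a management station, and the hostnames, baseline account list and password age are placeholders to replace with your own.

```powershell
# Added example (not from this thread): audit the local accounts on workgroup
# DMZ servers against an expected baseline, so separately maintained accounts
# do not drift unnoticed. Assumes PowerShell Remoting is permitted through the
# firewall from the management host; all values below are placeholders.
$dmzHosts = @('dmz-www1', 'dmz-ftp1')          # placeholder hostnames
$expected = @('Administrator', 'opsadmin')      # local accounts that should exist
$maxPasswordAgeDays = 90                        # the rotation interval you enforce

# Workgroup hosts have no domain trust, so each host is reached with a local credential.
$cred = Get-Credential -Message 'Local administrator credential for DMZ hosts'

$report = foreach ($h in $dmzHosts) {
    try {
        $users = Invoke-Command -ComputerName $h -Credential $cred -ScriptBlock {
            Get-LocalUser | Select-Object Name, Enabled, PasswordLastSet
        }
    } catch {
        [pscustomobject]@{ Host = $h; Finding = "unreachable: $($_.Exception.Message)" }
        continue
    }
    $names = $users.Name

    # Accounts present on the host but absent from the baseline
    foreach ($n in ($names | Where-Object { $_ -notin $expected })) {
        [pscustomobject]@{ Host = $h; Finding = "unexpected local account: $n" }
    }
    # Baseline accounts that are missing on this host
    foreach ($n in ($expected | Where-Object { $_ -notin $names })) {
        [pscustomobject]@{ Host = $h; Finding = "expected account missing: $n" }
    }
    # Enabled accounts whose password is older than the enforced interval
    $cutoff = (Get-Date).AddDays(-$maxPasswordAgeDays)
    foreach ($u in ($users | Where-Object { $_.Enabled -and $_.PasswordLastSet -and $_.PasswordLastSet -lt $cutoff })) {
        [pscustomobject]@{ Host = $h; Finding = "password older than $maxPasswordAgeDays days: $($u.Name)" }
    }
}

$report | Format-Table -AutoSize
```

Run it from the management station on a schedule; an empty report means every DMZ host still matches the baseline.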