3

From a security point of view, does it make sense to connect the Windows servers that are running within the DMZ and should be reachable from the Web to the AD (running within the core network)? Or rather manage them by a DMZ AD or just standalone?

In my understanding, it is a security risk to leave ports open towards the core network, but there may be a demand for an adequate solution when it comes to managing large-scale environments? Are there any other approaches out there, e.g. placing them on AWS/Azure and managing them through a cloud AD separated from the network?

schroeder
user178620
  • It all depends. What services are in your DMZ? What do they require from AD? How is AD deployed in your org? What type of data is being handled? So on and so forth… There are security risks placing services in the cloud as well. – user2320464 Sep 24 '18 at 17:25

2 Answers

3

Your reasoning is exactly right.

Your DMZ servers being joined to your internal domain is a risk that should be avoided. Usually a separate Active Directory domain for your DMZ, or running each server standalone, is the best option.

A small environment might be fine with standalone, but beyond a dozen or so servers, or with a larger team of staff, a separate domain might be easier to manage. You might have a trust between your DMZ domain and your internal domain, but it should be managed with care.

You'll always have a need to connect parts of your DMZ to your internal network (proxy servers for example), but it should always be on a strictly as-needed basis. Plus, if your DMZ does become compromised, and someone can steal the credentials of a DMZ Administrator, they won't automatically have access to your internal domain.

Stephen Sennett
  • This answer isn't very insightful IMO. Could use some improvement explaining how/why it's a security risk. Examples could be documented instances of penetration, specifically what defenses are not available using this model, or the mechanics involved that lower the security posture of this model. – apocalysque Aug 06 '19 at 19:34
1

Agreeing with what has been said, I'll try to give a bit of a different view. AD is a security risk regardless of where it is used. The amount of time it usually takes an adversary to gain control of a whole network is usually reduced dramatically when there is an AD in place. There are so many PTH\PTT\Golden ticket attack tools out there that I lost count. Of course this is the endless tension between security and being able to manage and operate a network at scale. If it's not absolutely necessary I wouldn't add the DMZ servers to any domain; I'd treat them as external entities, hardening them and providing a different password set for each, and limiting connectivity into the network to only what the business case requires.

Igliv
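Both answers come down to two checkable properties of a DMZ host: it is not joined to the internal domain, and its connectivity into the core network is limited to an explicit, as-needed set of ports. The following read-only audit, an added example that is not part of either answer or of any product, checks exactly those two things on the DMZ server it is run on. The core network range (10.0.0.0/8), the allowlist of DMZ-to-core ports (TCP 443 and 3128 for a proxy) and the internal domain name (corp.example) are placeholders you would replace with your own values; the cmdlets used (Get-CimInstance, Get-NetFirewallRule, Get-NetFirewallAddressFilter, Get-NetFirewallPortFilter) are the standard Windows ones.

```powershell
<#
Added example, not from the original question or answers: read-only audit of a
DMZ Windows server for the two properties the answers argue for.
  1. The host is NOT joined to the internal (core) AD domain.
  2. Outbound firewall rules that can reach the core network only allow an
     explicit allowlist of ports (the "strictly as-needed" principle).
Nothing is modified; it only reports findings.
#>

$CoreCidr         = '10.0.0.0/8'     # ASSUMPTION (placeholder): core/internal network range
$AllowedCorePorts = @('443', '3128') # ASSUMPTION (placeholder): only approved DMZ->core ports
$InternalDomain   = 'corp.example'   # ASSUMPTION (placeholder): internal AD domain name

function Convert-IPv4ToUInt64 {
    # Dotted-quad IPv4 string -> integer, without bitwise operators
    param([string]$Address)
    $b = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    return [uint64]$b[0] * 16777216 + [uint64]$b[1] * 65536 + [uint64]$b[2] * 256 + [uint64]$b[3]
}

function Test-AddressInCidr {
    # True when a single IPv4 address lies inside the CIDR. 'Any' counts as inside
    # (a rule open to everything can reach the core). Firewall keywords such as
    # LocalSubnet or DNS, ranges and IPv6 are not evaluated and return $false.
    param([string]$Address, [string]$Cidr)
    if ($Address -eq 'Any') { return $true }
    if ($Address -notmatch '^\d{1,3}(\.\d{1,3}){3}$') { return $false }
    $net, $bits = $Cidr.Split('/')
    $blockSize  = [math]::Pow(2, 32 - [int]$bits)   # addresses per network block
    $addrBlock  = [math]::Floor((Convert-IPv4ToUInt64 $Address) / $blockSize)
    $netBlock   = [math]::Floor((Convert-IPv4ToUInt64 $net) / $blockSize)
    return ($addrBlock -eq $netBlock)
}

function Test-DmzDomainMembership {
    # Property 1: report whether this host is domain-joined, and to which domain
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    [pscustomobject]@{
        ComputerName       = $cs.Name
        PartOfDomain       = $cs.PartOfDomain
        Domain             = $cs.Domain
        JoinedToInternalAD = [bool]($cs.PartOfDomain -and ($cs.Domain -ieq $InternalDomain))
    }
}

function Get-DmzCoreExposure {
    # Property 2: enabled outbound Allow rules that can reach the core network on a
    # port outside the allowlist. A port range (e.g. 1024-65535) is never in the
    # allowlist and is therefore flagged for review.
    param([string]$Cidr = $CoreCidr, [string[]]$AllowedPorts = $AllowedCorePorts)
    $findings = @()
    $rules = Get-NetFirewallRule -Direction Outbound -Enabled True -Action Allow -ErrorAction SilentlyContinue
    foreach ($rule in $rules) {
        $remotes = @(($rule | Get-NetFirewallAddressFilter).RemoteAddress)
        $reachesCore = $false
        foreach ($r in $remotes) {
            if (Test-AddressInCidr -Address $r -Cidr $Cidr) { $reachesCore = $true; break }
        }
        if (-not $reachesCore) { continue }
        $portFilter = $rule | Get-NetFirewallPortFilter
        $ports = @($portFilter.RemotePort)
        $bad = $ports | Where-Object { $_ -eq 'Any' -or $AllowedPorts -notcontains $_ }
        if ($bad) {
            $findings += [pscustomobject]@{
                Rule       = $rule.DisplayName
                Protocol   = $portFilter.Protocol
                RemoteAddr = ($remotes -join ',')
                RemotePort = ($ports -join ',')
            }
        }
    }
    return $findings
}

# Usage: run on the DMZ host itself.
$membership = Test-DmzDomainMembership
$membership | Format-List
if ($membership.JoinedToInternalAD) {
    Write-Warning "Host is joined to the internal domain '$InternalDomain'; DMZ compromise exposes internal credentials."
}
$exposure = Get-DmzCoreExposure
if ($exposure) {
    Write-Warning "Outbound rules reaching $CoreCidr on ports outside the allowlist:"
    $exposure | Format-Table -AutoSize
} else {
    Write-Host "No outbound rules reach $CoreCidr outside the allowed ports $($AllowedCorePorts -join ',')."
}
```

The firewall check is deliberately conservative: a rule whose remote address is "Any" is treated as reaching the core, and any port that is not literally in the allowlist is flagged, so the output is a review list rather than a verdict. The same two functions can be run over a fleet of standalone DMZ hosts through whatever remote-execution path you already trust for them; the point of the example is that "as-needed connectivity" and "not domain-joined" are concrete, auditable states rather than a posture statement.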