What is the best way to manage user accounts for Windows servers in a DMZ? We are expanding our web presence and adding several IIS servers to our DMZ. I would prefer not to manage a bunch of local accounts or, on the other hand, expose our internal Active Directory servers directly to the DMZ either. Is there a standard approach to this problem?
3 Answers
You can create a separate AD for the DMZ and really lock down the domain controllers in the DMZ. That way you have two spots to maintain accounts, and you can take it a step further by establishing a trust so that you can log into your DMZ AD with your internal AD accounts.
The Active Directory team at Microsoft has released a guide with best practices for running AD in a DMZ.
Active Directory Domain Services in the Perimeter Network (Windows Server 2008)
The guide covers the following AD models for the perimeter network:
- No Active Directory (local accounts)
- Isolated forest model
- Extended corporate forest model
- Forest trust model
This guide contains direction for determining whether Active Directory Domain Services (AD DS) is appropriate for your perimeter network (also known as the DMZs or extranets), the various models for deploying AD DS in perimeter networks, and planning and deployment information for Read Only Domain Controllers (RODCs) in the perimeter network. Because RODCs provide new capabilities for perimeter networks, most of the content in this guide describes how to plan for and deploy this new Windows Server 2008 feature. However, the other Active Directory models introduced in this guide are also viable solutions for your perimeter network.
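The guide's RODC model only limits exposure if the Password Replication Policy (PRP) is scoped so that a perimeter RODC caches nothing but the secrets of the DMZ hosts and the people who administer them. The following is an added example, not code from the Microsoft guide or from the answer above; it assumes the ActiveDirectory PowerShell module (Windows Server 2008 R2 RSAT or later), an RODC named DMZ-RODC01, and hypothetical groups DMZ-IIS-Servers and DMZ-Web-Admins.

```powershell
# Added example (not from the original answer or the Microsoft guide).
# Assumptions: ActiveDirectory module available; the RODC is DMZ-RODC01;
# DMZ-IIS-Servers (computer accounts) and DMZ-Web-Admins are hypothetical groups.
Import-Module ActiveDirectory

$rodc = 'DMZ-RODC01'

# Allow only the perimeter computer accounts and the admins who log on there
# to have their secrets replicated to the RODC. Any other principal that
# authenticates in the DMZ is chased to a writable DC instead of being cached.
Add-ADDomainControllerPasswordReplicationPolicy -Identity $rodc `
    -AllowedList 'DMZ-IIS-Servers', 'DMZ-Web-Admins'

# Explicitly deny privileged groups so a compromised RODC never holds their
# hashes. These are covered by the default Denied RODC Password Replication
# Group, but restating them guards against someone editing that group later.
Add-ADDomainControllerPasswordReplicationPolicy -Identity $rodc `
    -DeniedList 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'

# Review the resulting policy.
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Allowed
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Denied

# Audit what has actually been cached ("revealed") on the RODC. A privileged
# account appearing here means the policy is too broad, or a privileged user
# logged on in the DMZ where they should not have.
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts |
    Select-Object Name, ObjectClass, DistinguishedName

# Pre-populate the web servers' secrets so they keep authenticating even when
# the link from the DMZ to the writable DC is cut during an incident.
$writable = (Get-ADDomainController -Discover -Writable).HostName | Select-Object -First 1
Get-ADGroupMember 'DMZ-IIS-Servers' | ForEach-Object {
    Sync-ADObject -Object $_.DistinguishedName -Source $writable -Destination $rodc -PasswordOnly
}
```

Run this from a management host inside the internal network, not from the RODC itself; the point of the model is that nothing in the DMZ holds write access to the directory. Re-run the `-RevealedAccounts` audit periodically, since the cached set grows with every allowed logon.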
It would depend on how you intend to manage the users.
If the users already exist internally, my approach would be to use the existing AD structure.
If it's just a matter of having 10 IIS boxes, that all need the same user account access, then stand up a separate AD structure inside the DMZ.
If the user accounts only need to exist on each box, then local accounts will be the best approach.
As with everything, exposure is a trade-off for security. But a properly configured firewall will not put your AD at significant risk, just by joining your IIS boxes to the domain.
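"A properly configured firewall" means opening only the ports a domain member needs toward the DC (or RODC) and nothing else. The check below is an added example, not code from the answer above; it runs on a DMZ web server and reports which of the standard domain-membership TCP ports are reachable on a given domain controller. The host name dc01.corp.example is a placeholder, and the script assumes Windows PowerShell 3.0 or later.

```powershell
# Added example (not from the original answer). Run on the DMZ host as an
# administrator; $DomainController is the DC or RODC the DMZ segment may reach.
function Test-DmzDomainPorts {
    param(
        [Parameter(Mandatory = $true)][string] $DomainController,
        [int] $TimeoutMs = 2000
    )

    # TCP ports a member server needs for domain join, logon and Group Policy.
    # Not covered here: UDP 53/88/123/389 and the dynamic RPC range
    # (TCP 49152-65535 by default), which the firewall must also allow.
    $ports = [ordered]@{
        53   = 'DNS'
        88   = 'Kerberos'
        135  = 'RPC endpoint mapper'
        389  = 'LDAP'
        445  = 'SMB (SYSVOL / Group Policy)'
        464  = 'Kerberos password change'
        636  = 'LDAPS'
        3268 = 'Global Catalog'
        3269 = 'Global Catalog over SSL'
    }

    foreach ($port in $ports.Keys) {
        $client = New-Object System.Net.Sockets.TcpClient
        try {
            # Connect asynchronously so a silently dropped packet does not
            # hang the check for the OS default connect timeout.
            $async = $client.BeginConnect($DomainController, $port, $null, $null)
            $open  = $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false) -and $client.Connected
        } catch {
            $open = $false
        } finally {
            $client.Close()
        }

        [pscustomobject]@{
            Port    = $port
            Service = $ports[$port]
            Open    = $open
        }
    }
}

# Placeholder DC name; replace with the DC or RODC reachable from the DMZ.
Test-DmzDomainPorts -DomainController 'dc01.corp.example' | Format-Table -AutoSize
```

Every port that reports `Open = True` toward an internal DC is a path from the DMZ into the directory; in the isolated-forest or RODC models the target should be the perimeter DC only, and the same check run against an internal DC should show everything closed.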