0

I don't know what the best practice for Kerberos is with regard to security. I was wondering: is it a good idea to allow a Kerberos server to be public so public servers can use single sign-on, or is it something that is reserved only for the internal LAN?

Also, the Kerberos server is a Windows Server that has other services on it as well. What would you guys do?

PHGamer
  • What is the role of the server? – DanBig Jan 14 '11 at 18:38
  • Do you mean the public servers or the Windows server? Basically we have a bunch of SSH servers I'd like to use SSO for. However, the Kerberos server is a Windows Small Business Server, so it kind of has everything on it right now, like LDAP and email. – PHGamer Jan 14 '11 at 19:10

1 Answer

1

Exposing an Active Directory DC to the Internet is a Bad Idea™

A tightly secured Kerberos TGS can be exposed to the net with minimal liability. That said, Windows Server 2003 has minimal ability to configure Kerberos; it just wasn't meant to be exposed to the net directly like that.

Chris S
  • Bad is an understatement – Zypher Jan 14 '11 at 19:20
  • I thought as much. Although more generally I am curious what people who set up Kerberos servers do. Is it common for them to expose it, or do they generally reserve SSO for internal use only? – PHGamer Jan 14 '11 at 19:38