2

Do you prefer to run their IIS webservers inside a DMZ that is part of the greater organisation's AD or do you prefer to sacrifice ease of management and user control over (possibly perceived) security?

We currently run our IIS boxes outside of the domain and this enables us to keep a one-way rule with our firewall (no traffic from DMZ to LAN except 1 SQL port). However, this means I now have to use non-AD authentication and manually synchronize passwords across boxes.

Which is more secure?

found an answer here Active Directory in a DMZ

Community
  • 1
mjallday
  • 894
  • 2
  • 8
  • 14

3 Answers3

3

you can get the best of both worlds. AD LDS can be implemented and federated with your domain see this article for an overview

Jim B
  • 23,938
  • 4
  • 35
  • 58
  • We've created our own, full blown AD inside our DMZ - no trust with our main AD. Helps with the server organization tremendously - think Group Policy for security, integrated WSUS etc. Although it certainly causes issues with DMZ to LAN SQL authentication :-) – Christopher_G_Lewis Jul 08 '09 at 18:28
  • 1
    You can certainly do that, you can fix the the authentication issues by federating the AD's. Federation is not a trust. Here's more detail that you wanted about how it works: http://msdn.microsoft.com/en-us/library/bb498017.aspx – Jim B Jul 08 '09 at 19:17
0

We have off-the-shelf product that requires us to run the software on an domained IIS server. What's more, at least one of the OTS packages we have is designed to be internet-facing and required to be domained. Some might call this a poorly designed application, but we have to use it so the question is a tad moot.

sysadmin1138
  • 131,083
  • 18
  • 173
  • 296
0

We run our IIS servers in a domain -- their own domain. When app pool identity and services run in a domain account, it is much easier to control access to shared files, data and other resources on different machines. Their are security, scalability, and ease of use benefits to this model. I can't think of any risk to putting the IIS server in a domain, that is difficult to manage.

Precipitous
  • 319
  • 3
  • 9