we have two web servers on a DMZ for the world to see, and several intranet
servers that are inside only. We are running AD and the servers are server
2003. Is there a safe way to only have to use AD accounts to allow posting on
the two outside web servers?
I work at a community colege.
Thanks.
Hi,
What do you mean by a "safe way"? Safe from what?
If you don't have a list of threats, it's impossible to protect against
them.
Cheers
Ken
--
My IIS Blog: www.adOpenStatic.com/cs/blogs/ken
"gordie"
news:EEDC63BB-3B70-4DD8-86DB-8649DD3530A0@microsoft.com...
> we have two web servers on a DMZ for the world to see, and several
> intranet
> servers that are inside only. We are running AD and the servers are server
> 2003. Is there a safe way to only have to use AD accounts to allow posting
> on
> the two outside web servers?
> I work at a community colege.
> Thanks.
Safe from outsiders getting access to the intranet and usernames and
passwords. Since the servers have two lan connections can we have one on the
outside IP address and one on the inside address? We would like to use AD
accounts (which are inside the DMZ) to give faculty permission to post to
their web pages from home.
"Ken Schaefer" wrote:
> Hi,
>
> What do you mean by a "safe way"? Safe from what?
>
> If you don't have a list of threats, it's impossible to protect against
> them.
>
> Cheers
> Ken
>
> --
> My IIS Blog: www.adOpenStatic.com/cs/blogs/ken
>
> "gordie"
> news:EEDC63BB-3B70-4DD8-86DB-8649DD3530A0@microsoft.com...
> > we have two web servers on a DMZ for the world to see, and several
> > intranet
> > servers that are inside only. We are running AD and the servers are server
> > 2003. Is there a safe way to only have to use AD accounts to allow posting
> > on
> > the two outside web servers?
> > I work at a community colege.
> > Thanks.
>
>
As soon as you connect your AD servers to anything else, then there is
always the possibility that someone may be able to break into them. You need
to determine what specific threats you wish to gaurd against, and then work
how to mitigate those.
For example, suppose you have an easy to guess password an account that is a
Domain Administrator account. Someone could authenticate to IIS as that
account, and from there, easily take control of your whole domain.
Alternatively, a security vulnerability in IIS, or your web application that
runs on top of IIS, might allow an attacker to have privileges that your
application has. From there, then try to elevate their privileges to domain
level, and then to Domain Admin level.
There are innumerable ways that you can be compromised, but most may not
apply to your environment or may not be risks you think are worth protecting
against.
Steve Riley and Jesper Johannsen's book on securing your network is a good
starting point, as it shows some typical ways that people use to get access
to things they shouldn't have access to, and best practices that you can use
to stop that happening to you.
Cheers
Ken
--
My IIS Blog: www.adOpenStatic.com/cs/blogs/ken
"gordie"
news:77ABD3E7-A416-48B9-B0D7-1969788E673F@microsoft.com...
> Safe from outsiders getting access to the intranet and usernames and
> passwords. Since the servers have two lan connections can we have one on
> the
> outside IP address and one on the inside address? We would like to use AD
> accounts (which are inside the DMZ) to give faculty permission to post to
> their web pages from home.
>
> "Ken Schaefer" wrote:
>
>> Hi,
>>
>> What do you mean by a "safe way"? Safe from what?
>>
>> If you don't have a list of threats, it's impossible to protect against
>> them.
>>
>> Cheers
>> Ken
>>
>> --
>> My IIS Blog: www.adOpenStatic.com/cs/blogs/ken
>>
>> "gordie"
>> news:EEDC63BB-3B70-4DD8-86DB-8649DD3530A0@microsoft.com...
>> > we have two web servers on a DMZ for the world to see, and several
>> > intranet
>> > servers that are inside only. We are running AD and the servers are
>> > server
>> > 2003. Is there a safe way to only have to use AD accounts to allow
>> > posting
>> > on
>> > the two outside web servers?
>> > I work at a community colege.
>> > Thanks.
>>
>>
Thanks Ken, What is the name of the book? all I can find are their blogs.
I guess what I really want to know is if I can have my outside web servers
connected to my domain so that I only have to use domain accounts to give
NTFS permissions for other than viewing web pages? Right now I have to create
individual accounts on each web server. I don't have confidential data on the
web servers, but I don't want to open the door to my Domain Controllers.
Thanks.
"Ken Schaefer" wrote:
> As soon as you connect your AD servers to anything else, then there is
> always the possibility that someone may be able to break into them. You need
> to determine what specific threats you wish to gaurd against, and then work
> how to mitigate those.
>
> For example, suppose you have an easy to guess password an account that is a
> Domain Administrator account. Someone could authenticate to IIS as that
> account, and from there, easily take control of your whole domain.
>
> Alternatively, a security vulnerability in IIS, or your web application that
> runs on top of IIS, might allow an attacker to have privileges that your
> application has. From there, then try to elevate their privileges to domain
> level, and then to Domain Admin level.
>
> There are innumerable ways that you can be compromised, but most may not
> apply to your environment or may not be risks you think are worth protecting
> against.
>
> Steve Riley and Jesper Johannsen's book on securing your network is a good
> starting point, as it shows some typical ways that people use to get access
> to things they shouldn't have access to, and best practices that you can use
> to stop that happening to you.
>
> Cheers
> Ken
>
> --
> My IIS Blog: www.adOpenStatic.com/cs/blogs/ken
>
> "gordie"
> news:77ABD3E7-A416-48B9-B0D7-1969788E673F@microsoft.com...
> > Safe from outsiders getting access to the intranet and usernames and
> > passwords. Since the servers have two lan connections can we have one on
> > the
> > outside IP address and one on the inside address? We would like to use AD
> > accounts (which are inside the DMZ) to give faculty permission to post to
> > their web pages from home.
> >
> > "Ken Schaefer" wrote:
> >
> >> Hi,
> >>
> >> What do you mean by a "safe way"? Safe from what?
> >>
> >> If you don't have a list of threats, it's impossible to protect against
> >> them.
> >>
> >> Cheers
> >> Ken
> >>
> >> --
> >> My IIS Blog: www.adOpenStatic.com/cs/blogs/ken
> >>
> >> "gordie"
> >> news:EEDC63BB-3B70-4DD8-86DB-8649DD3530A0@microsoft.com...
> >> > we have two web servers on a DMZ for the world to see, and several
> >> > intranet
> >> > servers that are inside only. We are running AD and the servers are
> >> > server
> >> > 2003. Is there a safe way to only have to use AD accounts to allow
> >> > posting
> >> > on
> >> > the two outside web servers?
> >> > I work at a community colege.
> >> > Thanks.
> >>
> >>
>
>
What you can configure are things like:
a) ADAM in your DMZ, and have something like MIIS push accounts out to
ADAM - that way there isn't even a full AD in your DMZ
b) Create a separate child domain (or even a separate Forest) in your DMZ,
and use one-way trust.
c) Put all the webservers internally, and use an ISA Server in your DMZ to
do some reverse publishing.
d) etc
Basically you want to isolate your internal AD servers from external
influences. If you can do that by using some kind of one-way push out to
your DMZ then that would be best.
This is the book I was talking about:
http://www.amazon.com/Protect-Your-Windows-Network-Addison-W esley/dp/0321336437/
Protect Your Windows Network: From Perimeter to Data (The Addison-Wesley
Microsoft Technology Series) (Paperback)
by Jesper M. Johansson (Author), Steve Riley (Author)
Cheers
Ken
"gordie"
news:14D5FC94-9859-44FC-ADB3-C5FFED66C714@microsoft.com...
> Thanks Ken, What is the name of the book? all I can find are their blogs.
> I guess what I really want to know is if I can have my outside web servers
> connected to my domain so that I only have to use domain accounts to give
> NTFS permissions for other than viewing web pages? Right now I have to
> create
> individual accounts on each web server. I don't have confidential data on
> the
> web servers, but I don't want to open the door to my Domain Controllers.
> Thanks.
>
> "Ken Schaefer" wrote:
>
>> As soon as you connect your AD servers to anything else, then there is
>> always the possibility that someone may be able to break into them. You
>> need
>> to determine what specific threats you wish to gaurd against, and then
>> work
>> how to mitigate those.
>>
>> For example, suppose you have an easy to guess password an account that
>> is a
>> Domain Administrator account. Someone could authenticate to IIS as that
>> account, and from there, easily take control of your whole domain.
>>
>> Alternatively, a security vulnerability in IIS, or your web application
>> that
>> runs on top of IIS, might allow an attacker to have privileges that your
>> application has. From there, then try to elevate their privileges to
>> domain
>> level, and then to Domain Admin level.
>>
>> There are innumerable ways that you can be compromised, but most may not
>> apply to your environment or may not be risks you think are worth
>> protecting
>> against.
>>
>> Steve Riley and Jesper Johannsen's book on securing your network is a
>> good
>> starting point, as it shows some typical ways that people use to get
>> access
>> to things they shouldn't have access to, and best practices that you can
>> use
>> to stop that happening to you.
>>
>> Cheers
>> Ken
>>
>> --
>> My IIS Blog: www.adOpenStatic.com/cs/blogs/ken
>>
>> "gordie"
>> news:77ABD3E7-A416-48B9-B0D7-1969788E673F@microsoft.com...
>> > Safe from outsiders getting access to the intranet and usernames and
>> > passwords. Since the servers have two lan connections can we have one
>> > on
>> > the
>> > outside IP address and one on the inside address? We would like to use
>> > AD
>> > accounts (which are inside the DMZ) to give faculty permission to post
>> > to
>> > their web pages from home.
>> >
>> > "Ken Schaefer" wrote:
>> >
>> >> Hi,
>> >>
>> >> What do you mean by a "safe way"? Safe from what?
>> >>
>> >> If you don't have a list of threats, it's impossible to protect
>> >> against
>> >> them.
>> >>
>> >> Cheers
>> >> Ken
>> >>
>> >> --
>> >> My IIS Blog: www.adOpenStatic.com/cs/blogs/ken
>> >>
>> >> "gordie"
>> >> news:EEDC63BB-3B70-4DD8-86DB-8649DD3530A0@microsoft.com...
>> >> > we have two web servers on a DMZ for the world to see, and several
>> >> > intranet
>> >> > servers that are inside only. We are running AD and the servers are
>> >> > server
>> >> > 2003. Is there a safe way to only have to use AD accounts to allow
>> >> > posting
>> >> > on
>> >> > the two outside web servers?
>> >> > I work at a community colege.
>> >> > Thanks.
>> >>
>> >>
>>
>>