-
Ken Schaefer #1
Re: Domain Authenication with the public dmz
You could have a separate domain in the DMZ.
But my personal suggestion is to look at ISA Server web publishing. That way,
you can keep the IIS box inside the corporate network (where it can talk to
the AD boxes), and you only need to allow port 443 from the ISA Server box
through to the IIS box. ISA Server acts as a reverse proxy between the
internet and IIS.
firewall----ISA Server----firewall----IIS------AD
|--Internet---| |----------DMZ-------------| |----Corp Network---|
Cheers
Ken
"super bidder via .NET 247" <anonymous@dotnet247.com> wrote in message
news:%23XNzsm0IFHA.3356@TK2MSFTNGP12.phx.gbl...
(Type your message here)
--------------------------------
From: super bidder
Can someone share what they are doing as regards authentication within the
DMZ. The dudes that program want to use either LDAP or domain
authentication for users that reside internally to an external web site.
They cannot seem to understand the security ramifications. Does anyone have
this situation? Right now, we will not approve this to go through the
firewall.
-----------------------
Posted by a user from .NET 247 ([url]http://www.dotnet247.com/[/url])
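Ken's layout and the design the developers asked for can be compared with a small reachability model of the permitted flows. This is an added example, not anything posted in the thread; the host names, zones and rule sets are constructed assumptions that follow Ken's description (only 443 from ISA to IIS, IIS and AD inside the corp network).

```python
"""Segmentation check for the two designs in this thread. Added example: host names,
zones and rule sets are constructed to model Ken's layout (Internet | DMZ | Corp) and
the developers' request (a DMZ web server talking LDAP to AD), not real configs."""
from collections import deque

TRUST = {"internet": 0, "dmz": 1, "corp": 2}  # higher = more trusted

# Ken's design: ISA reverse proxy in the DMZ, IIS and AD both in the corp network.
KEN_ZONES = {"internet": "internet", "isa": "dmz", "iis": "corp", "ad": "corp"}
KEN_RULES = {                   # (src host, dst host, tcp port); all else denied
    ("internet", "isa", 443),   # outer firewall: HTTPS to the proxy only
    ("isa", "iis", 443),        # inner firewall: proxy -> IIS on 443 only
    ("iis", "ad", 389),         # inside corp: LDAP to AD (no firewall hop)
    ("iis", "ad", 88),          # inside corp: Kerberos to AD
}

# Developers' request: IIS in the DMZ authenticating straight against internal AD.
DEV_ZONES = {"internet": "internet", "iis": "dmz", "ad": "corp"}
DEV_RULES = {
    ("internet", "iis", 443),
    ("iis", "ad", 389),         # LDAP punched through the inner firewall
    ("iis", "ad", 88),          # Kerberos punched through the inner firewall
}

def shortest_path(rules, src, dst):
    """Fewest hosts an intruder starting at src must control to get a packet to dst.
    Returns the host list, or None if no permitted flows lead there."""
    prev, queue = {src: None}, deque([src])
    while queue:
        cur = queue.popleft()
        if cur == dst:
            path = []
            while cur is not None:
                path.append(cur)
                cur = prev[cur]
            return path[::-1]
        for s, d, _ in rules:
            if s == cur and d not in prev:
                prev[d] = cur
                queue.append(d)
    return None

def inbound_to_trusted(rules, zones, zone="corp"):
    """Flows crossing into `zone` from a less-trusted zone: the attack surface a
    layered design wants to keep small and single-purpose."""
    return sorted(r for r in rules
                  if zones[r[1]] == zone and TRUST[zones[r[0]]] < TRUST[zone])
```

In Ken's layout the domain controller is three compromised hops away and the only flow into the corp network is one HTTPS port; in the developers' layout AD is two hops away and directory ports are open from the DMZ.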
-
WJ #2
Re: Domain Authenication with the public dmz
What good does it make if your AD cannot be seen from outside? The worst
back-breakers I have heard of so far are all from inside!
John
------------------
"super bidder via .NET 247" <anonymous@dotnet247.com> wrote in message
news:%23XNzsm0IFHA.3356@TK2MSFTNGP12.phx.gbl...
(Type your message here)
--------------------------------
From: super bidder
Can someone share what they are doing as regards authentication within the
DMZ. The dudes that program want to use either LDAP or domain
authentication for users that reside internally to an external web site.
They cannot seem to understand the security ramifications. Does anyone have
this situation? Right now, we will not approve this to go through the
firewall.
-----------------------
Posted by a user from .NET 247 ([url]http://www.dotnet247.com/[/url])
-
Ken Schaefer #3
Re: Domain Authenication with the public dmz
Huh? Exposing your AD to the entire internet flies in the face of every
best practice out there. I would hope you're joking, but you don't seem to
have a :-) anywhere in your post...
Cheers
Ken
"WJ" <JohnWebbs@HotMail.Com> wrote in message
news:u264lVFJFHA.3356@TK2MSFTNGP12.phx.gbl...
: What good does it make if your AD cannot be seen from outside ? The worst
: back-breakers I heard so far are all from inside !
:
: John
:
: ------------------
: "super bidder via .NET 247" <anonymous@dotnet247.com> wrote in message
: news:%23XNzsm0IFHA.3356@TK2MSFTNGP12.phx.gbl...
: (Type your message here)
:
: --------------------------------
: From: super bidder
:
: Can someone share what they are doing as regards authentication within the
: DMZ. The dudes that program want to use either LDAP or domain
: authentication for users that reside internally to an external web site.
: They cannot seem to understand the security ramifications. Does anyone have
: this situation? Right now, we will not approve this to go through the
: firewall.
:
: -----------------------
: Posted by a user from .NET 247 ([url]http://www.dotnet247.com/[/url])
:
-
WJ #4
Re: Domain Authenication with the public dmz
"Ken Schaefer" <kenREMOVE@THISadOpenStatic.com> wrote in message
news:%23JMe94FJFHA.1280@TK2MSFTNGP09.phx.gbl...
> Huh? Exposing your AD to the entire internet flies in the face of every
> best practice out there. I would hope you're joking, but you don't seem to
> have a :-) anywhere in your post...
>
I am indeed very serious. Your house is exposed daily to the street, right?
All you can do is to protect it with a good set of keys (with double locks).
If you lose your house key/car key, then you lose everything in it. The
same holds true for AD. Why bother to invent AD without making it usable
outside of your FW?
This is funny but was true: I had a co-worker who bought a $50,000+ German
Porsche (can run up to 200+ km/hour). He dared not drive it on a super
highway for fear of being HIT, and he could never achieve maximum speed
because he was afraid of being ticketed by police (55 MPH on most U.S. highways
then). Huh! What a WASTE! I said to him!!!
So, a good and experienced administrator can secure an AD to work anywhere
on EARTH. That is all it takes!
John
-
Ken Schaefer #5
Re: Domain Authenication with the public dmz
"WJ" <JohnWebbs@HotMail.Com> wrote in message
news:edzcdvOJFHA.2980@TK2MSFTNGP10.phx.gbl...
:
: "Ken Schaefer" <kenREMOVE@THISadOpenStatic.com> wrote in message
: news:%23JMe94FJFHA.1280@TK2MSFTNGP09.phx.gbl...
: > Huh? Exposing your AD to the entire internet flies in the face of every
: > best practice out there. I would hope you're joking, but you don't seem to
: > have a :-) anywhere in your post...
: >
:
: I am indeed very serious. Your house is exposed daily to the street, right?
: All you can do is to protect it with a good set of keys (with double locks).
: If you lose your house key/car key, then you lose everything in it. The
: same holds true for AD. Why bother to invent AD without making it usable
: outside of your FW?
Security best practice calls for a layered approach: don't put all your
eggs in one basket, and do not trust to the infallibility of the products
you are using. That way, the next time a buffer overflow is discovered in
ProductX, you may not be affected, because no one can reach that product to
exploit it from outside your trusted network. If you do not need to expose
your AD structure, then don't do so, because it's an unnecessary risk that
gains you very little, if any, benefit.
Instead of hawking simplistic, pithy anecdotes ("why buy an expensive car if
you're not going to drive it on the freeway?"), start reading some of the
best practice guides out there.
Cheers
Ken
:
: This is funny but was true: I had a co-worker who bought a $50,000+ German
: Porsche (can run up to 200+ km/hour). He dared not drive it on a super
: highway for fear of being HIT, and he could never achieve maximum speed
: because he was afraid of being ticketed by police (55 MPH on most U.S. highways
: then). Huh! What a WASTE! I said to him!!!
:
: So, a good and experienced administrator can secure an AD to work anywhere
: on EARTH. That is all it takes!
:
: John
-
WJ #6
Re: Domain Authenication with the public dmz
"Ken Schaefer" <kenREMOVE@THISadOpenStatic.com> wrote in message
news:%23phDi8PJFHA.3064@TK2MSFTNGP12.phx.gbl...
> ...and do not trust to the infallibility of the products you are using.
To a point you must be able to have confidence in a product you are using
because it meets your goal. Without trust, you cannot continue the business
transaction.
> ...start reading some of the best practice guides out there.
>
Believe me, I do take good advice. I just do not do all the things that are
written in the BP manuals. In other words, I do not believe all the things
the Bible says :)! What I meant here is "...be flexible".
John