Domain and DMZ – critical consideration

A DMZ prevents an external network from reaching an internal network directly. It does this by isolating the machine that external clients talk to from every other machine. Most of the time the external network is the Internet and the DMZ holds the web server, but that is not the only possible configuration. A DMZ can also be used to isolate one machine inside a network from the others, for example for a branch office that needs its own Internet access but must also reach the corporate network. In DMZ terminology the internal network is the one holding the more secret or valuable information. An easy way to tell which is the external and which is the internal network is to ask yourself: which network am I protecting from the other? With a DMZ we are protecting our internal domain, which contains the valuable information, from the outside world.

It is not a good idea to place domain controllers in the DMZ or to extend the internal domain into it.

The primary advantage of a DMZ is that it provides neutral ground, typically for services (a web service, for example) that must be reachable by both internal and external users.

Domain controllers are by nature among the most valuable assets in the organization. They are the servers that control access to the resources on a Windows network and hold the Active Directory database. An attacker who compromises a domain controller, and with it the domain, essentially owns the entire Windows infrastructure. The whole point of a DMZ is that a compromised DMZ host should yield nothing beyond itself; a domain controller of the internal domain sitting next to that host hands the attacker the rest of the forest. Given the immense importance of keeping domain controllers protected, placing one in the DMZ is not a preferable solution.

The most common solution we see is to deploy DMZ servers as standalone (workgroup) machines. If Active Directory authentication is required to give internal users privileged access to those servers, authenticate with LDAP back to a domain controller on the internal network: use LDAPS (or StartTLS) with certificate validation, bind with a low-privilege service account, and open only that traffic from the DMZ host to the internal domain controllers on the firewall, so the DMZ host never needs a machine account in the internal domain. If you do need a domain controller inside the DMZ to support specific services, prefer creating a separate Active Directory forest within the DMZ and a one-way trust in which the DMZ forest trusts the internal forest. Systems in the DMZ then accept user accounts from the internal forest, while nothing in the internal forest ever trusts the DMZ. Enable selective authentication on that trust so that only explicitly permitted internal accounts can authenticate to DMZ resources rather than every internal user.

The counter-argument is that a separate forest in the DMZ increases management complexity. But should we accept a significant security risk for the sake of simpler management? I think we should be very careful about a domain in the DMZ, as otherwise the DMZ itself may be completely ineffective.

From Windows Server 2008 onward there is also the option of extending the domain into the DMZ by placing a read-only domain controller (RODC) there. This solution has its own ifs and buts: the RODC is still a member of the internal forest and needs connectivity to a writable domain controller, it caches the credentials of every account its Password Replication Policy allows, so a compromised RODC exposes those credentials, and it may still not serve the purpose of domain joining.
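The following audit script is an added example, not code from the original article. It turns the recommendations above into checks a practitioner can run with the RSAT ActiveDirectory module: no domain controller of the internal domain may sit on a DMZ subnet, the trust between the DMZ forest and the internal forest must be one-way (DMZ trusts internal) with selective authentication and SID filtering on, and an RODC's Password Replication Policy must never allow privileged accounts to be cached in the DMZ. Run it once from an admin host in the internal forest and once from the DMZ forest. The subnet `203.0.113.0/24`, the forest name `corp.example.com` and the function names are hypothetical placeholders.

```powershell
# Added audit script (not from the original article). Requires the RSAT
# ActiveDirectory module and an account that can read the directory.
# All subnets and forest names below are hypothetical placeholders.
Import-Module ActiveDirectory

function ConvertTo-IPv4UInt32 {
    # Numeric value of a dotted-quad IPv4 address, for subnet arithmetic.
    param([string]$Address)
    $b = ([System.Net.IPAddress]$Address).GetAddressBytes()
    return [uint32]([uint64]$b[0] * 16777216 + [uint64]$b[1] * 65536 + [uint64]$b[2] * 256 + [uint64]$b[3])
}

function Test-IPInCidr {
    # True when $IP lies inside the IPv4 range $Cidr, e.g. '203.0.113.0/24'.
    param([string]$IP, [string]$Cidr)
    if ([string]::IsNullOrEmpty($IP)) { return $false }
    $network, $prefix = $Cidr.Split('/')
    $mask = [uint32](([uint64]0xFFFFFFFF -shl (32 - [int]$prefix)) -band 0xFFFFFFFF)
    return ((ConvertTo-IPv4UInt32 $IP) -band $mask) -eq ((ConvertTo-IPv4UInt32 $network) -band $mask)
}

function Invoke-DmzDomainAudit {
    param(
        [string[]]$DmzSubnets,     # CIDR ranges that belong to the DMZ
        [string]$InternalForest    # DNS name of the internal (protected) forest
    )
    $privileged = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'
    $findings = New-Object System.Collections.Generic.List[object]
    function Add-Finding($Check, $Object, $Detail) {
        $findings.Add([pscustomobject]@{ Check = $Check; Object = $Object; Detail = $Detail })
    }

    # Checks 1 and 3: walk every domain controller of the domain we are joined to.
    foreach ($dc in Get-ADDomainController -Filter *) {
        foreach ($cidr in $DmzSubnets) {
            if (Test-IPInCidr -IP $dc.IPv4Address -Cidr $cidr) {
                Add-Finding 'DC placement' $dc.HostName "$($dc.IPv4Address) is inside DMZ subnet $cidr (read-only: $($dc.IsReadOnly)); the domain has been extended into the DMZ"
            }
        }
        if ($dc.IsReadOnly) {
            # An RODC caches the secrets of every account its PRP allows; a compromised RODC yields them.
            $allowed = Get-ADDomainControllerPasswordReplicationPolicy -Identity $dc -Allowed
            $denied  = Get-ADDomainControllerPasswordReplicationPolicy -Identity $dc -Denied
            foreach ($g in $privileged) {
                if ($allowed.Name -contains $g)   { Add-Finding 'RODC PRP' $dc.HostName "$g is allowed to be cached on this RODC" }
                if ($denied.Name -notcontains $g) { Add-Finding 'RODC PRP' $dc.HostName "$g is missing from the denied list" }
            }
        }
    }

    # Check 2: trust hygiene. Direction is relative to the forest we run in: Outbound means
    # this forest trusts the target. The DMZ forest trusts the internal forest (Outbound seen
    # from the DMZ, Inbound seen from the internal side); the internal forest never trusts the DMZ.
    $inDmzForest = (Get-ADForest).Name -ne $InternalForest
    $expected = if ($inDmzForest) { 'Outbound' } else { 'Inbound' }
    foreach ($t in (Get-ADTrust -Filter * | Where-Object { -not $_.IntraForest })) {
        if ($inDmzForest -and $t.Target -ne $InternalForest) {
            Add-Finding 'Trust' $t.Target 'unexpected trust partner for a DMZ forest'
            continue
        }
        if ("$($t.Direction)" -ne $expected) {
            Add-Finding 'Trust' $t.Target "direction is $($t.Direction), expected $expected; the internal forest would be trusting the DMZ"
        }
        if ($inDmzForest -and -not $t.SelectiveAuthentication) {
            Add-Finding 'Trust' $t.Target 'selective authentication is off: every internal account can authenticate to DMZ resources'
        }
        if (-not ($t.SIDFilteringForestAware -or $t.SIDFilteringQuarantined)) {
            Add-Finding 'Trust' $t.Target 'SID filtering is disabled, so SID history from the other forest is honoured'
        }
    }
    return $findings
}

# Example run with placeholder values; an empty result means all three checks passed.
Invoke-DmzDomainAudit -DmzSubnets '203.0.113.0/24' -InternalForest 'corp.example.com' | Format-Table -AutoSize
```

Each finding names the check, the object and why it matters, so the output can be fed straight into a remediation ticket. Selective authentication is only evaluated from the DMZ side because the flag lives on the trusting forest's trust object; the direction and SID-filtering checks are meaningful from either side.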
