Security Basics mailing list archives

RE: DMZ and AD Authentication
From: "JM" <jm () mindless com>
Date: Tue, 16 Dec 2003 17:01:16 -0000

I would recommend using some sort of reverse proxy for external
authentication, and then permitting those users to access the AD for

If you need more info contact me direct.


-----Original Message-----
From: jamesworld () intelligencia com [mailto:jamesworld () intelligencia com] 
Sent: 16 December 2003 02:57
To: Geoff.Shatz () pchelps com
Cc: security-basics () securityfocus com
Subject: RE: DMZ and AD Authentication


I second what Shawn said.  If you can avoid it...don't do it.

If however, you are stuck with an order from up high.

Connect to the AD box thru the firewall via IPSEC.

If you use NIDS, however, this will blind it to any attacks that might come
thru if the web server was compromised.

I would recommend using the Cisco Security Agent (formerly Okena) on the web

The other thing you could do is use a Cisco ACS server to front end the AD
authentication and have the web server authenticate to the ACS via RADIUS or
TACACS.  You will need to code the RADIUS integration (unless you can find
it somewhere :-)



At 11:25 12/12/2003, Shawn Jackson wrote:

        All you need is LDAP access (TCP 389) to your Catalogue server.
Even if you lock down your connection to the AD box, if someone 
compromises your IIS server they can gain a lot of information from 
your server. When we used this method with C# .Net we needed to have 
LDAP and Microsoft-DS (TCP 445) open to the server.

        Honestly, I would advise against placing a server in the DMZ 
that will access any part of your AD infrastructure; it's just not 
secure enough. If you absolutely had to authenticate with AD I'd 
suggest creating a simple program (Webpage (ASP, CGI, and CF) or .Net 
Service/Remote App) that would take two parameters (Username and
Password) and return a value, then just parse that value to get your 
logon result. Place that app on a 'non-critical' server and it will be 
far more secure than accessing AD directly.

        I can give you the code I use to access AD in C# and suggested 
implementation if you wish.

Shawn Jackson
Systems Administrator
Horizon USA
1190 Trademark Dr #107
Reno NV 89521

Email: sjackson () horizonusa com
Phone: (775) 858-2338
       (800) 325-1199 x338
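The two designs above, jamesworld's "front-end the AD authentication with a RADIUS server" and Shawn's "small app that takes Username and Password and returns a value", are the same broker pattern: the DMZ web server hands credentials to an intermediary and only ever gets back an accept/reject, never directory contents. The following Python is an added example written for this archive page, not code from any poster, and shows what "coding the RADIUS integration" involves: the client side builds an RFC 2865 Access-Request with the PAP User-Password hiding, the broker side parses it strictly, checks the credentials and answers with an authenticated Access-Accept or Access-Reject, and the client verifies the Response Authenticator so a forged Accept from a compromised neighbour is not trusted. The in-memory `DIRECTORY`, its salt, the shared secret and the sample user are constructed stand-ins for the ACS/AD side, and the UDP transport is replaced by an in-process call.

```python
import hashlib
import hmac
import secrets
import struct
from typing import Dict, Optional, Tuple

# RADIUS packet codes and attribute types used here (RFC 2865).
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2
HEADER_LEN = 20  # code(1) + identifier(1) + length(2) + authenticator(16)


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to a multiple of 16 bytes and XOR each block with
    MD5(secret + previous block); the first 'previous block' is the Request
    Authenticator. This hides the password from casual capture only."""
    if not 0 < len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out, prev = out + block, block
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password, run on the broker (server) side."""
    if len(hidden) % 16 or not 16 <= len(hidden) <= 128:
        raise ValueError("malformed User-Password attribute")
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def _attr(attr_type: int, value: bytes) -> bytes:
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(ident: int, username: str, password: str,
                         secret: bytes) -> Tuple[bytes, bytes]:
    """Client side (the DMZ web server). Returns the packet plus the random
    Request Authenticator, which the client keeps to validate the reply."""
    authenticator = secrets.token_bytes(16)
    attrs = _attr(ATTR_USER_NAME, username.encode()) + _attr(
        ATTR_USER_PASSWORD, hide_password(password.encode(), secret, authenticator))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, HEADER_LEN + len(attrs))
    return header + authenticator + attrs, authenticator


def parse_packet(data: bytes) -> Tuple[int, int, bytes, Dict[int, bytes]]:
    """Strict parser: every length is checked before it is used for slicing."""
    if len(data) < HEADER_LEN:
        raise ValueError("packet too short")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length != len(data):
        raise ValueError("length field does not match packet size")
    attrs, pos = {}, HEADER_LEN
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = data[pos], data[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("bad attribute length")
        attrs[attr_type] = data[pos + 2:pos + attr_len]
        pos += attr_len
    return code, ident, data[4:HEADER_LEN], attrs


def build_response(code: int, ident: int, request_auth: bytes, secret: bytes) -> bytes:
    """Broker side. The Response Authenticator is MD5 over the reply header,
    the Request Authenticator and the shared secret, binding the reply to
    one specific request."""
    header = struct.pack("!BBH", code, ident, HEADER_LEN)
    return header + hashlib.md5(header + request_auth + secret).digest()


def verify_response(data: bytes, request_auth: bytes, secret: bytes) -> Optional[int]:
    """Client side: return the reply code only if its authenticator checks out."""
    code, _, response_auth, _ = parse_packet(data)
    expected = hashlib.md5(data[:4] + request_auth + data[HEADER_LEN:] + secret).digest()
    return code if hmac.compare_digest(expected, response_auth) else None


def _pwhash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


# Constructed stand-in for the directory behind the broker (ACS/AD in the
# thread). Only this process sees it; the web server only gets accept/reject.
_SALT = b"constructed-salt-not-a-secret"
DIRECTORY = {"alice": _pwhash("Winter2003!", _SALT)}


def check_credentials(username: str, password: str) -> bool:
    stored = DIRECTORY.get(username)
    candidate = _pwhash(password, _SALT)  # hash even for unknown users (timing)
    return stored is not None and hmac.compare_digest(stored, candidate)


def broker_handle(packet: bytes, secret: bytes) -> bytes:
    """The 'simple program' from the thread: take a request, answer yes/no."""
    code, ident, request_auth, attrs = parse_packet(packet)
    reject = build_response(ACCESS_REJECT, ident, request_auth, secret)
    if code != ACCESS_REQUEST or ATTR_USER_NAME not in attrs or ATTR_USER_PASSWORD not in attrs:
        return reject
    try:
        username = attrs[ATTR_USER_NAME].decode()
        password = reveal_password(attrs[ATTR_USER_PASSWORD], secret, request_auth).decode()
    except (UnicodeDecodeError, ValueError):  # wrong secret yields garbage here
        return reject
    ok = check_credentials(username, password)
    return build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, request_auth, secret)


def authenticate(username: str, password: str, secret: bytes) -> bool:
    """Full round trip, in-process (UDP transport omitted)."""
    request, request_auth = build_access_request(7, username, password, secret)
    reply = broker_handle(request, secret)
    return verify_response(reply, request_auth, secret) == ACCESS_ACCEPT
```

The point of `verify_response` and of the strict `parse_packet` is the threat the thread keeps returning to: if the DMZ web server is compromised, it can only send username/password pairs to the broker and read one bit back, and a forged reply that does not carry a valid Response Authenticator for the outstanding request is discarded. Note that RADIUS PAP hiding is MD5-based obfuscation, not encryption, so the link between web server and broker should still be protected (the IPSEC suggested above, or RadSec/TLS).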

-----Original Message-----
From: Geoff.Shatz () pchelps com [mailto:Geoff.Shatz () pchelps com]
Sent: Friday, December 12, 2003 7:33 AM
To: security-basics () securityfocus com
Subject: DMZ and AD Authentication

We are in a situation where we are currently planning the move of our 
web server from an externally hosted solution to hosting the web server 
in house. As part of this move we will be implementing a new internal 
application that will run on the web server that will require 
authentication based on Active Directory account info. Obviously this 
will require that the web server has the ability to communicate with 
the AD domain controllers. That being the case will it still be 
possible to place this web server on a DMZ or will the amount of open 
ports required between the DMZ and LAN for the required authentication 
process severely mitigate the benefits of placing the server in the DMZ 
in the first place? Any and all suggestions and or strategies to 
accomplish this in the most secure fashion are welcome and appreciated.





