-
September 5th, 2005, 12:54 PM
#1
Active Directory Domain in a Gateway Environment
Does anyone have, or know of, any good resources about implementing a Windows/Active Directory Domain in a gateway environment?
Or alternatively any good resources on locking down/securing an active directory domain installation?
The organisation I work for already has a Windows domain implemented in our internal environment but is looking at implementing one in the gateway environment to help manage the servers (including accounts and LDAP, GPOs etc.) in that environment. My role is configuration guidelines and advice from a security perspective.
I have a few resources from the Microsoft Site (but if you know of a good resource on the Microsoft site let me know in case I have missed it) but I am keen to find 3rd party resources if there are any out there.
Cheers
-
September 12th, 2005, 09:57 PM
#2
Junior Member
Do you by chance mean a Domain Controller in a DMZ?
-
September 12th, 2005, 10:56 PM
#3
I think that's what he means, but I'm not quite sure.. Have you checked Microsoft's website for any form of software downloadable for you? Also, what OS (of Windows) are you using? Sorry, I think that might help.. I don't understand fully what you need, but my guess is a Domain Controller.
Again, check Microsoft's website.. I'm pretty sure they have what you're looking for.
-
September 12th, 2005, 11:23 PM
#4
To expand on Spyder's question, what OS do the current client computers run, and what OS does the server run that you're looking at installing Active Directory on?
AD gives you a lot of control over things that you otherwise would have a much harder time managing in earlier OSes. If you're talking Win2000/2003 here, then yeah, I'd lean towards setting up AD.
Just be careful. If you don't REALLY know what you're doing, you can REALLY screw up your network by messing around with AD.
-
September 13th, 2005, 12:48 AM
#5
Junior Member
Best practice guide from Microsoft
Microsoft AD guide
Also be sure to check out the 'What others are downloading' section at the bottom...
"Poor planning on your part does not necessitate an emergency on my part." -Unknown
-
September 13th, 2005, 01:12 AM
#6
You may want to check out the http://www.sans.org reading room. The section for the GCWN will most likely have papers along the lines of what you need, tho I'm not sure if they have anything specifically for using AD to manage boxes in a screened subnet.
I do know however that a good portion of the GCWN covers Active Directory and Group policy security.
"When I get a little money I buy books; and if any is left I buy food and clothes." - Erasmus
"There is no programming language, no matter how structured, that will prevent programmers from writing bad programs." - L. Flon
"Mischief my ass, you are an unethical moron." - chsh
Blog of X
-
September 13th, 2005, 04:49 AM
#7
Thanks guys
Am talking about installing a Domain Controller in DMZ environment and creating a domain to manage the servers in that environment.
Currently all boxes in the environment are joined to a workgroup rather than a domain; this is done for a couple of reasons:
1) Hardening procedures remove required functionality
2) Functionality not needed so removed in hardening procedures
As you can see this is a bit of a which came first type question. Initially DMZ(s) were not large and did not consist of many boxes but this has continued to expand to a point where now management is VERY time consuming.
Would be doing so on a 2K3 domain controller
As I said in the original post, I have quite a few good resources from the Microsoft site but was wondering if anyone knew of any other organisations who had similar guidelines or best practices. I have checked NIST etc.; I was just checking to see if anyone had been through this before and had good resources.
Below are some of the resources I have found that seem good in case anyone is interested or is looking for similar info:
Server and domain isolation: http://www.microsoft.com/technet/sec...c/default.mspx
Best Practices from Microsoft
http://www.microsoft.com/windowsserv...dsecurity.mspx
Windows 2003 Server Security Guide
http://www.microsoft.com/technet/sec...HG/SGCH00.mspx
Quest Software Info
http://whitepaper.informationweek.co...8226/index.jsp
I have put a page with good links for W2K3 resources/technical articles
http://www.microsoft.com/windowsserv...icleindex.mspx
Cheers
-
September 13th, 2005, 05:41 PM
#8
Junior Member
I will make note that at my company we have a policy of no Active Directory computers in the DMZ...only in the internal network....
We have upwards of 100 computers in the DMZ...
"Poor planning on your part does not necessitate an emergency on my part." -Unknown
-
September 14th, 2005, 03:18 AM
#9
Been our policy too historically, I agree that the Domain is not necessary but there is a push for it.
Unfortunately I don't make the decision on creating domain in DMZ (Decision from high above) I am just the poor sucker that has to secure it (as much as possible)
I would hope though if I did my research and found that the risks REALLY ARE too high then my immediate boss would back me up on that. - I am pretty sure he would
Raises an interesting question though, what risks are the 'show stoppers' on a project such as this?
Note: I don't really expect an answer because this is dependent on (among other things) company risk profile, data holdings, regulatory requirements and the technologies we have but am happy to hear thoughts if anyone has any
Cheers
-
September 14th, 2005, 10:13 AM
#10
Hi cabby80,
Here is a site that I find fairly useful.
real time publishers
It has some very good e-books on administrating and securing Active Directory. Hope you find it helpful.
"America is the only country that went from barbarism to decadence without civilization in between."
"The reason we are so pleased to find other people's secrets is that it distracts public attention from our own."
Oscar Wilde (1854-1900)