Page 1 of 2 12 LastLast
Results 1 to 10 of 11

Thread: Active Directory Domain in a Gateway Environment

  1. #1

    Active Directory Domain in a Gateway Environment

    Does anyone have, or know of, any good resources about implementing a Windows/Active Directory Domain in a gateway environment?
    Or alternatively any good resources on locking down/securing an active directory domain installation?

    The organisation I work for already have an Windows domain implemented in our internal environment but are looking at implementing one in the gateway environment to help manage the servers (including accounts and LDAP, GPO's etc) in that environment. My role is configuration guidelines and advice from a security perspective.

    I have a few resources from the Microsoft Site (but if you know of a good resource on the Microsoft site let me know in case I have missed it) but I am keen to find 3rd party resources if there are any out there.

    Cheers

  2. #2
    Junior Member
    Join Date
    Feb 2005
    Posts
    9
    Do you by chance mean a Domain Controller in a DMZ?

  3. #3
    Senior Member
    Join Date
    Oct 2002
    Posts
    4,055
    I think that's what he means, but I'm not quite sure.. Have you checked microsoft's website for any form of software downloadable for you? Also, what OS (of Windows) are you using? Sorry, I think that might help.. I don't understand fully what you need, but my guess is a Domain Controller.

    Again, check microsoft's website.. I'm pretty sure they have what you're looking for.
    Space For Rent.. =]

  4. #4
    To expand on Spyder's question, what OS does the current's client computers run, and what OS does the server run that you're looking at installing Active Directory on?

    AD gives you a lot of control over things that you otherwise would have a much harder time managing in earlier OSes. If you're talking Win2000/2003 here, then yeah, I'd lean towards setting up AD.

    Just be careful. If you don't REALLY know what you're doing, you can REALLY screw up your network by messing around with AD.

  5. #5
    Junior Member
    Join Date
    Aug 2004
    Posts
    16
    Best practice guide from Microsoft


    Microsoft AD guide

    Also be sure to check out the 'What others are downloading section' at the bottom...
    \"Poor planning on your part does not necessitate an emergency on my part.\" -Unknown

  6. #6
    Ninja Code Monkey
    Join Date
    Nov 2001
    Location
    Washington State
    Posts
    1,027
    You may want to check out the http://www.sans.org reading room. The section for the GCWN will most likely have papers along the lines of what you need, tho I'm not sure if they have anything specifically for using AD to manage boxes in a screened subnet.

    I do know however that a good portion of the GCWN covers Active Directory and Group policy security.
    "When I get a little money I buy books; and if any is left I buy food and clothes." - Erasmus
    "There is no programming language, no matter how structured, that will prevent programmers from writing bad programs." - L. Flon
    "Mischief my ass, you are an unethical moron." - chsh
    Blog of X

  7. #7
    Thanks guys

    Am talking about installing a Domain Controller in DMZ environment and creating a domain to manage the servers in that environment.

    Currently all boxes in the environment are joined to a workgroup rather then on a domain, this is done for a couple of reasons:
    1) Hardening procedures remove required functionality
    2) Functionality not needed so removed in hardening procedures

    As you can see this is a bit of a which came first type question. Initially DMZ(s) were not large and did not consist of many boxes but this has continued to expand to a point where now management is VERY time consuming.

    Would be doing so on a 2K3 domain controller

    As I said in original post I have quite a few good resources from the Microsoft Site but was wondering if anyone knew of any other organisations who had similar guidelines or best practices - I have checked NIST etc I was just checking to see if anyone had been through this before and had good resources.

    Below are some of the resources I have found that seem good in case anyone is interested or is looking for similar info:

    Server and domain isolation: http://www.microsoft.com/technet/sec...c/default.mspx

    Best Practices from Microsoft
    http://www.microsoft.com/windowsserv...dsecurity.mspx

    Windows 2003 Server Security Guide
    http://www.microsoft.com/technet/sec...HG/SGCH00.mspx

    Quest Software Info
    http://whitepaper.informationweek.co...8226/index.jsp

    I have put a page with good links for W2K3 resources/technical articles
    http://www.microsoft.com/windowsserv...icleindex.mspx

    Cheers


  8. #8
    Junior Member
    Join Date
    Aug 2004
    Posts
    16
    I will make note that at my company we have a policy of no Active Directory computers in the DMZ...only in the internal network....

    We have upwards of 100 computers in the DMZ...
    \"Poor planning on your part does not necessitate an emergency on my part.\" -Unknown

  9. #9
    Been our policy too historically, I agree that the Domain is not necessary but there is a push for it.

    Unfortunately I don't make the decision on creating domain in DMZ (Decision from high above) I am just the poor sucker that has to secure it (as much as possible)

    I would hope though if I did my research and found that the risks REALLY ARE too high then my immediate boss would back me up on that. - I am pretty sure he would

    Raises an interesting question though, what risks are the 'show stoppers' on a project such as this?

    Note: I don't really expect an answer because this is dependent on (among other things) company risk profile, data holdings, regulatory requirements and the technologies we have but am happy to hear thoughts if anyone has any

    Cheers

  10. #10
    AO Guinness Monster MURACU's Avatar
    Join Date
    Jan 2004
    Location
    paris
    Posts
    1,003
    Hi cabby80,
    Here is a site that i find fairly usefull.
    real time publishers
    It has some very good e-books on administrating and securing Active directory. Hope you find it helpfull.
    \"America is the only country that went from barbarism to decadence without civilization in between.\"
    \"The reason we are so pleased to find other people\'s secrets is that it distracts public attention from our own.\"
    Oscar Wilde(1854-1900)

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •