
Thread: BDC in DMZ?

  1. #1 (Senior Member, Join Date: Sep 2003, Posts: 137)

    BDC in DMZ?

    Hello All,

    Just wanted to run something past you all.

    I am mapping the network for a new company that I am working for and have run into some things that I think are a no-no. Just want to validate my thoughts here.

    1. We run our own web server and have it in a DMZ using a WatchGuard Firebox. It is part of the Optional Zone in the Firebox configuration. During the mapping of the network I came to realize that it's an NT4 domain, with one PDC and 3 BDCs. Currently one of the BDCs is the web server, which is in the DMZ. I don't think this is a good idea, but wanted to see if anyone can think of any reason why we would have it there? I mean, it would be bad if someone got root on it and basically could get all the user and domain info, right? No NT authentication is used for any kind of extranet. On top of that, there are 25 critical patches that need to be applied to the server.


    2. The WINS server is also in the DMZ. Correct me if I'm wrong again, but if it's in the DMZ, isn't it possible to hack the system and get the entire WINS database, which would enumerate the entire network in one shot? We do not have local DNS up yet, but that is one of my first projects. I was thinking of getting DNS up inside my private network, and then getting rid of the WINS server.

    Just looking for other points of view for when I go to the boss and let him know we may be in a bad position.


    Thanks for any feedback.
    "Common Sense, isn't that common"
    "It is a lot easier to raise a child than it is to repair an adult"
    -Kruptos

  2. #2 (Senior Member, Join Date: Jan 2002, Posts: 1,207)
    Having a DC do any other tasks at all is a really bad idea; someone who cracks your web server (for instance by using an IIS exploit on it) will be able to download the password hashes from the DC and crack them. This will probably yield the passwords of a lot of your users (especially if LanMan hashes are enabled).

    Also, the amount of access that a DC needs to the other DCs (to synchronise) is more than you would normally want to give a web server.

    So I recommend: don't do it. An NT web server should either be standalone or a domain member. I personally recommend standalone if there's only one (or two).

    Unless there is some really good security reason to do it (example: requirement to authenticate internal users using NTLM). Even in that case it might be a better idea to have a domain trust or subdomain. In the latter case, of course, you'll have to upgrade to Windows 2000, which is a really good idea from a security standpoint anyway.

    I don't know a lot about WINS; in my experience it doesn't work very well. In fact, enumerating your network is a pretty minimal risk compared to getting all the passwords anyway.

    Slarty

  3. #3 (Senior Member, Join Date: Oct 2001, Posts: 748)
    Totally agree with Slarty. Domain controllers should be domain controllers and nothing else. Also a very bad idea to have a domain controller in your DMZ.

    For the WINS: aside from having the ability to get a pretty accurate mapping of what your network looks like (number of machines, names of machines, etc.), if somebody were to get hold of that machine and decide to be malicious, taking out WINS on an NT 4.0 network can cause major headaches to end users that are using NetBIOS to do their name resolution.

    Your DMZ should really only contain those services that need to be accessed from the outside world, but still need some level of interaction with your intranet.

    If you have the equipment/money/time, the best configuration would be for a separate network to be established for the external web servers. Totally remove them from your intranet DMZ and establish a new network perimeter just for those services.
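The placement rules the thread converges on (domain controllers run nothing else, DCs and WINS never sit in the DMZ, the DMZ holds only externally facing services, exposed hosts must be patched) can be turned into a simple inventory lint. This is an added example, not code from the thread or from WatchGuard; the zone names, role labels and the sample inventory are constructed to mirror the situation described above.

```python
from dataclasses import dataclass

# Constructed inventory model. Zones follow the Firebox naming used in the
# thread: "Trusted" (private LAN) and "Optional" (the DMZ).
DMZ_ZONE = "Optional"
DC_ROLES = frozenset({"PDC", "BDC"})
# A DC holds the account database, WINS holds the NetBIOS name map; losing
# either from the DMZ exposes the whole domain or its layout.
SENSITIVE_ROLES = DC_ROLES | {"WINS"}
# Roles that face the outside and therefore justify a DMZ slot.
EXTERNAL_ROLES = frozenset({"WEB", "SMTP"})


@dataclass(frozen=True)
class Host:
    name: str
    zone: str
    roles: frozenset
    missing_critical_patches: int = 0


def audit(hosts):
    """Return (host, severity, reason) tuples for placements the thread warns about."""
    findings = []
    for h in hosts:
        sensitive = h.roles & SENSITIVE_ROLES
        extra = h.roles - DC_ROLES
        if h.zone == DMZ_ZONE and sensitive:
            findings.append((h.name, "HIGH", f"{'/'.join(sorted(sensitive))} reachable from the DMZ"))
        if (h.roles & DC_ROLES) and extra:
            findings.append((h.name, "HIGH", f"domain controller also runs {'/'.join(sorted(extra))}"))
        if h.zone == DMZ_ZONE and not (h.roles & EXTERNAL_ROLES):
            findings.append((h.name, "MEDIUM", "no externally facing role; does not belong in the DMZ"))
        if h.zone == DMZ_ZONE and h.missing_critical_patches:
            findings.append((h.name, "HIGH", f"{h.missing_critical_patches} critical patches missing on an exposed host"))
    return findings


# Constructed sample inventory mirroring the original post.
INVENTORY = [
    Host("WEB01", "Optional", frozenset({"BDC", "WEB"}), missing_critical_patches=25),
    Host("WINS01", "Optional", frozenset({"WINS"})),
    Host("PDC01", "Trusted", frozenset({"PDC"})),
    Host("BDC02", "Trusted", frozenset({"BDC"})),
]

if __name__ == "__main__":
    for name, severity, reason in audit(INVENTORY):
        print(f"{severity:6} {name}: {reason}")
```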

  4. #4 (Senior Member, Join Date: Sep 2003, Posts: 137)
    Thanks for the feedback all,

    That is pretty much what I thought, just wanted to confirm before I go stomping into the boss's office.



    Thanks again!
    "Common Sense, isn't that common"
    "It is a lot easier to raise a child than it is to repair an adult"
    -Kruptos

  5. #5 (Senior Member, Join Date: Mar 2003, Posts: 372)
    Yeah, I agree with Slarty too... funny thing is I just ran into this very thing here at my work.

    About three weeks ago I started to build a new network/IP map of all the machines we have. In the course of this mapping I found a BDC that was a WINS server sitting in our DMZ. I have NO idea how or why it was put there... and to top it off, it was about 5 months out of date on patches. The network folks couldn't answer as to why it was there, the application folks couldn't either, and there was no change control reflecting the move of this box.

    Anyway, I had them move it immediately as the exposure that the box gave us was just too high. I try to run a fairly tight ship for security here, but sometimes idiot things like this happen :-/

    So yes, get that thing out of your DMZ and try to find out what they were thinking when they did put it there.

    Give a man a match and he will be warm for a while, light him on fire and he will be warm for the rest of his life.
