1 Way trust to DMZ in AD


  • 1 Way trust to DMZ in AD

    I am working on a project and I was wondering if anyone could give me some links to explanations as to why creating a one-way trust to my DMZ in AD is a security risk? I need to justify this to the proper people, so I'm trying to find any and all references I can to help me out.

  • #2
    Re: 1 Way trust to DMZ in AD

    In relation to the DMZ:
    Where is the DC that is trusting?
    Where is the DC that is trusted?

    Who has access to the DMZ such that the DMZ exists in the first place? Business users? Internet users? Anonymous users? Hackers? Bots? Web crawlers? Would this DC be a GC thus maintaining information about all objects in the forest? Would it maintain any FSMO roles? I wouldn't put any reputable DC in a DMZ, much less set up a trust relationship with it. DCs don't make good bastion hosts.
    Last edited by jasonboche; 17th May 2006, 16:19.
    VCDX3 #34, VCDX4, VCDX5, VCAP4-DCA #14, VCAP4-DCD #35, VCAP5-DCD, VCPx4, vEXPERTx4, MCSEx3, MCSAx2, MCP, CCAx2, A+
    boche.net - VMware Virtualization Evangelist
    My advice has no warranties. Follow at your own risk.



    • #3
      Re: 1 Way trust to DMZ in AD

      Originally posted by jasonboche
      In relation to the DMZ:
      Where is the DC that is trusting?
      Where is the DC that is trusted?

      Who has access to the DMZ such that the DMZ exists in the first place? Business users? Internet users? Anonymous users? Hackers? Bots? Web crawlers? Would this DC be a GC thus maintaining information about all objects in the forest? Would it maintain any FSMO roles? I wouldn't put any reputable DC in a DMZ, much less set up a trust relationship with it. DCs don't make good bastion hosts.
      The DC that is trusted is outside the DMZ. We want to set up a one-way trust to the DC inside the DMZ.

      Internet users and business users currently have access. We have the need for some employees to also have access. Yes, this would be a GC.



      • #4
        Re: 1 Way trust to DMZ in AD

        This is not a good idea in any case.

        In this case, the trusted domain is in the DMZ, meaning, your protected resources that are not in the DMZ are trusting users coming from the trusted domain in the DMZ.

        You are opening up vital components of your infrastructure to the internet and all the nasty things that are part of the internet.

        I advise against this idea.
        VCDX3 #34, VCDX4, VCDX5, VCAP4-DCA #14, VCAP4-DCD #35, VCAP5-DCD, VCPx4, vEXPERTx4, MCSEx3, MCSAx2, MCP, CCAx2, A+
        boche.net - VMware Virtualization Evangelist
        My advice has no warranties. Follow at your own risk.
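        The point in #4 is about trust direction: an inbound trust makes the internal domain accept accounts from the DMZ domain. The following PowerShell is an added example for auditing that configuration; it is not code from this thread or from any of the posters. It assumes the RSAT ActiveDirectory module on a machine joined to the internal (trusting) domain, rights to read trust objects, and a placeholder DMZ domain name (`dmz.example.com`); the function name `Get-DmzTrustFindings` is hypothetical.

```powershell
# Added example (not from the thread): list the trusts of the internal domain and
# flag those that let DMZ accounts into it, plus the hardening controls that are
# commonly expected on such a trust. Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

# Placeholder DMZ domain name(s); replace with the real DMZ DNS name(s).
$DmzDomains = @('dmz.example.com')

function Get-DmzTrustFindings {
    # Returns one finding object per trust with a list of risk notes.
    param(
        [Parameter(Mandatory)] [object[]] $Trusts,
        [string[]] $DmzDomainNames = $DmzDomains
    )

    foreach ($t in $Trusts) {
        $notes = @()

        # Direction is relative to the domain being queried: 'Inbound' means the
        # partner (Target) is trusted by us, so its users can be granted access here.
        $partnerIsDmz = $DmzDomainNames -contains $t.Target
        $inbound      = $t.Direction -in @('Inbound', 'Bidirectional')

        if ($partnerIsDmz -and $inbound) {
            $notes += 'Internal resources trust accounts from a DMZ domain (the case warned about in #4)'
        }
        if ($partnerIsDmz -and $t.Direction -eq 'Bidirectional') {
            $notes += 'Two-way trust: internal accounts are also usable inside the DMZ'
        }
        if (-not $t.IntraForest -and -not $t.ForestTransitive -and -not $t.SIDFilteringQuarantined) {
            $notes += 'SID filtering (quarantine) is off on this external trust'
        }
        if ($t.ForestTransitive -and -not $t.SIDFilteringForestAware) {
            $notes += 'SID filtering is off on this forest trust'
        }
        if ($inbound -and -not $t.SelectiveAuthentication) {
            $notes += 'Selective authentication is off: trusted users become Authenticated Users on every internal host'
        }

        [pscustomobject]@{
            Partner   = $t.Target
            Direction = $t.Direction
            TrustType = $t.TrustType
            IsDmz     = $partnerIsDmz
            Findings  = $notes
        }
    }
}

# Usage: query the trusts of the current domain and print the findings.
$trusts   = Get-ADTrust -Filter *
$findings = Get-DmzTrustFindings -Trusts $trusts
$findings | Format-Table Partner, Direction, TrustType, IsDmz, @{ n = 'Findings'; e = { $_.Findings -join '; ' } } -Wrap
```

Run it from the internal domain, since `Direction` is reported relative to the domain the cmdlet is pointed at; a trust that shows as `Inbound` from the DMZ side appears as `Outbound` from inside and is the less dangerous direction. An empty `Findings` list for a DMZ partner still means the DMZ DC is reachable from internal DCs, which is the exposure #2 and #4 object to.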
