We have a need to allow a cloud-based service to do lookups against our 
internal AD.  Their site will use same sign-on by looking up usernames and 
passwords over secure LDAP.  This is the first real authentication 
configuration I'm doing against external services, so just getting my feet wet 
with this one.  The vendor says their product will work with an RODC, and we're 
already extended on the schema to use one.

So, I've proposed adding an RODC in a "perimeter" subnet, rather than having 
them connect all the way through to our main internal server subnet and talk to 
writeable DCs.  The RODC would be in a new AD site, with no subnets assigned, 
so internal clients shouldn't ever attempt to authenticate to it.  There are 
minimal network based firewall rules to allow certain systems access (such as 
the writeable DCs), and then I'm going to work on two-way Windows Firewall 
rules to lock it down more, and then (carefully after testing) make sure those 
are enforced by GPO with no override options.

A)     Is this overkill?  I'm trying to think of it from a security standpoint, 
but that isn't always my best angle, and don't want to do something if there is 
no real benefit.  Even though the box is here in our physically secured 
datacenter (as opposed to a branch office), it is going to be somewhat more 
exposed to external connections, which none of our existing DCs are.  Firstly, 
it makes sense to me that we shouldn't poke a hole right through to our central 
server network.  Using an RODC seems like it would protect us more from account 
changes if the box were compromised.  And, firewall rules that can't be 
modified could at least mitigate some threat of what else they can get to if 
the box were to be compromised.

B)     Since I haven't really set up an RODC before, as I read through, I'm 
seeing information about configuring the password caching that I'm not sure if 
we need.  The idea is that their server(s) will talk to this server to verify 
username and password information, allowing our users to log onto their website.
If I'm reading correctly, if an RODC doesn't have the password cached (which it 
has none by default), it will go talk to a writeable DC to get that 
information.  In the case of a branch office, it might make sense to allow 
certain users to cache locally in case the WAN link is down, but I'm not 
dealing with that here.  So, am I correct in thinking that I don't need to 
configure it to cache anything additional for passwords (no PRP 
settings/changes required), as the RODC will look those up each time from a 
writeable DC, and pass it along?  I'm not worried about a traffic hit, and if 
all of our writeable DCs are down the RODC is likely offline too and the 
datacenter is dark.  Or, do I need to plan on configuring it to cache the 
passwords of just those users who need to authenticate on the external website?

C)     Suggestions?  Anything else to consider?  I'm not sure what others do 
for security with these kinds of service connections.

Thanks!
Bonnie
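A check for the caching question in B), added here as an example and not part of the original message: with the ActiveDirectory PowerShell module (RSAT) it lists the RODC's allowed and denied Password Replication Policy entries and which secrets it has actually cached, so you can confirm that an untouched PRP means nothing is stored on the perimeter box. The RODC name is a placeholder.

```powershell
# Added example, not from the original post. Audits an RODC's Password
# Replication Policy (PRP) and what it has cached so far. Run from a
# domain-joined admin workstation with RSAT; read rights are enough.
Import-Module ActiveDirectory

$Rodc = 'PERIM-RODC01'   # placeholder for the perimeter RODC's hostname

# 1. Explicit "allowed" entries. Out of the box the Allowed RODC Password
#    Replication Group is empty, so no user secrets are cached and every
#    logon the RODC sees is forwarded to a writeable DC for verification.
Write-Host "== PRP allowed list for $Rodc =="
Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Allowed |
    Select-Object Name, ObjectClass, DistinguishedName

# 2. Explicit "denied" entries. Denied wins over allowed; the built-in
#    Denied RODC Password Replication Group (Domain Admins etc.) should be here.
Write-Host "== PRP denied list for $Rodc =="
Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Denied |
    Select-Object Name, ObjectClass, DistinguishedName

# 3. Accounts whose secrets have actually been replicated to the RODC.
#    For a lookup-only RODC with no PRP changes this should contain no
#    ordinary user accounts; anything that shows up here is what an attacker
#    could extract if the box itself were compromised.
Write-Host "== Secrets currently cached on $Rodc =="
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts |
    Select-Object Name, ObjectClass, DistinguishedName

# 4. Accounts that have authenticated through this RODC (cached or forwarded).
#    Handy for confirming only the vendor's lookup traffic ever reaches it.
Write-Host "== Accounts that have authenticated via $Rodc =="
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -AuthenticatedAccounts |
    Select-Object Name, ObjectClass
```

Re-run section 3 after the vendor integration has been live for a while; if it stays free of user accounts, no PRP changes were needed.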
