Thanks for everyone's input. I've got a lot of planning to do! Ken
-----Original Message----- From: Roger Seielstad [mailto:roger.seielstad@;inovis.com] Sent: Thursday, November 07, 2002 7:52 AM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] IIS behind firewall Actually, there are a lot of secure ways to do this - none of them, however, involve putting IIS outside your firewall. There's no reason that it can't be behind the firewall, with just ports 443 and 80 open from the outside world. The flip side to that is putting it outside your firewall, you need all the NT or AD authentication ports open, plus you have to do a lot of hacking your Exchange servers to set static ports for the services (by default they are dynamicly assigned ports). We happen to use a proxy server in our DMZ that functions as both a reverse proxy (many clients to one server) and an SSL accelerator, with the OWA server inside the firewall, and limited to just the proxy box for connections. ------------------------------------------------------ Roger D. Seielstad - MCSE Sr. Systems Administrator Inovis - Formerly Harbinger and Extricity Atlanta, GA > -----Original Message----- > From: Garello, Kenneth [mailto:KGarello@;worcester.edu] > Sent: Wednesday, November 06, 2002 2:19 PM > To: '[EMAIL PROTECTED]' > Subject: RE: [ActiveDir] IIS behind firewall > > > Rick, > > Thank you very much for your thoughts. > > My task at hand is to provide Outlook Web Access to our internal mail > system. From your discussion, I take it that there really is > no secure way > to do this. Are there options that I am not aware of? > > Ken > > -----Original Message----- > From: Rick Kingslan [mailto:rkingsla@;cox.net] > Sent: Wednesday, November 06, 2002 11:11 AM > To: [EMAIL PROTECTED] > Subject: RE: [ActiveDir] IIS behind firewall > > Documents of interest: > > http://www.nsa.gov/snac/win2k/index.html (look for the guide on IIS, > but IIS hardening is worthless unless the base OS is hardened as well) > http://www.microsoft.com/technet/treeview/default.asp?url=/tec > hnet/secur > ity/prodtech/windows/windows2000/staysecure/default.asp (get the > templates!) > http://www.sans.org (their guides are not free, but are quite > worth the > money) > > I'd also look at various places like @Stake, Church of the Swimming > Elephant (COTSE), NTBugTraq for some EXCELLENT information from folks > that do this daily. > > Now, that the documents are cleared up, let's discuss IIS -> AD > authentication across the DMZ. > > First - your IIS servers should be on the outside. At the very least, > they should be in a hard DMZ (behind a bastion or the first firewall, > but in front of a soft DMZ) This is an untrusted zone. It's > considered > untrusted because the Internet data is not 'clean' or secure. Putting > things out here is, in effect, putting systems that must be > accessed by > the public in harm's way. There really is no other way. We need to > allow users to access them - but we can't lock them down as > much as we'd > like. > > The separation that is intrinsic with trusted and untrusted (your IIS > Server in the hard DMZ is in the Internet zone) allows for the IIS > server to access data in the untrusted DMZ. In no way should the IIS > server in the Internet zone be allowed to access anything in > the trusted > zone. What this means is that it is not really considered a 'safe > practice' to allow IIS (or, any system directly) to authenticate to > internal DCs. This is the reason for RADIUS - the authentication > request comes from a trusted third party system (at least as > far as your > network is concerned - the RADIUS server is still on your network, but > the number of ports open and the compromise risk are both low). > > Microsoft authentication requires a slew of ports to be open. Steve > Riley of Microsoft has a good article: > http://www.microsoft.com/SERVICEPROVIDERS/columns/config_ipsec > _p63623.as > p > on how to do replication and authentication over and across firewalls, > but it is still considered a risky practice. It is typically not > considered a 'good thing' to allow outside entities or > untrusted systems > to access trusted systems. In this case, the IIS server is untrusted > because it is designed for direct access by outside entities that you > have no control over. In many ways, you EXPECT it to be compromised - > hence you cannot trust it. On the other hand, you need to be able to > trust that a DC is not compromised and that it is who it says > it is and > that the network is secure. This would be a trusted system - > you trust > the data, the authentication, the server. > > The only way that I would do any type of authentication > across a DMZ is > to have a forest or an AD authentication mechanism (an AD > proxy, if you > will)in the DMZ (not trusted) with IPSec channels to a > trusted DC or set > of DCs that would actually validate the request. > > Right now, it's a bit messy. But, be looking for a couple of things > from MS and third parties (Aelita, Cisco) to pony up, too. I > know that > Cisco has ACS, but I'm not quite as up on that as I should be > to know if > it would help in this scenario. > > Hope this helps.... Any questions, please ask! > > Rick Kingslan MCSE, MCSA, MCT > Microsoft MVP - Active Directory > Associate Expert > Expert Zone - www.microsoft.com/windowsxp/expertzone > > > > > > > -----Original Message----- > From: [EMAIL PROTECTED] > [mailto:ActiveDir-owner@;mail.activedir.org] On Behalf Of Garello, > Kenneth > Sent: Tuesday, November 05, 2002 9:22 AM > To: '[EMAIL PROTECTED]' > Subject: RE: [ActiveDir] IIS behind firewall > > > Can you point to specific documents that you consider helpful? I'm > especially interested in the last sentence (trusted to untrusted zones > and AD). How can I provide IIS -> AD authentication across > the DMZ and > feel that I have followed best security practices for that situation. > > Any info pointers would be appreciated. > > Ken > > -----Original Message----- > From: Rick Kingslan [mailto:rkingsla@;cox.net] > Sent: Tuesday, November 05, 2002 9:28 AM > To: [EMAIL PROTECTED] > Subject: RE: [ActiveDir] IIS behind firewall > > By implementing one or more firewalls with either a screened > subnet from > one firewall or a DMZ implemented between two firewalls using stateful > inspection, packet filtering and web/server publishing. Anything less > is asking for a major intrusion and compromise. NAT is not even close > to 'good enough' in this type of scenario. > > Also - the IIS server(s) MUST be on the screened subnet or the DMZ - > never on the internal networkif they are going to be accessed by > untrusted systems. It would also be highly suggested to review > Microsoft/SANS/NSA guidelines for secure operations in this type of > environment. All three put out substantial and important documents > detailing the lockdown procedures for Windows systems and secure > communications from trusted to untrusted zones. > Rick Kingslan MCSE, MCSA, MCT > Microsoft MVP - Active Directory > Associate Expert > Expert Zone - www.microsoft.com/windowsxp/expertzone > > > > -----Original Message----- > From: [EMAIL PROTECTED] > [mailto:ActiveDir-owner@;mail.activedir.org] On Behalf Of Mr Teo > Sent: Tuesday, November 05, 2002 3:26 AM > To: [EMAIL PROTECTED] > Subject: Re: [ActiveDir] IIS behind firewall > Hi all > i am setting up a network under active directory. then my company is > using > class c private adress. however the company also have a nat whoch hide > the > network from the public. so how do i allow for e.g. all my staffs to > host > their IIS by using the firewall? > __________________________________________________ > Do you Yahoo!? > HotJobs - Search new jobs daily now > http://hotjobs.yahoo.com/ > > > > > > > > > List info : http://www.activedir.org/mail_list.htm > List FAQ : http://www.activedir.org/list_faq.htm > List archive: > http://www.mail-archive.com/activedir%> 40mail.activedir.org/ > > List info : > http://www.activedir.org/mail_list.htm > List FAQ : http://www.activedir.org/list_faq.htm > List archive: > http://www.mail-archive.com/activedir%> 40mail.activedir.org/ > List info : http://www.activedir.org/mail_list.htm List FAQ : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
