Well, the problem is that our network may be integrated with another network. The other network has Active Directory and we do not. We have other methods in place for managing the servers as needed. They use Active Directory for whatever reasons they did prior to our relationship with each other. Now, I fear that the higher-ups will want to use their network model and integrate our existing servers into their AD structure.

The relationship between the two networks is because of a company acquisition. I am part of the company that does not have the say-so in how things are handled (I was part of the acquired company).

This is why I was hoping to find a strong, clear, to-the-point article as to why AD should not be used on bastion hosts. I feel that if I can make a strong enough argument with supporting documentation, I can at least convince the higher-ups to leave well enough alone and maybe consider our method of managing the servers.

The systems with which we may be integrated currently have over 1000 servers. Our network has around 250 servers.

In response to what Roger mentioned, I do not know completely whether their internal domain is separate from or integrated with the bastion hosts. My opinion on that, however, would still remain the same. If the domain, whether separate from or integrated with the internal domain, were to be compromised, I believe that all servers within that domain are at risk.
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Friday, April 23, 2004 12:45 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Active Directory and Bastion Hosts
I agree with Roger on that. Active Directory *can* be used, hardened, etc. (see the NSA docs for hardening guides as well as the Microsoft stuff on the subject). But why? Why do you need the overhead of Active Directory on a bastion host? Answer that question and you can decide if it fits. Couple that with the questions at the bottom of Roger's email and you can see a decision pattern.

My preference is to not use it in that environment unless I need something from it I can't get elsewhere. I can get the directory service in ADAM, but there are other pieces of Active Directory I may also need for some applications.

Al
From: Roger Seielstad [mailto:[EMAIL PROTECTED]
Sent: Friday, April 23, 2004 12:22 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Active Directory and Bastion Hosts
It's quite possible to use AD on bastion and DMZ hosts. It just shouldn't be the same forest as your production internal systems. It strikes me that using the Federated Forests concepts in ADv2 (i.e. Win2k3) you can deploy a bastion AD that trusts your internal forest using a one-way cross-forest trust. There is still an inherent security risk there, but it's then hacking two forests instead of one.

I really, REALLY don't think this is worth it unless there are sufficient numbers of systems for which a unified authentication domain makes sense. For instance, if you ran a 50-server web farm, it might make sense, but for 2-3 boxes, local accounts tend to make more sense.

If what the bastion hosts need to access in AD is a set of attributes (via LDAP), it makes more sense to turn up an instance of ADAM and use MIIS to one-way replicate data to it, at which point you're only exposing exactly the data that's required.

Can you describe the goal/business need that's trying to be addressed here?
--------------------------------------------------------------
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.
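Roger's model is a separate bastion forest with a single one-way cross-forest trust: the bastion forest trusts the internal forest, never the reverse, so an attacker who owns the bastion forest still has no accounts the internal forest will honour. The check below is an added example, not code from this thread or from Microsoft; it uses the later `Get-ADTrust` cmdlet (ActiveDirectory module, not available in the Win2k3 era of the thread) and the forest names `bastion.example` and `corp.example` are made up. Seen from a bastion DC, the one trust should be Outbound only; anything Inbound or BiDirectional, or any trust partner other than the internal forest, widens the exposure the thread is trying to avoid. The selective-authentication check goes one step beyond the thread: it is a standard hardening of forest trusts that limits which internal users can authenticate to bastion hosts at all.

```powershell
# Added example (not from the thread): audit the trusts of a bastion/DMZ forest.
# In Roger's model the bastion forest trusts the internal forest one way, so
# the trust as seen from a bastion DC is Outbound only. Inbound or BiDirectional
# means the internal forest accepts bastion-forest accounts.
# Forest names (bastion.example, corp.example) are assumptions for the example.

function Test-BastionTrusts {
    param(
        # Objects with Name, Direction, ForestTransitive and SelectiveAuthentication
        # (the shape Get-ADTrust returns). Passed in so the logic also runs offline.
        [Parameter(Mandatory)] [object[]] $Trusts,
        [Parameter(Mandatory)] [string]   $InternalForest
    )
    $findings = @()
    foreach ($t in $Trusts) {
        $direction = [string]$t.Direction
        if ($direction -in 'Inbound', 'BiDirectional') {
            $findings += "$($t.Name): direction $direction; bastion-forest accounts can authenticate into it"
        }
        if ($t.Name -eq $InternalForest -and -not $t.SelectiveAuthentication) {
            $findings += "$($t.Name): selective authentication off; every internal user may authenticate to bastion hosts"
        }
        if ($t.Name -ne $InternalForest) {
            $findings += "$($t.Name): unexpected trust partner for a bastion forest"
        }
    }
    return $findings
}

# Constructed sample: what a mis-built bastion forest might report.
$sample = @(
    [pscustomobject]@{ Name = 'corp.example';    Direction = 'BiDirectional'; ForestTransitive = $true; SelectiveAuthentication = $false }
    [pscustomobject]@{ Name = 'partner.example'; Direction = 'Outbound';      ForestTransitive = $true; SelectiveAuthentication = $true  }
)
Test-BastionTrusts -Trusts $sample -InternalForest 'corp.example'

# Live use on a domain controller of the bastion forest:
# Import-Module ActiveDirectory
# Test-BastionTrusts -Trusts (Get-ADTrust -Filter *) -InternalForest 'corp.example'
```

With the constructed sample the function returns three findings: the internal forest trust is two-way, selective authentication is off on it, and there is a second trust partner the bastion forest has no reason to have. A clean result from a bastion DC is exactly one Outbound trust, to the internal forest, with selective authentication on.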
From: Edwin [mailto:[EMAIL PROTECTED]
Sent: Friday, April 23, 2004 11:17 AM
To: Active Directory List
Subject: [ActiveDir] Active Directory and Bastion Hosts
Active Directory is a great tool for managing systems, I am sure that we can all agree. However, a topic of discussion has come up raising the question: should AD be used on bastion hosts?

My opinion is no, it should not. AD is perfect for a secured internal network environment but not for servers that are constantly being accessed by the anonymous user. Aside from the anonymous user, you have those users who have configured web sites on the server and have a "foot in the door" towards direct access to the machine.

With AD, in my opinion, if one machine were to be compromised or some other vulnerability discovered, the potential for all machines connected to the domain to be affected is much greater. In a network without AD, the compromise of one machine will generally mean an isolated machine, because it is not connected to other machines by some means of a trusted connection.

One DLL installed that was not properly reviewed before install, a security update that was overlooked or not known about, or any other compromise of the machine could potentially affect the entire domain.

The above reflects my general opinion about the matter. My problem is that I do not seem to find any documents that would support my opinion. Would anyone share the same thoughts and know of any documents, preferably from Microsoft, regarding the use of Active Directory in a bastion host environment?

Thank you all for your responses in advance.