Yeah, I would say that your last paragraph hits this on the head. I hear "resistance to change" and "possible loss of job" as the reasons for concern.
 
The guys have all given great advice here. Don't extend your production forest into an unsecured zone. Either use some other forest or possibly use AD/AM if you are just in need of having certain data available. If it is an authentication thing in the unsecured zone, use the separate forest or the new auth stuff (AzMan I believe...) with AD/AM. If you already have the in-house knowledge you could use MIT/Heimdal Kerberos out in the unsecured zone as well, but that isn't any more secure than using AD out there in a separate forest, less secure if the people don't know how to run it properly; certainly more overhead in administration.
 
I am not even one who believes in trusts between the environments, don't want the holes needed for it. Keep the systems separate. That way there is never under any circumstances from anyone at any technical level a concern of "could this possibly happen"; they are just simply separate and distinct entities. Should probably be separate groups running them as well unless the number of servers total (internally and externally) doesn't justify the head count. Why, you ask? Because exposed servers have a completely different support/security model than internal servers; different goals for the systems. Different things are going to break and be sore spots. Both environments are important enough to have people who are intimately familiar with them and their configuration and weak points. Difficult to do that for both sides of the fence if there is any real number of servers involved.
 
  joe


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
Sent: Friday, April 23, 2004 2:06 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Active Directory and Bastion Hosts

Ahh yes. The wonderful MAD (merger/acquisition/divestiture) scenario... To think, that little bundle of joy got me nicknamed Iron Chef - Migration by a former boss.
 
So, as I understand it, they have bastion hosts that are part of their internal forest. I'd call that risky at best. If they were a separate forest, that's another issue altogether - and really as safe as can be reasonably expected.
 
Having been through my fair share of acquisitions (on both sides, btw), I can tell you with almost complete certainty that going down the integration road is generally well worth it, unless you're expected to be completely separate entities.
 
For what it's worth, being on the acquired rather than the acquiring side does NOT mean you don't have a say in how things are done. In general, being rational and knowing what you're talking about will generally be well received, and you'll find you might get farther than you think. FWIW, my first acquisition (my company was acquired by another), our team (the one being acquired) ran the domain redesign and the integration process. We then ran the next 10-12 acquisitions as well.
 
I'm still not really clear on what the issue is - not to be offensive, but at this point it's coming across as just being resistant to change rather than seeing a real issue that needs to be addressed. That's completely understandable - I've been there myself, more than once.
 
Roger
--------------------------------------------------------------
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.
 


From: Edwin [mailto:[EMAIL PROTECTED]
Sent: Friday, April 23, 2004 1:21 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Active Directory and Bastion Hosts

Well, the problem is that our network may be integrated with another network.  The other network has Active Directory and we do not.  We have other methods in place of managing the servers as needed.  They use Active Directory for whatever reasons that they do previous to our relationship with each other.  Now, I fear that the higher ups will want to use their network model and integrate our existing servers into their AD Structure.

 

The relationship between the two networks is because of a company acquisition.  I am part of that company that does not have the say so in how things are handled ( I was part of the acquired company).

 

This is why I was hoping to find a strong, clear, to-the-point article as to why AD should not be used on bastion hosts.  I feel that if I can make a strong enough argument with supporting documentation, I can at least convince the higher ups to leave well enough alone and maybe consider our method of managing the servers.

 

The systems with which we may be integrated currently have over 1000 servers.  Our network has around 250 servers.

 

With response to what Roger mentioned, I do not know completely if their internal domain is separate or integrated with the bastion hosts.  My opinion to that however, would still remain the same.  If the domain, separated or integrated with the internal domain, were to be compromised I believe that all servers within that domain are at risk.

 

 

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Friday, April 23, 2004 12:45 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Active Directory and Bastion Hosts

 

I agree with Roger on that.  Active Directory *can* be used, hardened etc. (see the NSA docs for hardening guides as well as the Microsoft stuff on the subject). But why? Why do you need the overhead of Active Directory as a bastion host?  Answer that question and you can decide if it fits.  Couple that with the questions at the bottom of Roger's email and you can see a decision pattern.

 

 

My preference is to not use it in that environment unless I need something from it I can't get elsewhere.  I can get the directory service in ADAM but there are other pieces of Active Directory I may also need for some applications.

 

Al

 


From: Roger Seielstad [mailto:[EMAIL PROTECTED]
Sent: Friday, April 23, 2004 12:22 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Active Directory and Bastion Hosts

It's quite possible to use AD on bastion and DMZ hosts. It just shouldn't be the same forest as your production internal systems. It strikes me that using the Federated Forests concepts in ADv2 (i.e. Win2k3) you can deploy a bastion AD that trusts your internal forest using a one-way cross-forest trust. There still is an inherent security risk there, but it's then hacking two forests instead of one.

 

I really, REALLY don't think this is worth it unless there are sufficient numbers of systems for which a unified authentication domain makes sense. For instance, if you ran a 50 server webfarm, it might make sense, but for 2-3 boxes, local accounts tend to make more sense.

 

If what the bastion hosts need to access in AD is a set of attributes (via LDAP), it makes more sense to turn up an instance of ADAM and use MIIS to one way replicate data to it, at which point you're only exposing exactly the data that's required.

 

Can you describe the goal/business need that's trying to be addressed here?

 

Roger

--------------------------------------------------------------
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.
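The design joe and Roger both describe above (a separate bastion forest that, at most, trusts the internal forest one way, never the reverse) can be audited rather than assumed. The following is an added example, not code from the thread or from Microsoft: a PowerShell check run from the internal (production) forest that lists every trust object and flags any trust in which the internal forest trusts an outside forest. It assumes the ActiveDirectory PowerShell module (Get-ADTrust, Windows Server 2008 R2 or later, so newer than the Win2k3 era of the thread), read access to the trust objects, and a placeholder bastion forest name dmz.example. The direction interpretation follows the documented meaning of the trustDirection attribute: Inbound means the remote forest trusts us (our accounts can be used there), Outbound means we trust the remote forest (their accounts can be used here).

```powershell
# Added example (not from the list thread): audit forest trusts from the
# internal forest's side. Assumes the ActiveDirectory module (Get-ADTrust).
Import-Module ActiveDirectory

# Placeholder name for the separate DMZ/bastion forest.
$BastionForest = 'dmz.example'

function Get-TrustFinding {
    param([Microsoft.ActiveDirectory.Management.ADTrust]$Trust)

    # Direction is reported from the local (internal) forest's point of view.
    $verdict = switch ($Trust.Direction) {
        'Inbound'       { 'OK   : remote forest trusts us only; nothing from it is trusted here' }
        'Outbound'      { 'RISK : we trust the remote forest; a compromise there reaches internal resources' }
        'Bidirectional' { 'RISK : two-way trust; reduce to one-way (remote trusts us) or remove' }
        default         { "WARN : unexpected direction '$($Trust.Direction)'" }
    }

    # Any trust at all to the bastion forest deserves a second look, even a
    # one-way one (joe's position in the thread is to have none).
    if ($Trust.Target -ieq $BastionForest -or $Trust.Name -ieq $BastionForest) {
        $verdict += ' [trust involves the bastion forest]'
    }

    [PSCustomObject]@{
        Trust                   = $Trust.Name
        Target                  = $Trust.Target
        Direction               = $Trust.Direction
        ForestTransitive        = $Trust.ForestTransitive
        SelectiveAuthentication = $Trust.SelectiveAuthentication
        SIDFilteringQuarantined = $Trust.SIDFilteringQuarantined
        Verdict                 = $verdict
    }
}

# Enumerate all trusts visible from this forest and evaluate each one.
$report = Get-ADTrust -Filter * -Properties Direction, ForestTransitive,
    SelectiveAuthentication, SIDFilteringQuarantined, Target |
    ForEach-Object { Get-TrustFinding -Trust $_ }

$report | Format-Table -AutoSize

# Non-zero exit if anything risky was found, so the check can run from a scheduled task.
if ($report | Where-Object { $_.Verdict -like 'RISK*' }) { exit 1 } else { exit 0 }
```

Two caveats when reading the output. First, a trust object describes only this forest's side; run the same script inside the bastion forest, where the expected direction for Roger's design is Outbound (the DMZ forest trusts the internal one) and anything Inbound or Bidirectional is the finding. Second, an Inbound trust being "OK" here only means no DMZ principal is trusted by the internal forest; it says nothing about whether internal accounts used on bastion hosts are themselves low-privilege, which is the exposure Edwin raises and which a trust audit cannot see.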

 

 


From: Edwin [mailto:[EMAIL PROTECTED]
Sent: Friday, April 23, 2004 11:17 AM
To: Active Directory List
Subject: [ActiveDir] Active Directory and Bastion Hosts

Active Directory is a great tool for managing systems, I am sure that we can all agree.  However a topic of discussion has come up raising the question, should AD be used on Bastion Hosts?

 

My opinion is no, it should not.  AD is perfect for a secured internal network environment but not for servers that are constantly being accessed by the anonymous user.  Aside from the anonymous user, you have those users that have configured web sites on the server that have a "foot in the door" towards direct access to the machine.

 

With AD, in my opinion, if one machine were to be compromised or some other vulnerability discovered, the potential for all machines connected to the domain to be affected is much greater.  In a network without AD, the compromise of one machine will generally suggest an isolated machine because it is not connected to other machines by some means of a trusted connection.

 

One DLL installed that was not properly reviewed before install, a security update that was overlooked or not known about, or any other compromise to the machine could potentially affect the entire domain.

 

The above reflects my general opinion about the matter.  My problem is that I do not seem to find any supporting documents that would support my opinion.  Would anyone share the same thoughts and know of any documents, preferably from Microsoft, regarding the use of Active Directory in a bastion host environment?

 

Thank you all for your responses in advance.
