Honestly, I wouldn't recommend per se that you extend your AD into an "untrust" area of your network, which is exactly what a DMZ is in most cases.

I think it goes a little deeper than just firewall ports when you look at the risk that the organization/business is taking, and it should be looked at as a whole, instead of an admin requesting and firewall engineers denying (but those are their rules and procedures; who are we to say it's correct or incorrect, especially when they are taking the risks). If you are going to put a server in a DMZ, I would recommend it's very hardened, that there are firewall rules for both inbound and outbound traffic to and from the server that are scrutinized very closely, along with any other compensating controls. Other ideas to protect the communications are IPsec for communications to internal systems; again, what you are doing is extending your trusted perimeter into areas that are very "untrusted", so tread lightly. What works for one company's risk posture will not meet the mustard for another's.

Sincerely,
EZ

PS: Beware the new IRS fraud emails coming around, since it's tax season.

Edward E. Ziots
CISSP, Network+, Security+
Network Engineer
Lifespan Organization
Email: [email protected]
Cell: 401-639-3505

-----Original Message-----
From: Ken Schaefer [mailto:[email protected]]
Sent: Thursday, January 06, 2011 8:43 PM
To: NT System Admin Issues
Subject: RE: AD and firewall ports

I take back the "you don't know what you're talking about" bit - that was harsher than I intended. It was a bit of a gut reaction to "fire the admin".

-----Original Message-----
From: Ken Schaefer [mailto:[email protected]]
Sent: Friday, 7 January 2011 12:32 PM
To: NT System Admin Issues
Subject: RE: AD and firewall ports

As with anything in security - there are no hard and fast rules - everything is just risk mitigation.

Lots of people put member servers in the DMZ. Lots of people have two (or more) DMZs. An internal DMZ could be for devices (like proxy servers, DNS servers) that cater only for outbound communications. The external DMZ handles incoming requests.

Other people create a separate Forest for their DMZ - and their servers are members of that Forest. Etc.

Frankly, it sounds like you don't know what you're talking about.

Cheers
Ken

-----Original Message-----
From: Kurt Buff [mailto:[email protected]]
Sent: Friday, 7 January 2011 11:56 AM
To: NT System Admin Issues
Subject: Re: AD and firewall ports

Get a new admin.

Putting an AD member server in a DMZ is stupid. You will have broken the security model for your production environment by doing this.

Kurt

On Wed, Jan 5, 2011 at 16:53, joseph palmieri <[email protected]> wrote:
>
> Need assistance with firewall ports and Active Directory: our server admin
> submitted a change request to open over 1000 ports to support AD. The change
> was denied and resubmitted requesting a minimum of 100 ports to support RPC
> communications to a member server within our DMZ. Our firewall engineers
> stated that while monitoring the firewall only 20 ports were communicated over and
> 100 ports are not needed.
>
> Has anyone had experience with this issue and can provide some clarity… is
> the server admin looking for an easy way out by requesting all these ports?

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
---
To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/
or send an email to [email protected] with the body: unsubscribe ntsysadmin
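The port question the thread argues over (1000 vs. 100 vs. the 20 observed) comes from the RPC dynamic range, and the usual way to make an AD member server in a DMZ firewall-friendly is to pin the AD RPC endpoints and narrow that range so the change request can name a short fixed list. The script below is an added example (PowerShell, not code from anyone in the thread); it assumes Windows Server 2008 R2 or later domain controllers, and the DMZ address and port numbers are placeholders.

```powershell
# Added example, not from the thread: pin the RPC endpoints Active Directory
# uses so a DMZ member server needs a short, fixed port list through the
# perimeter firewall instead of the whole dynamic range. Run elevated on each
# domain controller the DMZ host will talk to; a reboot applies the registry
# changes. Port numbers and the DMZ address are constructed placeholders.

$DmzHost      = '192.0.2.10'   # placeholder: DMZ member server address
$NtdsPort     = 38901          # placeholder: fixed AD DS (NTDS) RPC port
$NetlogonPort = 38902          # placeholder: fixed Netlogon RPC port
$DynStart     = 50000          # placeholder: start of narrowed dynamic range
$DynCount     = 1000           # placeholder: size of narrowed dynamic range
$DynEnd       = $DynStart + $DynCount - 1

# 1. Pin AD DS and Netlogon RPC to fixed ports (documented NTDS 'TCP/IP Port'
#    and Netlogon 'DCTcpipPort' REG_DWORD values).
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' `
    -Name 'TCP/IP Port' -PropertyType DWord -Value $NtdsPort -Force | Out-Null
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters' `
    -Name 'DCTcpipPort' -PropertyType DWord -Value $NetlogonPort -Force | Out-Null

# 2. Narrow the dynamic RPC range used by every other RPC service (DFSR, WMI,
#    and so on) so the remaining firewall rule covers a small known block.
netsh int ipv4 set dynamicport tcp "start=$DynStart" "num=$DynCount"

# 3. Host firewall on the DC: accept the well-known AD ports, the two pinned
#    ports and the narrowed block only from the DMZ host. Mirror these same
#    numbers in the perimeter firewall request.
$TcpFixed = '53,88,135,389,445,464,636,3268,3269'
$UdpFixed = '53,88,123,389,464'
netsh advfirewall firewall add rule name="AD from DMZ (TCP fixed)" dir=in `
    action=allow protocol=TCP "localport=$TcpFixed" "remoteip=$DmzHost"
netsh advfirewall firewall add rule name="AD from DMZ (UDP fixed)" dir=in `
    action=allow protocol=UDP "localport=$UdpFixed" "remoteip=$DmzHost"
netsh advfirewall firewall add rule name="AD from DMZ (RPC pinned)" dir=in `
    action=allow protocol=TCP "localport=$NtdsPort,$NetlogonPort" "remoteip=$DmzHost"
netsh advfirewall firewall add rule name="AD from DMZ (RPC dynamic)" dir=in `
    action=allow protocol=TCP "localport=$DynStart-$DynEnd" "remoteip=$DmzHost"

# 4. After the reboot, confirm the listeners match the request: the pinned
#    ports should appear and no AD listener should sit outside the block.
netstat -ano -p tcp | Select-String 'LISTENING'
```

Port 135 (the RPC endpoint mapper) and the narrowed dynamic block remain necessary for RPC services that are not pinned, so the list handed to the firewall team is the fixed ports, the two pinned ports and that block, scoped to the single DMZ host.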
