Should I enable domain authentication in my DMZ

  • Traditionally at my place of work we have an internal subnet that is completely protected behind our firewall. No ports are allowed to be opened to direct connections from the public network. We also run a DMZ where we only allow specific ports to be opened as they are needed. In addition, we don't allow connections to the internal network to be opened from the DMZ, but the internal network can open connections to the DMZ. I would hazard that this is a pretty traditional DMZ-style configuration.

    We also host our domain controllers in our internal network. Up to this point, the implication of this has been that we need to manage DMZ passwords separately since there is no AD authentication. This hasn't been a big deal since we have only had a handful of DMZ servers.

    Now we are about to launch a product that will require significantly more DMZ servers, and during the last phase of our testing we have already had issues with password management on the DMZ systems. The solution would seem to be to punch the hole from the DMZ to the internal network to allow for DMZ servers to be joined to the domain.

    For me this raises 2 questions:

    1. Is this even a good idea?
    2. Assuming that it is not a terrible idea, is it better to allow specific routes for each server to get back to the domain controllers, to allow the entire subnet to get back, or to deploy a DC in the DMZ and only allow that server to get back through?

    I'm hoping that someone out there has some thoughts.

  • halfbit (Correct answer)

    7 years ago

    Use the "Selective Authentication" feature with a Master and Resource forest

    The best idea, in my opinion, is to configure a separate forest in the DMZ and consider it a resource forest. That is, there are no user accounts in that forest (except for the default users).

    Then use a feature called Selective Authentication to allow only a pre-determined set of users to authenticate to that resource forest. This will limit the exposure of your internal AD forest, yet allow for centralized administration of the accounts.

    Generally speaking, the financial cost of deploying a second forest (OS licenses, redundancy, backup and DR considerations, patch maintenance, etc.) would be better spent on adding multi-factor authentication to your primary account forest, or to a subset of those users.

    This is very close to what we ended up doing.
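The resource-forest design described in the answer above, as an added PowerShell example that is not part of the original answer or the question: it creates a one-way forest trust in which the DMZ forest trusts the internal account forest, switches that trust to Selective Authentication, and then grants one internal group the "Allowed to Authenticate" right on one DMZ server's computer object. The forest names, OU path, server name, group name and credential prompt are assumptions; the extended-right GUID for Allowed-To-Authenticate is the standard schema value.

```powershell
# Added example (not from the original answer). Assumed names:
#   dmz.example.net  = the DMZ resource forest (holds servers, no user accounts)
#   corp.example.net = the internal account forest (holds the users)
# Run on a domain controller of the DMZ forest (the *trusting* side) as an
# Enterprise Admin of the DMZ forest. $CorpCred is an account in the internal
# forest that is allowed to create the other half of the trust.

$DmzForest  = 'dmz.example.net'
$CorpForest = 'corp.example.net'
$CorpCred   = Get-Credential -Message "Enterprise Admin in $CorpForest"
$CorpUser   = $CorpCred.UserName
$CorpPass   = $CorpCred.GetNetworkCredential().Password

# 1. One-way, forest-wide (transitive) trust: DMZ trusts CORP, never the reverse.
#    Prerequisites: DNS resolution of each forest from the other (conditional
#    forwarders) and the AD ports open from the DMZ DCs to the internal DCs.
netdom trust $DmzForest /Domain:$CorpForest /Add /ForestTRANsitive:Yes `
    "/UserD:$CorpUser" "/PasswordD:$CorpPass"

# 2. Switch the trust to Selective Authentication. Internal users now get no
#    implicit "Authenticated Users" access anywhere in the DMZ forest; each
#    computer object has to grant them "Allowed to Authenticate" explicitly.
netdom trust $DmzForest /Domain:$CorpForest /SelectiveAUTH:Yes

# 3. Check the result from the DMZ side: expect Direction = Outbound,
#    ForestTransitive = True, SelectiveAuthentication = True.
Import-Module ActiveDirectory
Get-ADTrust -Identity $CorpForest |
    Select-Object Name, Direction, ForestTransitive, SelectiveAuthentication

# 4. Grant one internal group the right to authenticate to one DMZ server.
#    Allowed-To-Authenticate is an extended right identified by this GUID.
$AllowedToAuthenticate = [Guid]'68b1d179-0d15-4d4f-ab71-46152e79a7bc'
$ServerDN  = 'CN=DMZWEB01,OU=Servers,DC=dmz,DC=example,DC=net'   # assumed server
$CorpGroup = Get-ADGroup -Identity 'DMZ-Web-Admins' `             # assumed group
                -Server $CorpForest -Credential $CorpCred
$Sid       = [System.Security.Principal.SecurityIdentifier]$CorpGroup.SID

$Rights = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$Allow  = [System.Security.AccessControl.AccessControlType]::Allow
$Rule   = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule `
              -ArgumentList $Sid, $Rights, $Allow, $AllowedToAuthenticate

$Acl = Get-Acl -Path "AD:\$ServerDN"
$Acl.AddAccessRule($Rule)
Set-Acl -Path "AD:\$ServerDN" -AclObject $Acl

# 5. Verify: list every principal that may authenticate to this server.
(Get-Acl -Path "AD:\$ServerDN").Access |
    Where-Object { $_.ObjectType -eq $AllowedToAuthenticate } |
    Select-Object IdentityReference, AccessControlType
```

Step 4 is the part that answers the "handful of servers vs. many servers" concern in the question: with many DMZ hosts, set the access rule once on the OU that holds their computer objects (an inherited rule scoped to computer objects) instead of on each server, so a newly built DMZ server inherits the grant when it is joined. Steps 1 and 2 only require that the DMZ domain controllers, not every DMZ server, can reach the internal DCs, which keeps the firewall opening to the DC-to-DC traffic (DNS, Kerberos, LDAP, SMB and RPC) rather than to the whole DMZ subnet.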

Licensed under CC BY-SA with attribution

Content dated before 7/24/2021 11:53 AM