Documents of interest: http://www.nsa.gov/snac/win2k/index.html (look for the guide on IIS, but IIS hardening is worthless unless the base OS is hardened as well) http://www.microsoft.com/technet/treeview/default.asp?url=/technet/secur ity/prodtech/windows/windows2000/staysecure/default.asp (get the templates!) http://www.sans.org (their guides are not free, but are quite worth the money)
I'd also look at various places like @Stake, Church of the Swimming Elephant (COTSE), NTBugTraq for some EXCELLENT information from folks that do this daily. Now, that the documents are cleared up, let's discuss IIS -> AD authentication across the DMZ. First - your IIS servers should be on the outside. At the very least, they should be in a hard DMZ (behind a bastion or the first firewall, but in front of a soft DMZ) This is an untrusted zone. It's considered untrusted because the Internet data is not 'clean' or secure. Putting things out here is, in effect, putting systems that must be accessed by the public in harm's way. There really is no other way. We need to allow users to access them - but we can't lock them down as much as we'd like. The separation that is intrinsic with trusted and untrusted (your IIS Server in the hard DMZ is in the Internet zone) allows for the IIS server to access data in the untrusted DMZ. In no way should the IIS server in the Internet zone be allowed to access anything in the trusted zone. What this means is that it is not really considered a 'safe practice' to allow IIS (or, any system directly) to authenticate to internal DCs. This is the reason for RADIUS - the authentication request comes from a trusted third party system (at least as far as your network is concerned - the RADIUS server is still on your network, but the number of ports open and the compromise risk are both low). Microsoft authentication requires a slew of ports to be open. Steve Riley of Microsoft has a good article: http://www.microsoft.com/SERVICEPROVIDERS/columns/config_ipsec_p63623.as p on how to do replication and authentication over and across firewalls, but it is still considered a risky practice. It is typically not considered a 'good thing' to allow outside entities or untrusted systems to access trusted systems. In this case, the IIS server is untrusted because it is designed for direct access by outside entities that you have no control over. In many ways, you EXPECT it to be compromised - hence you cannot trust it. On the other hand, you need to be able to trust that a DC is not compromised and that it is who it says it is and that the network is secure. This would be a trusted system - you trust the data, the authentication, the server. The only way that I would do any type of authentication across a DMZ is to have a forest or an AD authentication mechanism (an AD proxy, if you will)in the DMZ (not trusted) with IPSec channels to a trusted DC or set of DCs that would actually validate the request. Right now, it's a bit messy. But, be looking for a couple of things from MS and third parties (Aelita, Cisco) to pony up, too. I know that Cisco has ACS, but I'm not quite as up on that as I should be to know if it would help in this scenario. Hope this helps.... Any questions, please ask! Rick Kingslan MCSE, MCSA, MCT Microsoft MVP - Active Directory Associate Expert Expert Zone - www.microsoft.com/windowsxp/expertzone -----Original Message----- From: [EMAIL PROTECTED] [mailto:ActiveDir-owner@;mail.activedir.org] On Behalf Of Garello, Kenneth Sent: Tuesday, November 05, 2002 9:22 AM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] IIS behind firewall Can you point to specific documents that you consider helpful? I'm especially interested in the last sentence (trusted to untrusted zones and AD). How can I provide IIS -> AD authentication across the DMZ and feel that I have followed best security practices for that situation. Any info pointers would be appreciated. Ken -----Original Message----- From: Rick Kingslan [mailto:rkingsla@;cox.net] Sent: Tuesday, November 05, 2002 9:28 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] IIS behind firewall By implementing one or more firewalls with either a screened subnet from one firewall or a DMZ implemented between two firewalls using stateful inspection, packet filtering and web/server publishing. Anything less is asking for a major intrusion and compromise. NAT is not even close to 'good enough' in this type of scenario. Also - the IIS server(s) MUST be on the screened subnet or the DMZ - never on the internal networkif they are going to be accessed by untrusted systems. It would also be highly suggested to review Microsoft/SANS/NSA guidelines for secure operations in this type of environment. All three put out substantial and important documents detailing the lockdown procedures for Windows systems and secure communications from trusted to untrusted zones. Rick Kingslan MCSE, MCSA, MCT Microsoft MVP - Active Directory Associate Expert Expert Zone - www.microsoft.com/windowsxp/expertzone -----Original Message----- From: [EMAIL PROTECTED] [mailto:ActiveDir-owner@;mail.activedir.org] On Behalf Of Mr Teo Sent: Tuesday, November 05, 2002 3:26 AM To: [EMAIL PROTECTED] Subject: Re: [ActiveDir] IIS behind firewall Hi all i am setting up a network under active directory. then my company is using class c private adress. however the company also have a nat whoch hide the network from the public. so how do i allow for e.g. all my staffs to host their IIS by using the firewall? __________________________________________________ Do you Yahoo!? HotJobs - Search new jobs daily now http://hotjobs.yahoo.com/ List info : http://www.activedir.org/mail_list.htm List FAQ : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
