Well, the problem is that our network may be integrated with another network. The other network has Active Directory and we do not. We have other methods in place of managing the servers as needed. They use Active Directory for whatever reasons that they do previous to our relationship with each other. Now, I fear that the higher ups will want to use their network model and integrate our existing servers into their AD Structure.
The relationship between the two networks is because of a company acquisition. I am part of that company that does not have the say so in how things are handled ( I was part of the acquired company).
This is why I was hoping to find a strong clear to the point article as to why AD should not be used on bastion hosts. I feel that if I can make a strong enough argument with supporting documentation, I can at least convince the higher ups to at least leave good enough alone and maybe consider our method of managing the servers.
The systems in which we may be integrated with, currently has over 1000 servers. Our network has around 250 servers.
With response to what Roger mentioned, I do not know completely if their internal domain is separate or integrated with the bastion hosts. My opinion to that however, would still remain the same. If the domain, separated or integrated with the internal domain, were to be compromised I believe that all servers within that domain are at risk.
-----Original Message-----
I agree with Roger on that. Active Directory *can* be used, hardened etc. (see the nsa docs for hardening guides as well as the Microsoft stuff on the subject). But why? Why do you need the overhead of Active Directory as a bastion host? Answer that question and you can decide if it fits. Couple that with the questions at the bottom of Roger's email and you can see a decision pattern.
My preference is to not use it in that environment unless I need something from it I can't get elsewhere. I can get the directory service in ADAM but there are other pieces of Active Directory I may also need for some applications.
Al
From: Roger Seielstad
[mailto:[EMAIL PROTECTED] Its quite possible to use AD on bastion and DMZ hosts. It just shouldn't be the same forest as your production internal systems. It strikes me that using the Federated Forests concepts in ADv2 (ie Win2k3) you can deploy a bastion AD that trusts your internal forest using a one way cross forest trust. There still is an inherent security risk there, but its then hacking two forests instead of one.
I really, REALLY don't think this is worth it unless there are sufficient numbers of systems for which a unified authentication domain makes sense. For instance, if you ran a 50 server webfarm, it might make sense, but for 2-3 boxes, local accounts tend to make more sense.
If what the bastion hosts need to access in AD is a set of attributes (via LDAP), it makes more sense to turn up an instance of ADAM and use MIIS to one way replicate data to it, at which point you're only exposing exactly the data that's required.
Can you describe the goal/business need that's trying to be addressed here?
Roger --------------------------------------------------------------
|
- RE: [ActiveDir] Active Directory and Bastion Hosts Roger Seielstad
- RE: [ActiveDir] Active Directory and Bastion Hosts Mulnick, Al
- RE: [ActiveDir] Active Directory and Bastion Hosts Roger Seielstad
- RE: [ActiveDir] Active Directory and Bastion Hosts Mulnick, Al
- RE: [ActiveDir] Active Directory and Bastion Hosts Drew Gainor
- RE: [ActiveDir] Active Directory and Bastion Hosts Rich Milburn
- RE: [ActiveDir] Active Directory and Bastion Hosts Mulnick, Al