We had to do something like this for one of our products that's hosted 
externally. I created a VM just for this, and made it an RODC. I just somehow 
felt a little better doing that vs. a regular DC, although maybe that's a false 
sense of security. And of course, ACLs restricting access solely to the IP 
address(es) of the externally-hosted product.



John Hornbuckle, MSMIS, PMP
MIS Department
Taylor County School District
www.taylor.k12.fl.us



From: pdw1...@hotmail.com [mailto:pdw1...@hotmail.com]
Sent: Thursday, September 22, 2011 1:58 PM
To: NT System Admin Issues
Subject: LDAP\DC with a public IP

We are getting a new product to report variances. It is web-based but using 
LDAP to authenticate users. The way it works is that a person can log a 
variance anonymously, but then directors can use their AD credentials to log in 
and report their findings.
My issue is that they want my two LDAP servers (which are my DCs) to have a 
public IP address. Even with ACL and security, I am very uncomfortable with 
having my DCs be "visible" on the 'net. From past experience of scanning my 
firewall logs, I know that a lot of times, hackers (or script kiddies) just use 
a range of public IPs to scan for vulnerabilities.
Am I being unduly alarmist in my concern? Do other organizations attach a 
public IP to their LDAP servers?
Thanks for any opinions you can give me. I have no problem going back to the 
people involved and saying 'I was wrong.' OTOH, I also have no problem 
telling them no way, you need to come up with a workaround.
~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to 
listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin
