WebApp Sec mailing list archives
Re: AD in the DMZ
From: Non Proprio <non () synaxis org>
Date: Sun, 31 Oct 2004 16:06:55 -0600 (CST)
Wow, great minds think alike. My developers have the exact same thing in mind. I'm torn between getting 'business done" and demanding a better form of identity management. The problem is that there's not time to really implement a full solution, so what I'm faced with is having to get customers connected in a world of Microsoft AD. Since the development team has bitten into Microsoft hook, line and sinker we're faced with a real business issue. What about Microsoft's "identity management" application? Has anyone fiddled with this in reference to web apps? On Oct 28, 2004 04:26 PM, Jeffrey Gorton <jpgorton () swbell net> wrote:
I am aware of an internet-facing web application that is running on Microsoft SharePoint and using an Active Directory forest (that resides in a separate firewalled network segment) for user authentication. There is also a one-way trust relationship with the AD forest on the internal network (the DMZ AD trusts the internal AD) so that internal users can access DMZ resources. There is a firewall between the two AD forests, but the LDAP and necessary Windows ports are open. An Internet user authenticates with a DMZ AD account. An internal user authenticates into the internal AD and then accesses DMZ resources (the DMZ AD contacts the internal AD for authentication). It seems to me that, if the SharePoint server is compromised, the attacker will be able to enumerate users on the internal AD. Is this so? What are the problems with this design? Thanks.
Current thread:
- AD in the DMZ Jeffrey Gorton (Oct 29)
- Re: AD in the DMZ Non Proprio (Nov 01)
- <Possible follow-ups>
- RE: AD in the DMZ Harper.Matthew (Nov 05)
- RE: AD in the DMZ David Mowers (Nov 05)
- RE: AD in the DMZ Jeffrey Gorton (Nov 05)