How much security are you going to have to "drop" just to get the Trust to
even be established in the first place,...let alone what you do with it
afterwards? [a LOT] Then there is the NAT Relationship,...which pretty much
has to go away and be replaced by a Routed relationship to get solid two-way
communication,...which many Firewalls are not even able to do. MS ISA Server
can do it but most others cannot. Those that cannot do a Routed Relationship
must rely on Static NAT (aka Reverse NAT, or incorrectly called "port
forwarding") over who-knows how many ports to the Internal Domain
Controller.
Yes, the external Domain can enumerate the internal Domain's Accounts and
that is only the beginning,...it just gets worse from there. I'm really
surprised that this is the only thing the firewall guy has complained
about,...there's a whole list of things he hasn't even mentioned yet.
Put up with the "nightmare",...it is supposed to be a
"nightmare",...especially for the Hacker too,...that's the idea. It should
be *expected* to have to use completely different credentials to access the
external Domain. Do not give the accounts on the external Domain the same
passwords either,...someone hacks it,...now they have credentials that work
on *both* Domains.
I have no documentation to show you,...this is just too broad with too many
variables to have a single document or two to toss out there. Maybe someone
else may have something, but I don't. Here is one article that is somewhat
related, but isn't quite about the same thing:
Active Directory Replication over Firewalls
http://technet.microsoft.com/en-us/l.../bb727063.aspx
My favorite phrase from Steve in this article:
"Turns the firewall into 'Swiss cheese'"
--
Phillip Windell
www.wandtv.com
The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------
"John Liles" <> wrote in message
news:052F6AF1-4B08-4508-8448-...
> First off, apologies if this subject has been covered before, but I
> couldn't find what I was looking for in this forum.
>
> Our production AD is a single forest with three domains (root and two
> child domains). For various reasons, we've also established a couple of
> segregated AD domains (each a stand-alone) in our DMZ. Support personnel
> need access to these domains for backup and other management tasks, and
> administering the multiple user accounts and rights in these separate
> domains is getting to be a real nightmare.
>
> I want to establish one-way trusts with each of the DMZ domains so support
> people can use their credentials from the production domain to administer
> the DMZ domains. I'm getting resistance to this from our firewall guy, who
> says this may present a security risk; something about the DMZ domain
> being able to enumerate accounts in the prod domain.
>
> Can anyone point me to documentation or resources on the security pros and
> cons of the solution I'm proposing?
>
> Thanks in advance.
> --
> JL
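As an added example that is not from Phillip's reply or anyone else in this thread: a PowerShell audit of the trusts defined on the local domain, which flags the hardening settings that limit what the partner domain can do (SID filtering, selective authentication) and probes the well-known DC ports a trust needs reachable on the partner's DCs, so you can see how much "Swiss cheese" a given trust actually requires. The port list, the SRV lookup via Resolve-DnsName and the Test-NetConnection probing are my assumptions about a typical setup, not something the thread states.

```powershell
# Added example (not from the original thread): audit AD trusts on the local
# domain and probe the well-known DC ports toward each trust partner.
# Assumes the RSAT ActiveDirectory module and Test-NetConnection
# (Windows Server 2012 R2 / Windows 8.1 or later) are available.
Import-Module ActiveDirectory

# Ports a DC must reach on a trust partner's DCs for authentication and
# directory lookups (well-known AD requirements). The dynamic RPC range
# (assumed Server 2008+ default 49152-65535) is not probed port by port.
$AdPorts = [ordered]@{
    53   = 'DNS'
    88   = 'Kerberos'
    135  = 'RPC endpoint mapper'
    389  = 'LDAP'
    445  = 'SMB'
    464  = 'Kerberos password change'
    636  = 'LDAPS'
    3268 = 'Global Catalog'
    3269 = 'Global Catalog over SSL'
}

foreach ($trust in Get-ADTrust -Filter *) {
    Write-Host "`nTrust: $($trust.Source) -> $($trust.Target)  [$($trust.Direction), $($trust.TrustType)]"

    # Settings that limit what the partner domain's principals can reach here.
    if (-not $trust.SIDFilteringQuarantined) {
        Write-Warning "SID filtering (quarantine) is OFF for $($trust.Target)"
    }
    if (-not $trust.SelectiveAuthentication) {
        Write-Warning "Selective authentication is OFF for $($trust.Target); partner users authenticate domain-wide"
    }

    # Locate the partner's DCs through their DNS SRV records, then probe each port.
    $dcs = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$($trust.Target)" -Type SRV -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'SRV' } | Select-Object -ExpandProperty NameTarget -Unique
    if (-not $dcs) { Write-Warning "No DC SRV records resolved for $($trust.Target)"; continue }

    foreach ($dc in $dcs) {
        foreach ($port in $AdPorts.Keys) {
            $ok = (Test-NetConnection -ComputerName $dc -Port $port -WarningAction SilentlyContinue).TcpTestSucceeded
            $state = if ($ok) { 'open' } else { 'blocked' }
            '{0,-40} {1,5} {2,-26} {3}' -f $dc, $port, $AdPorts[$port], $state
        }
    }
}
```

Run it from a DC or admin workstation in the trusting (DMZ) domain; every port reported "open" is a firewall rule the trust depends on, and every warning is a trust whose partner is less constrained than it could be.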