Active Directory and DMZ

Giganews Newsgroups
Subject: Active Directory and DMZ
Posted by:  Michael (Micha…@discussions.microsoft.com)
Date: Mon, 11 Feb 2008

I recently faced a situation where a sharepoint was part of a domain inside a
DMZ. There was a separate domain, inside the corporate network.

The element I was concerned with was the following : the DMZ domain trusted
the internal domain and the sharepoint allowed users from the inside to
access some ressources.

My assumption was that this was a potential security breach since multiples
ports needed to be open between the inside and the DMZ, and that this
architecture could allow an attacker to eventualy get to the inside from the
DMZ.

I am just curious about what would be the 'best practices' regarding that
situation. Of course you can have just two domains, but obviously the people
on the corporate network need to share ressources with partners outside.

What is the recommended way to deal with such a situation ? Is there any
safe way of allowing internal users to simply authenticate on such a shared
ressource with the outside ?

Replies