Thanks for the reply
Have a web server already part of our domain (not a dc) and want to move it
out to the DMZ. The web guy is having a fit because there are numerous apps
etc running on it that rely on domain accounts. He would rather it remain a
member, and open those ports necessary on the firewall to allow this. I say
it's not worth the security that will be sacrificed.
"Jeff Cochran" <jcochran.nospam.DeleteThis@naplesgov.com> wrote in message
news:405ca733.82408627@msnews.microsoft.com...
> On Wed, 17 Mar 2004 21:10:20 -0500, "stan" <no.DeleteThis@email.com> wrote:
>
> >Is it advisable to have your web server a member of your domain and
> >residing in the DMZ.
>
> No. Make it a standalone server in a workgroup.
>
> >Does this pose a greater risk than if it was not?
>
> A compromised domain member server has more access than a compromised
> standalone server.
>
> >What are the
> >minimum port(s) needed to allow authentication from DMZ.
>
> How are you authenticating and is the system in a DMZ a DC? A better
> option would be authenticating to a local account and if needed
> passing that to the internal system for access, but all this really
> depends on what you really need to accomplish.
>
> Jeff