Question: Centralized authentication in the DMZ
Hmmm...
A small shop with 25 employees and 3 departments - accounting, engineering, and marketing. The company will use windows 2000 with an AD controller. Thus, RBAC and centralized authentication.
This part I understand and makes sense.
Now, let's say this same company will host 20 IIS6 web servers (ALL in a SINGLE load balanced group). The best place to house these servers would be in a DMZ.
Requirement: The concerns are security and also ease of deploying code across the 20 servers.
Question: Would you want to centralize authentication on these 20 servers, maybe in it's own separate domain so no employee accounts are on the new domain? OR would you stick with a decentralized method of authentication? i.e. just use local account authentication across the board.
Any thoughts?
Thanks.
-Xevious
A small shop with 25 employees and 3 departments - accounting, engineering, and marketing. The company will use windows 2000 with an AD controller. Thus, RBAC and centralized authentication.
This part I understand and makes sense.
Now, let's say this same company will host 20 IIS6 web servers (ALL in a SINGLE load balanced group). The best place to house these servers would be in a DMZ.
Requirement: The concerns are security and also ease of deploying code across the 20 servers.
Question: Would you want to centralize authentication on these 20 servers, maybe in it's own separate domain so no employee accounts are on the new domain? OR would you stick with a decentralized method of authentication? i.e. just use local account authentication across the board.
Any thoughts?
Thanks.
-Xevious
Comments
-
RussS Member Posts: 2,068 ■■■□□□□□□□So ... exactly what is the issue?
The company will use windows 2000 with an AD controller. Thus, RBAC and centralized authentication.
Check ... works for me
Now ...
Now, let's say this same company will host 20 IIS6 web servers (ALL in a SINGLE load balanced group). The best place to house these servers would be in a DMZ.
Ok - now these webservers in the DMZ are a separate network from your standard domain for the employees? If thats the case then now really an issue - the webservers are WEB servers and your employees wouldn't be accessing them with regular account logins.
At least that is my take on the issue. Let me know if I am barking up the wrong tree.www.supercross.com
FIM website of the year 2007 -
xevious Member Posts: 59 ■■□□□□□□□□Let me try it again.
My question is really about when to go with a domain controller in the DMZ and centralize authentication? Or maybe not.
If we're talking about just 2 servers in the DMZ, I think it's best to just leave it in a workgroup (stand-alone), rename the admin acct, and harden the os accordingly. maybe have different passwords for each server. This seems to be the most secure manner of setup. BTW: we're dealing with Windows 2000/2003.
Ok, what if the number of servers in the DMZ is something crazy - like 100 web servers. I wouldn't know how to set this up by the book, since I haven't come across a book that describes this type of detail in a DMZ nor having real experience with 100 web servers.
I can't see all 100 servers being stand-alone and all with different admin passwords, that would be a nightmare to manage. On the otherhand, if there was a central controller to authenticate a user in a webadmin group, life would be easy.
Then I was thinking, what if a hacker was able to control one of the servers and he find his way to the AD controller? If he can find out an admin account, he'll be able to take over the entire DMZ.
Just trying to apply what I've read during my sec+ cert process and DMZs, taking it one step further... err... at least in my brain.
Thanks in advance for any suggestions/comments.
-Xevious -
RussS Member Posts: 2,068 ■■■□□□□□□□OK - understood.
Now - time to ask yourself a question.
With a cluster of say 100 servers, what is their purpose? When looking at this I am thinking a web farm doing hosting perhaps?
Now from experience I would suggest Johan knows a little more about this than myself, but here is how we do it ...
5 servers - all separate and running *nix.
All machines have root with separate passwords and we SSH to them by IP address.
Each machine is running multiple websites for multiple clients.
Each client has an independent login to do any necassary maintenance on their sites as we only own and operate the servers and do not do any web work at all.
The reason I am thinking webhosting is that I can not think of too many occasions when multiple servers are used in a DMZ environment. Hopefully someone else out there will pipe in with something a little more comprehensible than my ramblings .... hint hint hint .... come on guys & gals ... lmaowww.supercross.com
FIM website of the year 2007 -
xevious Member Posts: 59 ■■□□□□□□□□Yes. It would be in a hosting environment and correct again, it'll be a web farm doing nothing but handling high traffic web access.
I'm just playing devils advocate to my own question...
I remember an interview question where I was asked how comfortable I was with setting up windows 98. No problem. Well, the next question was what if I had to install 20 like PCs in 2 days? Err... I didn't have the right answer, I said 'umm... I'll have to work over night.' haha... (the interviewer wanted to know if I was familiar with imaging tools)
So, applying that valuable lesson, I am comfortable with securing 1 or 5 servers in a DMZ, but what if the number was much greater?
Russ - Thanks for your feedback. At least I'm still on par when the number of servers are relatively low.
-Xevious -
RussS Member Posts: 2,068 ■■■□□□□□□□Hey - imaging ... not a problem.
Imaging a server farm can be done pretty much like imaging a bunch of machines. Make a workable unit and then clone it.
Of course in a web farm each machine will have only the base services and all of the various data fot the websites would need to be loaded seperately.www.supercross.com
FIM website of the year 2007