Server security

Peter_1985 2,486 Reputation points
2021-04-21T08:30:20.98+00:00

Hi,
Would it have many other problems (in security) if a Windows server having Active Directory is directly linked to the outside internet? How to make it better on the server?

Tags: Windows Server 2016, Windows Server

Accepted answer
  1. Daisy Zhou 18,701 Reputation points Microsoft Vendor
    2021-04-22T02:43:38.2+00:00

    Hello @Peter_1985 ,

    Thank you for posting here.

    Based on my understanding, an AD domain is a security boundary. We suggest not exposing AD to the Internet, which may cause many security problems.

    Here is a similar case we can refer to.

    Should I expose my Active Directory to the public Internet for remote users?
    https://serverfault.com/questions/573681/should-i-expose-my-active-directory-to-the-public-internet-for-remote-users/573721

    Please note: Information posted in the given link is hosted by a third party. Microsoft does not guarantee the accuracy and effectiveness of information.

    Should you have any question or concern, please feel free to let us know.

    Best Regards,
    Daisy Zhou

    ============================================

    If the Answer is helpful, please click "Accept Answer" and upvote it.


16 additional answers

  1. Cheong00 3,471 Reputation points
    2021-04-22T06:55:03.33+00:00

    You can't. There's no way to guarantee security unless it is completely disconnected from the internet.

    Usually you'll want to host your web applications on other servers on the network and leave AD alone.

    The more incoming ports you allow external IPs to connect to directly on your domain controller, the more likely the machine will be compromised through newly discovered vulnerabilities.

    If a web server on your network (without a DMZ setup) is compromised, it'll only serve as a jump-board to launch other attacks toward computers in your corporate network. If your domain controller is compromised, consider all computers joined to the domain pwned, because by default the "Administrator" of the domain controller is also in "Administrators" on all computers in the domain. Instead of launching attacks on the computers via other vulnerabilities, the bad guys can just "deploy" their trojans to every computer on the domain.

    This is the reason why direct access to a domain controller from external IPs is strongly discouraged. And for cases where you need domain access to remote sites (say, to create a cross-domain trust with other business bodies in a corporate environment), the connection should always be protected with a VPN.


  2. Daisy Zhou 18,701 Reputation points Microsoft Vendor
    2021-04-22T08:02:44.427+00:00

    Hello @Peter_1985 ,

    I am happy to receive your reply.

    For AD port requirements, we can refer to the links below.

    Active Directory and Active Directory Domain Services Port Requirements
    https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd772723(v=ws.10)?redirectedfrom=MSDN

    Active Directory Replication over Firewalls
    https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/bb727063(v=technet.10)?redirectedfrom=MSDN

    Hope the information above is helpful.

    Should you have any question or concern, please feel free to let us know.

    Best Regards,
    Daisy Zhou

    ============================================

    If the Answer is helpful, please click "Accept Answer" and upvote it.

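Cheong00's point about every inbound port being another exposure, and the port-requirement documents linked just above, both reduce to one audit question for a defender: does the domain controller hold a public address, and which AD service ports does its host firewall allow from any remote address? The following PowerShell script is an added example, written for this page and not taken from the thread or from Microsoft. It assumes Windows Server 2016 with the built-in NetSecurity and NetTCPIP modules and an elevated session on the DC; the port table, the `Test-*`/`Get-*` function names and the treatment of the firewall's `RPC` and `RPC-EPMap` port keywords as the dynamic RPC range and port 135 are my own assumptions.

```powershell
#Requires -Modules NetSecurity, NetTCPIP
# Added example (not from the thread): audit a domain controller for AD service
# ports that the host firewall allows from any remote address, and for public
# IPv4 addresses bound directly to the host. Read-only; changes nothing.

# Well-known AD DS service ports (constructed table, descriptions are mine).
$AdPorts = @{
    53   = 'DNS'
    88   = 'Kerberos'
    123  = 'NTP (W32Time)'
    135  = 'RPC endpoint mapper'
    389  = 'LDAP'
    445  = 'SMB (SYSVOL/NETLOGON)'
    464  = 'Kerberos password change'
    636  = 'LDAPS'
    3268 = 'Global Catalog'
    3269 = 'Global Catalog (SSL)'
}

function Test-PortOverlap {
    # Does one firewall LocalPort entry ("389", "49152-65535", "Any", "RPC", ...)
    # cover the given port? Assumption: "RPC" means the dynamic range 49152+.
    param([string]$FilterPort, [int]$Port)
    switch -Regex ($FilterPort) {
        '^Any$'         { return $true }
        '^RPC$'         { return ($Port -ge 49152) }
        '^RPC-EPMap$'   { return ($Port -eq 135) }
        '^(\d+)-(\d+)$' { return ($Port -ge [int]$Matches[1] -and $Port -le [int]$Matches[2]) }
        '^\d+$'         { return ([int]$FilterPort -eq $Port) }
        default         { return $false }
    }
}

function Test-PrivateIPv4 {
    # RFC 1918 space plus loopback and link-local; anything else is "public".
    param([string]$Ip)
    return ($Ip -match '^10\.' -or $Ip -match '^192\.168\.' -or
            $Ip -match '^172\.(1[6-9]|2\d|3[01])\.' -or
            $Ip -match '^127\.' -or $Ip -match '^169\.254\.')
}

function Get-AdExposureReport {
    $findings = @()

    # 1. A DC should only carry private addresses behind a perimeter firewall/VPN.
    foreach ($addr in Get-NetIPAddress -AddressFamily IPv4) {
        if (-not (Test-PrivateIPv4 $addr.IPAddress)) {
            $findings += [pscustomobject]@{
                Kind      = 'PublicAddress'
                Detail    = "$($addr.InterfaceAlias) has public IPv4 $($addr.IPAddress)"
                Rule      = $null
                Profile   = $null
                Listening = $null
            }
        }
    }

    # Ports actually bound right now (TCP listeners plus UDP endpoints).
    $listening = @((Get-NetTCPConnection -State Listen).LocalPort) +
                 @((Get-NetUDPEndpoint).LocalPort) | Sort-Object -Unique

    # 2. Enabled inbound allow rules that open an AD port to any remote address.
    foreach ($rule in Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow) {
        $portFilter = $rule | Get-NetFirewallPortFilter
        $addrFilter = $rule | Get-NetFirewallAddressFilter
        if ($portFilter.Protocol -notin 'TCP', 'UDP', 'Any') { continue }
        if (@($addrFilter.RemoteAddress) -notcontains 'Any') { continue }
        foreach ($port in $AdPorts.Keys) {
            $hit = @($portFilter.LocalPort) | Where-Object { Test-PortOverlap $_ $port }
            if ($hit) {
                $findings += [pscustomobject]@{
                    Kind      = 'OpenToAnyRemote'
                    Detail    = "port $port ($($AdPorts[$port])) allowed from any remote address"
                    Rule      = $rule.DisplayName
                    Profile   = $rule.Profile
                    Listening = ($port -in $listening)
                }
            }
        }
    }
    return $findings
}

Get-AdExposureReport | Sort-Object Kind, Detail | Format-Table -AutoSize
```

Read the output with the thread's advice in mind: a `PublicAddress` finding means the DC is sitting directly on the internet, which is the situation the answers say to avoid outright, and no host-firewall tuning fixes that. `OpenToAnyRemote` rows are normal for the Domain profile on an internal LAN (the built-in AD DS rules allow any remote address), so the rows to act on are those scoped to the Public profile, or any row at all when the host has a public address. The `Listening` column separates a rule that merely exists from a port that is actually bound. The place to enforce the restriction remains the perimeter firewall and a VPN, as Cheong00 describes; this script only tells you how far the DC's own configuration has drifted from that design.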

  3. Dave Patrick 426.1K Reputation points MVP
    2021-04-22T12:19:42.567+00:00

    How to adjust the network configuration to ensure it's safe, having AD inside?

    The simplest solution is to keep your Active Directory on the internal LAN. You might use a DMZ setup for servers that need public-facing network access.

    --please don't forget to Accept as answer if the reply is helpful--


  4. Peter_1985 2,486 Reputation points
    2021-04-23T02:56:58.67+00:00

    DSPatrick,
    For one server having one domain, how to make use of another AD (residing on another machine)? Is the other AD under another domain?
