Server security

Peter_1985 2,526 Reputation points
2021-04-21T08:30:20.98+00:00

Hi,
Would there be many other problems (in security) if a Windows server with Active Directory is directly linked to the outside internet? How can I make it better on the server?

Windows Server 2016

Accepted answer
  1. Daisy Zhou 18,721 Reputation points Microsoft Vendor
    2021-04-22T02:43:38.2+00:00

    Hello @Peter_1985 ,

    Thank you for posting here.

    Based on my understanding, an AD domain is a security boundary. We suggest not exposing AD to the Internet, which may cause many security problems.

    Here is a similar case we can refer to.

    Should I expose my Active Directory to the public Internet for remote users?
    https://serverfault.com/questions/573681/should-i-expose-my-active-directory-to-the-public-internet-for-remote-users/573721

    Please note: Information posted in the given link is hosted by a third party. Microsoft does not guarantee the accuracy and effectiveness of information.

    Should you have any question or concern, please feel free to let us know.

    Best Regards,
    Daisy Zhou

    ============================================

    If the Answer is helpful, please click "Accept Answer" and upvote it.


16 additional answers

  1. Dave Patrick 426.1K Reputation points MVP
    2021-04-23T03:07:51.727+00:00

    Not sure what this even means. I was simply suggesting to use either a member server or standalone server in a DMZ for direct connection to the internet. I can't see any good reason a Windows domain controller should be directly connected to the internet.

    --please don't forget to Accept as answer if the reply is helpful--


  2. Peter_1985 2,526 Reputation points
    2021-04-23T03:49:03.773+00:00

    Hi,
    What is the configuration if one server connected to the internet is referring to another member server?


  3. Dave Patrick 426.1K Reputation points MVP
    2021-04-23T14:11:24.557+00:00

    The better option to access your domain controller via internet is via a VPN connection to your network. (goes without saying; do not install RRAS role on domain controller)

    --please don't forget to Accept as answer if the reply is helpful--


  4. Reza-Ameri 16,836 Reputation points
    2021-04-23T14:20:59.47+00:00

    It is not easy to say Yes or No to your question, and it really depends on your architecture.
    In case you have to interface your Active Directory to the internet, make sure you have proper protection and monitoring in place and continuously observe for potential breaches and attacks.
    It is recommended to set up AD locally inside your local network (or DMZ), and the part that interfaces to the internet should be AzureAD, synced with your local AD, because AzureAD has better protection in place.
    However, in case you have sufficient resources and strategy to protect your AD over the internet, then you could do it, considering you have followed the required standards.
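
As a way to check the exposure discussed in this thread, the following PowerShell audit lists enabled inbound allow rules on a domain controller's Windows Firewall that accept Active Directory service ports from any remote address. It is an added example, not code from any participant in the thread; the port list is the set of well-known AD DS defaults and is an assumption about your environment.

```powershell
# Added example: run in an elevated PowerShell session on the domain controller.
# Well-known default ports for AD DS services (assumption: defaults are in use).
$adPorts = @{
    '53'   = 'DNS'
    '88'   = 'Kerberos'
    '135'  = 'RPC endpoint mapper'
    '389'  = 'LDAP'
    '445'  = 'SMB'
    '464'  = 'Kerberos password change'
    '636'  = 'LDAPS'
    '3268' = 'Global Catalog'
    '3269' = 'Global Catalog over TLS'
}

$findings = foreach ($rule in Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True) {
    $portFilter = $rule | Get-NetFirewallPortFilter
    $addrFilter = $rule | Get-NetFirewallAddressFilter

    # Only rules that accept traffic from any remote address are of interest.
    if ($addrFilter.RemoteAddress -notcontains 'Any') { continue }

    # LocalPort may also hold 'Any', keywords such as 'RPC', or ranges;
    # this check matches exact port numbers only.
    foreach ($port in $portFilter.LocalPort) {
        if ($adPorts.ContainsKey("$port")) {
            [pscustomobject]@{
                Rule     = $rule.DisplayName
                Profile  = $rule.Profile
                Protocol = $portFilter.Protocol
                Port     = $port
                Service  = $adPorts["$port"]
            }
        }
    }
}

if ($findings) {
    # Rules that apply to the Public profile (or to Any profile) deserve the closest review.
    $findings | Sort-Object Port, Rule | Format-Table -AutoSize
} else {
    Write-Output 'No enabled inbound allow rule exposes the listed AD ports to any remote address.'
}
```

This shows the host firewall's view only; whether those ports are reachable from the internet also depends on the perimeter firewall and NAT in front of the server.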