Deploying Active Directory in a DMZ

We often have customers who deploy Web Active Directory applications to a DMZ hosting public-facing web servers. These applications often access an internal Active Directory behind the firewall and authenticate users against the internal Active Directory domain. This presents a greater security risk than internal web servers do, so we have some guidance to help you choose the most secure deployment model for your scenario. When deploying Active Directory in a DMZ, it is important to follow best practices.

We completed some research to determine best practices for setting up web applications in the DMZ that use integrated Windows authentication in IIS and access Active Directory internally behind the firewall. A few simple conclusions came out of that research.

  1. There are four deployment models: No AD (standalone workgroup server with only local accounts); Isolated forest model; Extended corporate forest model; and Forest trust model.
  2. You cannot run most AD-enabled applications on standalone Windows workgroup servers in the DMZ.
  3. You have several architectural models to use to allow secure access from a DMZ.
  4. The isolated forest model and the extended corporate forest model using Read-Only Domain Controllers (RODCs) carry the lowest security risk.
  5. All models can be hardened to provide excellent security.
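To see which of these models a DMZ web server is actually running under, and whether the RODC it authenticates against is caching only the secrets it should, here is an added PowerShell audit; it is not code from this post or from the Microsoft guide, and it assumes the RSAT ActiveDirectory module is installed on the server and that the caller can read the domain.

```powershell
# Added example: classify a DMZ web server against the four deployment
# models above and audit the RODC it uses. Assumes (not from the post) the
# RSAT ActiveDirectory module and a caller with read access to the domain.
# Run it on the DMZ web server itself.
Import-Module ActiveDirectory -ErrorAction Stop

$cs = Get-CimInstance -ClassName Win32_ComputerSystem
if (-not $cs.PartOfDomain) {
    "Model: No AD. '$($cs.Name)' is a workgroup server with local accounts only; AD-enabled apps will not run here."
    return
}

# Which DC did this session authenticate against? In a DMZ this should be
# an RODC in the perimeter, not a writable DC reached through the firewall.
$dcName = if ($env:LOGONSERVER) { $env:LOGONSERVER.TrimStart('\') } else { (Get-ADDomainController -Discover).Name }
$dc = Get-ADDomainController -Identity $dcName
"Domain: $($cs.Domain)  Forest: $($dc.Forest)  DC: $($dc.HostName)  ReadOnly: $($dc.IsReadOnly)  Site: $($dc.Site)"

# Forest trust model: are any trusts defined from this forest?
$trusts = Get-ADTrust -Filter * -ErrorAction SilentlyContinue
if ($trusts) {
    "Trusts from this forest (forest trust model if the DMZ forest trusts the corporate forest):"
    $trusts | Select-Object Name, Direction, ForestTransitive | Format-Table -AutoSize
} else {
    "No trusts: isolated forest, or this server is a member of the corporate forest itself (extended corporate forest model)."
}

if (-not $dc.IsReadOnly) {
    "WARNING: $($dc.HostName) is a writable DC. A compromised DMZ host could then reach the full directory."
    return
}

# Password Replication Policy: the secrets an RODC may cache are what an
# attacker who takes the perimeter DC obtains. Keep the Allowed list to DMZ principals.
"Accounts allowed to have passwords cached on $($dc.HostName):"
Get-ADDomainControllerPasswordReplicationPolicy -Identity $dc.HostName -Allowed |
    Select-Object Name, ObjectClass | Format-Table -AutoSize

# Privileged accounts must never have been revealed to the perimeter RODC.
$privileged = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Select-Object -ExpandProperty SamAccountName
$revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $dc.HostName -RevealedAccounts |
    Select-Object -ExpandProperty SamAccountName
$leak = $revealed | Where-Object { $privileged -contains $_ }
if ($leak) { "WARNING: Domain Admins passwords cached on RODC: $($leak -join ', ')" }
else       { "OK: no Domain Admins passwords cached on $($dc.HostName)." }
```

$env:LOGONSERVER reflects the DC used by the current interactive session, so run the audit under the account the IIS application pool uses to see the DC that matters for the web application.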

Check out the excellent guide to Active Directory Domain Services in the Perimeter Network (Windows Server 2008) for more information. This guide provides all the information you need to securely deploy your AD-enabled web applications to the DMZ.