There are a number of approaches to setting up Active Directory-empowered applications like Web Active Directory provides. Our web-enabled applications require access to Active Directory from public internet-facing servers and many organizations are wary of the security risks for setting up this type of environment.
We recently completed some research to determine the best practices for setting up web applications in the DMZ that use integrated Windows authentication in IIS and access Active Directory internally behind the firewall. A few simple thoughts come from our research.
- There are four deployment models: No AD (standalone workgroup server with only local accounts); Isolated forest model; Extended corporate forest model; and Forest trust model.
- You cannot run most AD-enabled applications on standalone Windows workgroup servers in the DMZ.
- You have several architectural models to use to allow secure access from a DMZ.
- The isolated forest model and extended corporate forest model using Read Only Domain Controllers (RODCs) provide the lowest security risks.
- All models can be hardened to provide excellent security.
Check out the excellent guide to Active Directory Domain Services in the Perimeter Network (Windows Server 2008) at https://technet.microsoft.com/en-us/library/dd728034(v=ws.10).aspx . This guide provides all the information you need to securely deploy your AD-enabled web applications to the DMZ.