Should I place a Read-Only Domain Controller in a DMZ?


Recently I was asked to evaluate the possibility of placing a Read-Only Domain Controller in a DMZ.

My first thoughts were to disallow the request, as I did not feel comfortable placing the crown jewels in the DMZ. Does anyone understand the inherent risks of placing an RODC in the DMZ and why we should never do this?

From the perspective of assuming compromise, we have then opened up a hole in the firewall to be able to navigate directly into internal domain controllers. This, in my mind, makes it easier for a threat actor to attack the DCs without having to perform any lateral movement, or with minimal lateral movement, from internet-exposed, domain-joined web servers.

Any thoughts would be greatly appreciated.

Thank you.


Short answer. Don’t do it.

Long answer. Don’t do it. Why do it? I can see no reason for this topology. There just needs to be a better, more secure (!) solution to the problem you’re trying to solve. You’ve answered your own question in the post, to be honest… ’nuff said.

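The risk the question describes is the firewall opening an RODC needs to replicate from the writable DCs. The following is an added example, not code from this thread, that audits a constructed first-match firewall rule set for exactly that exposure: which AD service ports on internal DCs are reachable from the DMZ subnet. The rule format, the subnet and DC addresses, and the port list (a typical set of DC ports plus the dynamic RPC range) are assumptions for illustration; check them against your own environment's port inventory.

```python
"""Audit firewall rules for DMZ -> internal domain-controller reachability.

Added example (not from the original thread). Rule format, addresses and the
port list below are constructed assumptions for illustration only.
"""
import ipaddress
from dataclasses import dataclass

# Ports a DC or RODC typically needs on writable DCs (assumed list; verify locally).
AD_PORTS = {
    53: "DNS", 88: "Kerberos", 135: "RPC endpoint mapper", 389: "LDAP",
    445: "SMB", 464: "Kerberos password change", 636: "LDAPS",
    3268: "Global Catalog", 3269: "Global Catalog SSL",
}
DYNAMIC_RPC = range(49152, 65536)  # default Windows dynamic RPC range


@dataclass
class Rule:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    ports: range
    action: str  # "allow" or "deny"


def rule(src, dst, ports, action):
    """Build a Rule from CIDR strings and a port spec ('any', '445', '49152-65535')."""
    if ports == "any":
        prange = range(0, 65536)
    elif "-" in ports:
        lo, hi = ports.split("-")
        prange = range(int(lo), int(hi) + 1)
    else:
        prange = range(int(ports), int(ports) + 1)
    return Rule(ipaddress.ip_network(src), ipaddress.ip_network(dst), prange, action)


def first_match(rules, src_net, dst_ip, port):
    """First-match semantics with an implicit default deny, as most firewalls apply."""
    for r in rules:
        if r.src.overlaps(src_net) and dst_ip in r.dst and port in r.ports:
            return r.action
    return "deny"


def find_dmz_to_dc_exposure(rules, dmz_net, dc_hosts):
    """Return (dc, port, service) tuples for every AD service reachable from the DMZ."""
    dmz = ipaddress.ip_network(dmz_net)
    findings = []
    for dc in dc_hosts:
        ip = ipaddress.ip_address(dc)
        for port, name in AD_PORTS.items():
            if first_match(rules, dmz, ip, port) == "allow":
                findings.append((dc, port, name))
        # Collapse the dynamic RPC range into a single finding rather than 16k lines.
        dyn = [p for p in DYNAMIC_RPC if first_match(rules, dmz, ip, p) == "allow"]
        if dyn:
            findings.append((dc, f"{dyn[0]}-{dyn[-1]}", f"dynamic RPC ({len(dyn)} ports)"))
    return findings


# Constructed rule set: a "let the RODC replicate" rule that is far broader than intended.
EXAMPLE_RULES = [
    rule("10.10.0.0/24", "10.0.0.10/32", "445", "deny"),      # someone blocked SMB to one DC
    rule("10.10.0.0/24", "10.0.0.0/24", "any", "allow"),      # DMZ -> whole internal server VLAN
    rule("10.10.0.0/24", "192.168.5.0/24", "443", "allow"),   # unrelated, not a DC subnet
]
EXAMPLE_DCS = ["10.0.0.10", "10.0.0.11"]  # constructed internal writable DCs

if __name__ == "__main__":
    for dc, port, service in find_dmz_to_dc_exposure(EXAMPLE_RULES, "10.10.0.0/24", EXAMPLE_DCS):
        print(f"DMZ can reach {dc}:{port} ({service})")
```

Run against the constructed rules, the audit shows that the single broad "any" rule exposes every AD service port and the whole dynamic RPC range on both DCs from the DMZ, with only the one explicit SMB deny narrowing it; that is the direct path from a compromised DMZ host to the writable DCs that the question is worried about, and it is what a reviewer should be looking for in a change request that asks for an RODC in the DMZ.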