Given the improvements made in read-only domain controllers (RODCs), is a separate domain in the DMZ with a one-way trust relationship still the most secure option when setting up domain services for DMZ security?
The premise of a read-only domain controller is to maximize security where security is often out of your control -- such as physically vulnerable server rooms in branch offices, as well as DMZs or extranets where traffic is suspect at best. There are other use cases -- such as commercial off-the-shelf software -- that require a dedicated or otherwise nearby domain controller. The ultimate goal is to prevent an attacker from corrupting Active Directory.
Setting up a read-only domain controller in your scenario can be a great solution -- especially if there's a risk of someone gaining access and not only reading, but also writing to the Active Directory forest. Is it the most secure? While there may be additional cloud-based options that could work in this scenario, the one-way trust aspect of what you're proposing can certainly be helped by a read-only domain controller. Overall, it depends on factors and information not provided, such as physical location, network architecture and the security of the application(s) being used.
In the end, you need to consider the threats, the vulnerabilities and the specific business risks. If you believe they're all manageable or if you perform a penetration test of the environment and everything checks out okay, then you're on the right track.
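The two things the answer above leaves to the reader's own assessment are what a seized DMZ RODC actually gives an attacker (the credentials cached on it) and whether the trust really is one-way. The following PowerShell is an added example, not part of Kevin Beaver's answer, that audits both from a domain-joined admin host. It assumes the RSAT ActiveDirectory module, rights to read the RODC Password Replication Policy, and that it is run from the internal (trusted) domain; the list of protected groups is an assumption chosen for the example.

```powershell
# Added example, not part of the original answer. Assumes the RSAT ActiveDirectory
# module on a domain-joined admin host with rights to read RODC replication policy.
Import-Module ActiveDirectory

# Groups whose members should never have secrets cached on a DMZ-facing RODC.
# The built-in "Denied RODC Password Replication Group" covers most of these;
# the list itself is an assumption for this example.
$ProtectedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins',
                     'Administrators', 'Account Operators', 'Server Operators')

function Get-ProtectedSids {
    # Map SID -> group name for every (recursive) member of the protected groups.
    $sids = @{}
    foreach ($g in $ProtectedGroups) {
        try {
            Get-ADGroupMember -Identity $g -Recursive |
                ForEach-Object { $sids[$_.SID.Value] = $g }
        } catch { Write-Warning "Cannot enumerate ${g}: $_" }
    }
    return $sids
}

function Test-RodcExposure {
    param([Parameter(Mandatory)] $Rodc, [hashtable] $ProtectedSids)

    # 1. Policy: who MAY be cached. Every allowed principal is a credential that
    #    can be dumped from the RODC's disk if the DMZ box is compromised.
    $allowed = Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Allowed
    $denied  = Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Denied

    # 2. Reality: who HAS been cached (msDS-RevealedUsers). This is the actual
    #    blast radius, regardless of what the policy permits on paper.
    $revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts

    # Any protected-group member that shows up here is a finding: the RODC is
    # holding a privileged secret in the DMZ.
    $privCached = $revealed | Where-Object { $ProtectedSids.ContainsKey($_.SID.Value) }

    [pscustomobject]@{
        RODC               = $Rodc.Name
        Site               = $Rodc.Site
        AllowedPrincipals  = ($allowed | Select-Object -ExpandProperty Name) -join '; '
        DeniedPrincipals   = ($denied  | Select-Object -ExpandProperty Name) -join '; '
        RevealedCount      = @($revealed).Count
        PrivilegedRevealed = ($privCached | Select-Object -ExpandProperty SamAccountName) -join '; '
    }
}

function Test-DmzTrust {
    # Queried from the internal (trusted) domain, a correct one-way DMZ trust
    # shows Direction = Inbound (the DMZ domain trusts this one, not the reverse).
    # From the DMZ side the same trust appears as Outbound.
    Get-ADTrust -Filter * | ForEach-Object {
        $finding = 'ok'
        if ($_.Direction -eq 'BiDirectional') {
            $finding = 'two-way trust: DMZ accounts can authenticate to internal resources'
        } elseif (-not $_.SelectiveAuthentication) {
            $finding = 'selective authentication off: every DMZ-trusted user is "Authenticated Users" here'
        } elseif (-not $_.SIDFilteringQuarantined) {
            $finding = 'SID filtering off: SID history from the DMZ side is honoured'
        }
        [pscustomobject]@{
            Trust                   = $_.Name
            Direction               = $_.Direction
            ForestTransitive        = $_.ForestTransitive
            SelectiveAuthentication = $_.SelectiveAuthentication
            SIDFilteringQuarantined = $_.SIDFilteringQuarantined
            Finding                 = $finding
        }
    }
}

# Run the audit: one exposure record per RODC, then one row per trust.
$protected = Get-ProtectedSids
Get-ADDomainController -Filter { IsReadOnly -eq $true } |
    ForEach-Object { Test-RodcExposure -Rodc $_ -ProtectedSids $protected } |
    Format-List

Test-DmzTrust | Format-Table -AutoSize
```

The PrivilegedRevealed field is the one to act on: a non-empty value means a privileged account authenticated through the DMZ RODC while the policy allowed caching, and its secret now lives on a host the threat model assumes can be taken. Add `-AuthenticatedAccounts` to `Get-ADDomainControllerPasswordReplicationPolicyUsage` to see who has authenticated through the RODC even if their credentials were not cached, which is a useful input to the penetration test the answer recommends.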
Related Q&A from Kevin Beaver
The WannaCry TCP port 445 exploit returned the spotlight to Microsoft's long-abused networking port. Network security expert Kevin Beaver explains ...
Enterprise network security expert Kevin Beaver compares and contrasts the roles of an inbound firewall and an outbound firewall. Find out what the ...
Knowing how to test for security flaws is vital, but it's a complicated and changing field. Expert Kevin Beaver offers security testing basics.