Given the improvements made in read-only domain controllers (RODCs), is a separate domain in the DMZ with a one-way trust relationship still the most secure option when setting up domain services for DMZ security?
The premise of a read-only domain controller is to maximize security where security is often out of your control -- such as physically-vulnerable server rooms in branch offices, as well as DMZs or extranets where traffic is suspect at best. There are other use cases -- such as commercial off-the-shelf software -- that require a dedicated or otherwise nearby domain controller. The ultimate goal is to prevent an attacker from corrupting Active Directory.
Setting up a read-only domain controller in your scenario can be a great solution -- especially if there's a risk of someone gaining access and not only reading, but also writing to the Active Directory forest. Is it the most secure? While there may be additional cloud-based options that could work in this scenario, the one-way trust aspect of what you're proposing can certainly be helped by a read-only domain controller. Overall, it depends on factors and information not provided, such as physical location, network architecture and the security of the application(s) being used.
In the end, you need to consider the threats, the vulnerabilities and the specific business risks. If you believe they're all manageable or if you perform a penetration test of the environment and everything checks out okay, then you're on the right track.
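The answer above hinges on two things a practitioner will want to verify rather than assume: what credentials a DMZ-facing RODC is allowed to cache (its password replication policy), and how any trust between the DMZ and the internal forest is actually configured (direction, selective authentication, SID filtering). The following audit script is an added example, not part of the original answer or of any TechTarget or Microsoft material. It assumes the RSAT ActiveDirectory PowerShell module is installed, that the account running it can read RODC policy and trust objects, and that the list of privileged groups in `$PrivilegedGroups` is an assumption you adjust to your own environment.

```powershell
# Added example (not from the original Q&A): audit checks for an RODC placed in a DMZ
# and for the trust between the DMZ and the internal forest.
# Assumes the RSAT ActiveDirectory module and a domain account that can read the
# RODC password replication policy (PRP) and the domain's trust objects.
Import-Module ActiveDirectory

# Assumed list of groups whose credentials should never be cached on a DMZ-facing RODC.
$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators')

function Get-RodcCachingRisk {
    <#
      Returns one object per RODC showing which privileged groups appear in the
      Allowed PRP list and which currently cached (revealed) accounts are
      protected accounts (adminCount = 1). Any hit means that a compromised RODC
      would expose privileged credential material to the DMZ.
    #>
    [CmdletBinding()]
    param()

    foreach ($rodc in Get-ADDomainController -Filter { IsReadOnly -eq $true }) {
        $allowed  = Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Allowed
        $revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts

        $allowedPrivileged = $allowed | Where-Object { $PrivilegedGroups -contains $_.Name }
        $revealedAdmins = foreach ($acct in $revealed) {
            $obj = Get-ADObject -Identity $acct.DistinguishedName -Properties adminCount -ErrorAction SilentlyContinue
            if ($obj -and $obj.adminCount -eq 1) { $obj.Name }
        }

        [pscustomobject]@{
            RODC                    = $rodc.HostName
            Site                    = $rodc.Site
            AllowedPrivilegedGroups = ($allowedPrivileged.Name -join ', ')
            CachedProtectedAccounts = ($revealedAdmins -join ', ')
            Risk                    = $(if ($allowedPrivileged -or $revealedAdmins) { 'HIGH' } else { 'OK' })
        }
    }
}

function Get-DmzTrustPosture {
    <#
      Lists every trust with its direction and hardening flags. For a DMZ
      domain or forest the expectation is a one-way trust, with selective
      authentication and SID filtering enabled, so that a compromise in the
      DMZ cannot be used to authenticate freely into the internal forest.
    #>
    [CmdletBinding()]
    param()

    Get-ADTrust -Filter * | ForEach-Object {
        [pscustomobject]@{
            Partner                 = $_.Name
            Direction               = $_.Direction          # Inbound, Outbound or BiDirectional
            ForestTransitive        = $_.ForestTransitive
            SelectiveAuthentication = $_.SelectiveAuthentication
            SIDFilteringQuarantined = $_.SIDFilteringQuarantined
            Finding                 = $(if ($_.Direction -eq 'BiDirectional') { 'Two-way trust: review' }
                                        elseif (-not $_.SelectiveAuthentication) { 'Selective authentication off: review' }
                                        elseif (-not $_.SIDFilteringQuarantined) { 'SID filtering off: review' }
                                        else { 'OK' })
        }
    }
}

# Usage: run from a domain-joined management host with the ActiveDirectory module.
Get-RodcCachingRisk  | Format-Table -AutoSize
Get-DmzTrustPosture  | Format-Table -AutoSize
```

Reading the output: an RODC with a `HIGH` risk row is not delivering the protection the answer describes, because the accounts an attacker most wants are replicated to the box they can reach. A trust row that is `BiDirectional` or lacks selective authentication is no longer the "one-way trust" design the question asks about, whichever side the RODC sits on.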
Related Q&A from Kevin Beaver