Given the improvements made in read-only domain controllers (RODCs), is a separate domain in the DMZ with a one-way...
trust relationship still the most secure option when setting up domain services for DMZ security?
The premise of a read-only domain controller is to maximize security where security is often out of your control -- such as physically vulnerable server rooms in branch offices, as well as DMZs or extranets where traffic is suspect at best. There are other use cases -- such as commercial off-the-shelf software -- that require a dedicated or otherwise nearby domain controller. The ultimate goal is to prevent an attacker from corrupting Active Directory.
Setting up a read-only domain controller in your scenario can be a great solution -- especially if there's a risk of someone gaining access and not only reading, but also writing to the Active Directory forest. Is it the most secure? While there may be additional cloud-based options that could work in this scenario, the one-way trust aspect of what you're proposing can certainly be helped by a read-only domain controller. Overall, it depends on factors and information not provided, such as physical location, network architecture and the security of the application(s) being used.
In the end, you need to consider the threats, the vulnerabilities and the specific business risks. If you believe they're all manageable or if you perform a penetration test of the environment and everything checks out okay, then you're on the right track.
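The answer above rests on the RODC limiting what an attacker who seizes the DMZ controller can write to or steal from the forest. The PowerShell below is an added example (not code from the original Q&A or from Kevin Beaver) of the check a practitioner would run before trusting that assumption: it lists each RODC in the domain, flags privileged groups on the RODC's Password Replication Policy allow list, flags protected accounts (adminCount=1) whose secrets have actually been cached on the RODC, and summarizes the domain's trusts with their direction and SID-filtering settings. It assumes a domain-joined management host with the ActiveDirectory RSAT module and rights to read the domain; the list of group names to treat as privileged is an assumption you should adjust to your environment.

```powershell
# Added example, not part of the original Q&A. Assumes the ActiveDirectory module
# (RSAT) and a domain account permitted to read DC, PRP and trust objects.
Import-Module ActiveDirectory

# Assumed list of built-in groups whose members must never be cached on an RODC.
$privilegedGroups = @(
    'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
    'Account Operators', 'Server Operators', 'Backup Operators', 'Print Operators'
)

function Test-RodcPasswordReplicationPolicy {
    param([Parameter(Mandatory)][string]$RodcName)

    $findings = @()

    # Principals whose passwords this RODC is permitted to cache locally.
    $allowed = Get-ADDomainControllerPasswordReplicationPolicy -Identity $RodcName -Allowed
    foreach ($p in $allowed) {
        if ($privilegedGroups -contains $p.Name) {
            $findings += "PRP allow list on $RodcName includes privileged group '$($p.Name)'"
        }
    }

    # Accounts whose secrets have already been replicated to the RODC: this is
    # what an attacker who images the box can extract. adminCount=1 marks
    # accounts protected by AdminSDHolder (members of privileged groups).
    $revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $RodcName -RevealedAccounts
    foreach ($acct in $revealed) {
        $obj = Get-ADObject -Identity $acct.DistinguishedName -Properties adminCount
        if ($obj.adminCount -eq 1) {
            $findings += "Protected account '$($acct.SamAccountName)' has been cached on $RodcName"
        }
    }
    return $findings
}

function Get-TrustSummary {
    # Direction is reported from the perspective of the domain being queried.
    # For a DMZ domain trusted one-way by the internal forest you want the
    # internal side to show Outbound only, with SID filtering left enabled.
    Get-ADTrust -Filter * |
        Select-Object Name, Direction, TrustType, ForestTransitive,
                      SelectiveAuthentication, SIDFilteringQuarantined
}

# --- run the audit ---
$rodcs = Get-ADDomainController -Filter { IsReadOnly -eq $true }
if (-not $rodcs) { Write-Warning 'No read-only domain controllers found in this domain.' }

foreach ($dc in $rodcs) {
    Write-Host "== $($dc.HostName) (site: $($dc.Site)) =="
    $f = Test-RodcPasswordReplicationPolicy -RodcName $dc.Name
    if ($f) { $f | ForEach-Object { Write-Warning $_ } }
    else    { Write-Host '  PRP: no privileged principals allowed or cached' }
}

Write-Host '== Trusts =='
Get-TrustSummary | Format-Table -AutoSize
```

Run it from the internal domain, not from the DMZ, so the trust direction is shown from the side that is being protected. Any warning from the PRP check means a compromise of the RODC would hand the attacker privileged credentials regardless of how the trust is configured.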
Related Q&A from Kevin Beaver