
Having separate domains for your DMZs is a good idea

We have two DMZs with a total of 30 Windows 2000 standalone servers. We have a request to provide a solution to make it easy to administer IDs and passwords on these boxes. One solution would be to put an AD (Active Directory) domain just for the DMZ. Is this a good security solution? If not, what do you suggest?

Having separate domains for your DMZs is a good idea. However, you suggest one domain for the two DMZs. If there is sufficient reason to have two separate DMZs, there is likely reason enough to have separate domains as well. Without knowing more about your network setup, it is difficult to know for sure. The different domains in and of themselves probably don't add that much value in the way of security (although they could if the appropriate trust relationships/restrictions are put in place). However, making it easier to determine who has administrative authority over specific servers is a good thing.

For more info on this topic, check out these SearchSecurity.com resources:
  • Best Web Links: Infrastructure and network security
  • Ask the Expert: Guidelines for designing a DMZ with defined levels of access
  • Featured Topic: Demilitarized zones

This was last published in July 2003
