
MS Exchange 2000 on DMZ


LenMan

MIS
Mar 15, 2001
I have a Win NT network on my LAN with a PDC and several Win NT BDCs. I am in the process of placing a Win 2k server with Exchange 2000 in my DMZ. If I make that Win 2k server a domain controller in its own domain by installing Active Directory, will that cause any type of security breach in my LAN? I know in terms of administration it is inefficient because I have to do everything twice, once on my LAN and once on the AD. What I want to know is: am I exposing my network to potential attacks by having Active Directory on the DMZ?
 

Active Directory itself is not a security hazard to the DMZ, but the default installation of the Exchange 2000 web interface can expose your DMZ to intruder attacks.

Vulnerabilities like Unicode are very popular among attackers to compromise the target host. You should apply the security patches available from Microsoft.
 
Make sure your firewall port filters between your DMZ and the internet are blocking everything except SMTP, POP3/IMAP, HTTP/HTTPS, DNS, and whatever else specifically needs internet access.

If you are duplicating accounts/passwords on the Exchange 2000 box, then I'm not sure you're gaining any security by having two separate ADs. A more secure way of doing it may be to bring Exchange into your secure zone, and perhaps put a trimmed-down mail server for forwarding-only into the DMZ, where it could also be your OWA webserver.

-Steve
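
The port allow-list from the reply above, turned into a ruleset check. This is an added example, not part of the original thread: the rule format, zone names and sample rules are constructed for illustration, and the port numbers are the standard defaults for the services named.

```python
# Added example: audit internet-facing permit rules against the allow-list
# named in the reply (SMTP, POP3/IMAP, HTTP/HTTPS, DNS).
# The rule syntax and the sample ruleset below are constructed, not vendor syntax.

# Default ports for the services the reply lists.
ALLOWED = {
    ("tcp", 25): "SMTP", ("tcp", 110): "POP3", ("tcp", 143): "IMAP",
    ("tcp", 80): "HTTP", ("tcp", 443): "HTTPS",
    ("udp", 53): "DNS", ("tcp", 53): "DNS",
}

# Constructed ruleset: "<action> <proto> <src-zone> <dst-zone> <port|lo-hi|any>"
SAMPLE_RULES = """\
permit tcp internet dmz 25
permit tcp internet dmz 80
permit tcp internet dmz 443
permit tcp internet dmz 135-139
permit udp internet dmz 53
permit tcp internet lan 3389
deny any internet dmz any
"""

def parse_ports(spec):
    """Expand '25', '135-139' or 'any' into a range of port numbers."""
    if spec == "any":
        return range(0, 65536)
    lo, _, hi = spec.partition("-")
    return range(int(lo), int(hi or lo) + 1)

def audit(ruleset):
    """Return (rule_number, problem) pairs for rules that exceed the allow-list."""
    findings = []
    rules = [l.split() for l in ruleset.splitlines() if l.strip()]
    for n, (action, proto, src, dst, ports) in enumerate(rules, 1):
        if action != "permit" or src != "internet":
            continue
        if dst != "dmz":  # internet traffic should terminate in the DMZ only
            findings.append((n, f"internet traffic permitted into zone '{dst}'"))
            continue
        protos = ("tcp", "udp") if proto == "any" else (proto,)
        if any((pr, p) not in ALLOWED for p in parse_ports(ports) for pr in protos):
            findings.append((n, f"{proto} port(s) {ports} not on the allow-list"))
    # "Blocking everything except ..." requires a final catch-all deny.
    if not rules or rules[-1][0] != "deny" or rules[-1][1] != "any" or rules[-1][4] != "any":
        findings.append((len(rules), "ruleset does not end in a deny-all rule"))
    return findings

if __name__ == "__main__":
    for rule_no, problem in audit(SAMPLE_RULES):
        print(f"rule {rule_no}: {problem}")
```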
 