
We have a network of servers and computers on an AD domain. One of the servers runs a PHP-based management system (ERP), and we want to have it accessible on the internet. When I say internet I don't mean on Google or anything, just an open port with a subdomain of our website. To be clear, I'm not worried about the security of the ERP itself (PHP login etc.), but rather about the way it should (or should not) be separated from the network. I have read a lot saying that you should not have a public server on an AD domain, but what are the options for managing it short of physical access? And even if we have it on AD, we won't be able to have it on a DMZ. We did think of a VPN, but it's a bit cumbersome for users, though it may well be our only option. Hopefully I'm making sense, because I'm a bit at a loss as to how this should be set up.

Thanks.

1 Answer


You could install a second NIC and multi-home the server if the software will support it.

The risk to your AD domain depends on whether the credentials are used to log in to that server. If so, they are at risk and you probably want to manage it with an account that only has permissions to that box.

Yes, someone owning it could be a further risk if you don't notice it, but as long as you're not logging into it with domain admins and the like, it wouldn't necessarily immediately compromise the whole domain.

Long run though, it would be best to get the extra network gear, configure a DMZ, separate it from your internal network, and open only the absolutely required ports back to AD or anything else internal.

Kyp
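The answer above makes three practical points: multi-home the server, expose only the ERP port on the public side while keeping management reachable from the internal side only, and never log on to the box with domain admin credentials. The following PowerShell is an added example illustrating all three on a multi-homed Windows server; it is not code from the original question or answer. It assumes the internet-facing NIC has the interface alias "Public", the domain-facing NIC the alias "Internal", the internal network is 10.0.0.0/8, the ERP is served on TCP 443, and the AD domain's NetBIOS name is CORP. All of those names and values are assumptions for the example; adjust them to the real environment and run it elevated on the ERP server.

```powershell
# Added example, not from the original answer. Assumed values (also stated in
# the lead-in): interface aliases "Public"/"Internal", internal range 10.0.0.0/8,
# ERP on TCP 443, NetBIOS domain name CORP. Run in an elevated PowerShell.

$PublicNic   = 'Public'      # assumed alias of the internet-facing NIC
$InternalNic = 'Internal'    # assumed alias of the domain-facing NIC
$InternalNet = '10.0.0.0/8'  # assumed internal address range
$ErpPort     = 443           # assumed port the PHP ERP listens on
$DomainName  = 'CORP'        # assumed NetBIOS domain name

# 1. Default-deny inbound on every profile so only the explicit rules below apply.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block

# 2. On the public NIC, expose only the ERP port. SMB, RDP, WinRM and LDAP are
#    never reachable from the internet side of the multi-homed server.
New-NetFirewallRule -DisplayName 'ERP HTTPS (public NIC)' -Direction Inbound `
    -Protocol TCP -LocalPort $ErpPort -InterfaceAlias $PublicNic -Action Allow

# 3. Management (RDP, WinRM) is allowed only via the internal NIC and only from
#    the internal range, so the box can be administered without physical access
#    while the public side never sees those ports.
New-NetFirewallRule -DisplayName 'RDP from internal only' -Direction Inbound `
    -Protocol TCP -LocalPort 3389 -InterfaceAlias $InternalNic `
    -RemoteAddress $InternalNet -Action Allow
New-NetFirewallRule -DisplayName 'WinRM from internal only' -Direction Inbound `
    -Protocol TCP -LocalPort 5985,5986 -InterfaceAlias $InternalNic `
    -RemoteAddress $InternalNet -Action Allow

# 4. Check: which domain accounts have logged on interactively (console or RDP)
#    in the last 30 days? Each CORP\ account listed has left credential material
#    on an internet-reachable host; per the answer, this should only ever be a
#    dedicated, low-privilege account scoped to this server.
$Since  = (Get-Date).AddDays(-30)
$Logons = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $Since } `
          -ErrorAction SilentlyContinue |
    ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($n in $xml.Event.EventData.Data) { $data[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            Account   = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
            LogonType = [int]$data['LogonType']   # 2 = interactive, 10 = RDP
            Source    = $data['IpAddress']
        }
    } |
    Where-Object { $_.Account -like "$DomainName\*" -and $_.LogonType -in 2,10 }

Write-Host "Domain accounts with interactive/RDP logons since $Since :"
$Logons | Group-Object Account | Sort-Object Count -Descending |
    Select-Object @{ n = 'DomainAccount'; e = { $_.Name } }, Count |
    Format-Table -AutoSize

# 5. Flag logons by direct members of Domain Admins: the case the answer warns
#    about. The WinNT provider does not expand nested groups, so treat an empty
#    result as "no direct member seen", not as proof.
$group        = [ADSI]"WinNT://$DomainName/Domain Admins,group"
$DomainAdmins = $group.psbase.Invoke('Members') | ForEach-Object {
    "$DomainName\" + $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
}
$Bad = $Logons | Where-Object { $DomainAdmins -contains $_.Account }
if ($Bad) {
    Write-Warning 'Domain Admins members have logged on to this server:'
    $Bad | Sort-Object Time -Descending | Format-Table Time, Account, LogonType, Source -AutoSize
} else {
    Write-Host 'No direct Domain Admins member logons found in the window.'
}
```

The firewall rules are persistent and do not depend on the ERP software supporting multi-homing; the logon audit is a check rather than a control, so pair it with a "Deny log on through Remote Desktop Services" and "Deny log on locally" policy for Domain Admins on this server if the ERP host stays domain-joined.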