Hey everyone, I'm currently in the process of setting up a DMZ and need some advice on security best practices concerning a file server we want to use for user uploads. I've heard about creating a DMZ forest with a Read-Only Domain Controller (RODC) inside our internal network, then establishing a one-way trust where the DMZ trusts our internal domain while keeping the reverse from happening. This setup might allow us to create a security group for the DMZ file server, but I'm concerned about the potential vulnerabilities it may introduce. Additionally, I'm wondering if it's wise to open RDP to the DMZ. When an RDP session is authenticated, it could reach out to the RODC. Just to clarify, this isn't just any file server—it's an SMB share monitored by an application that uploads files to a main application's database once they're uploaded. I appreciate any guidance or advice you can share!
2 Answers
If you don't have overly strict security needs, you might be making this way too complicated. Instead, consider using a proper file share or upload service, whether on-premises or cloud-based. You can secure it with a reverse proxy or application gateway and still keep it in the DMZ if necessary. By the way, what type of organization are you with?
Why not just go with SharePoint for this? It simplifies things and provides good security out of the box.
It’s not just a basic file server; it’s an SMB share linked to a secondary application that monitors uploads in real-time and sends them to the main app automatically.
We're running an application server with a file server component that ingests data. Internal users need to upload data so it can get processed by the application we’re trying to isolate.