From: Taylorville, IL
That's because you boys don't know your layer 7 DMZs from your elbows.
"Don't be silly"... what do you mean? We are learning here...
By the time you allow what you need for the thing to be a Domain Member from the DMZ, you hardly have any DMZ left; you've already allowed all the important stuff that the DMZ is trying to prevent in the first place.
From: United Kingdom
Sorry, you know I like a bit of fun.
Depends on your definition of DMZ; hence perimeter network is a better name. To me, you have trusted and untrusted perimeter networks, as they just represent different security zones for different services.
Domain members in a 'trusted perimeter' network are fine by me, assuming you protect this network with something that understands the application protocols involved and add host protection too. Being able to pre-auth connections and use web publishing with ISA is a good example of when a perimeter network becomes "more trusted"... YMMV and probably does.
In a pivot attack, if the attacker gets remote code execution on that server at an "adequate level", for example, it can easily ARP MITM your "domain traffic" (whatever "domain" means) without the perimeter in place, unless your switches are smart enough and configured appropriately or some other anti-ARP-MITM measures are in place. With the perimeter in place, it may need to use a double pivot attack to get where it wants to, and even so it may not get where it wants. As Jason said, YMMV...
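Added example, not part of the thread: spotting the ARP man-in-the-middle described above from a capture of ARP replies on the DMZ segment. The capture, the IP and MAC addresses and the static mapping are constructed for this example; in practice the records would come from a sniffer on a span port or from the switch's dynamic ARP inspection logs.

```python
"""
Added example, not from the thread: spotting an ARP man-in-the-middle from a capture
of ARP replies on the DMZ segment. The capture below is constructed; in practice the
records come from a sniffer on a span port or from the switch's dynamic ARP
inspection logs. All addresses are made up.
"""
from collections import defaultdict

# Constructed (timestamp, sender_ip, sender_mac) from ARP replies. The DMZ gateway
# 10.10.0.1 legitimately belongs to 00:11:22:33:44:01; 10.10.0.20 is a web server.
CAPTURE = [
    (0.0, "10.10.0.1", "00:11:22:33:44:01"),
    (0.5, "10.10.0.20", "00:11:22:33:44:20"),
    (1.0, "10.10.0.1", "00:11:22:33:44:01"),
    # The compromised web server starts answering for the gateway's IP.
    (2.0, "10.10.0.1", "00:11:22:33:44:20"),
    (2.5, "10.10.0.1", "00:11:22:33:44:20"),
    (3.0, "10.10.0.1", "00:11:22:33:44:20"),
]

# Static mapping for the hosts that matter most (gateway, DCs). Without it the
# first MAC seen is treated as legitimate, which fails if the attacker speaks first.
KNOWN = {"10.10.0.1": "00:11:22:33:44:01"}


def detect_arp_conflicts(records, known=None):
    """
    Return alerts (ip, expected_mac, rogue_mac, reply_count) for every IP that is
    claimed by a MAC other than the expected one. expected = known[ip] if given,
    otherwise the first MAC seen for that IP.
    """
    known = dict(known or {})
    seen = defaultdict(lambda: defaultdict(int))   # ip -> mac -> count
    first = {}
    for _, ip, mac in records:
        first.setdefault(ip, mac)
        seen[ip][mac] += 1
    alerts = []
    for ip, macs in seen.items():
        expected = known.get(ip, first[ip])
        for mac, count in macs.items():
            if mac != expected:
                alerts.append((ip, expected, mac, count))
    return sorted(alerts)


def macs_claiming_multiple_ips(records):
    """
    MACs that answer for more than one IP. A host poisoning the gateway entry keeps
    using its own IP as well, so its MAC shows up under both. Routers and hosts with
    several addresses do this legitimately, so treat it as corroboration, not proof.
    """
    ips = defaultdict(set)
    for _, ip, mac in records:
        ips[mac].add(ip)
    return {mac: s for mac, s in ips.items() if len(s) > 1}


if __name__ == "__main__":
    for ip, expected, rogue, n in detect_arp_conflicts(CAPTURE, KNOWN):
        print(f"ALERT {ip}: expected {expected}, {rogue} answered {n} times")
    for mac, ips in macs_claiming_multiple_ips(CAPTURE).items():
        print(f"{mac} claims {sorted(ips)}")
```

This is the host-side counterpart to the switch features the post mentions: the static mapping plays the role of the DHCP-snooping binding table that dynamic ARP inspection checks against, and the first-seen heuristic is what you fall back on without one.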