Should a webserver in the DMZ be allowed to access MSSQL in the LAN?

Solution 1:

Proper network security states that DMZ servers shouldn't have any access into the 'Trusted' network. The Trusted network can get to the DMZ, but not the other way around. For DB-backed web servers like yours this can be a problem, which is why database servers end up in DMZs. Just because it is in a DMZ doesn't mean it HAS to have public access; your external firewall can still prevent all access to it. However, the DB server itself doesn't have access to inside the network.

For MSSQL servers, you probably need a 2nd DMZ due to the need to talk to AD DCs as part of its normal functioning (unless you're using SQL accounts rather than domain-integrated, at which point this is moot). That second DMZ would be home to Windows servers that need public access of some kind, even if it is proxied through a web server first. Network Security people get squinty when they consider domained machines experiencing public access getting access to DCs, which can be a hard sell. However, Microsoft doesn't leave much choice in this matter.

Solution 2:

I'm with your networking guys, in theory. Any other arrangement means that when somebody compromises the web server they have a door into your LAN.

Of course, reality has to play a part - if you need live data accessible from both the DMZ and the LAN then you really have few options. I'd probably suggest that a good compromise would be a "dirty" internal subnet that servers like the MSSQL server could live in. That subnet would be accessible from both the DMZ and the LAN but firewalled off from being able to initiate connections to either the LAN or the DMZ.
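The zone design from both answers (DMZ may only reach the DB subnet on the SQL port, the DB subnet may initiate nothing, the LAN may reach both), plus the hole a domain-joined MSSQL server forces you to open towards the DCs, expressed as a small policy model. This is an added example, not code from either answer; the subnets, ports and the representative DC port list are constructed assumptions.

```python
"""Model of 'who may initiate connections to whom' across DMZ / DB / LAN.

A stateful firewall is assumed: reply packets of an allowed connection are
always passed, so the policy only has to decide which zone may INITIATE.
All addresses and ports below are constructed for illustration.
"""
from ipaddress import ip_address, ip_network

# Constructed addressing: one subnet per zone behind the firewall.
ZONES = {
    "DMZ": ip_network("192.0.2.0/24"),     # public-facing web servers
    "DB":  ip_network("198.51.100.0/24"),  # the "dirty" internal subnet for MSSQL
    "LAN": ip_network("10.0.0.0/8"),       # trusted network, including the AD DCs
}

MSSQL_PORT = 1433

# Allowed initiations per (source zone, destination zone). Anything absent is denied:
# DMZ -> LAN is never listed, and DB appears as a destination only.
ALLOW = {
    ("LAN", "DMZ"): {443, 22},      # admins manage the web tier from inside
    ("LAN", "DB"):  {MSSQL_PORT},   # internal apps and DBAs reach the database
    ("DMZ", "DB"):  {MSSQL_PORT},   # web server talks SQL, nothing else
}


def zone_of(addr: str) -> str:
    """Map an address to its zone; unknown addresses are a policy error, not a zone."""
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    raise ValueError(f"{addr} is not in any known zone")


def may_initiate(src: str, dst: str, dport: int, allow=ALLOW) -> bool:
    """True if a NEW connection src -> dst:dport is permitted by the policy."""
    key = (zone_of(src), zone_of(dst))
    return dport in allow.get(key, set())


def with_domain_joined_mssql(allow=ALLOW, dc_ports=frozenset({53, 88, 135, 389, 445})):
    """Policy variant for a domain-joined MSSQL server (assumed representative DC
    ports: DNS, Kerberos, RPC endpoint mapper, LDAP, SMB). It adds the one
    DB -> LAN rule the design tried to avoid; SQL-account auth makes it unnecessary."""
    extended = dict(allow)
    extended[("DB", "LAN")] = set(dc_ports)
    return extended
```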