RE: [fw-wiz] NTLM authentication from DMZ

From: Frank Knobbe (
Date: 09/19/02

From: Frank Knobbe <>
To: Ben Nagy <>
Date: Thu Sep 19 17:16:01 2002

On Thu, 2002-09-19 at 02:13, Ben Nagy wrote:
> The key threat is that someone will hack your IIS box and then sit on it
> gathering valid password pairs for the LAN domain, and then just access
> C$ on whatever box they like as soon as anyone in the Domain Admins
> group checks their mail. We could argue about countermeasures to that,
> but believe me when I say that once someone has control over the DMZ box
> then you're in some pretty major schtuck unless you have an extremely
> smart IDS or Tingling Spider Senses.

Doesn't have to be that way. The OutlookWebAccess box only needs to have
access to the Exchange server and domain controllers. You could use a DC
in a third DMZ segment and only allow the OWA box to validate accounts
against it. That box in turn can talk to internal DC's. That way you
limit access from the OWA box to internal DC's. Yeah, doesn't prevent
password cracking, but it is still much harder to poke through to the

RPC (and the two 'fixed' Exchange services) only need to be available to
the Exchange server not the whole network.

So the statement 'then just access C$ on whatever box they like' is only
valid if you drop the ball in the firewall config. Neatly tightened,
there is no c$ access.

I agree with the rest, such as:
> Note that I always recommend that Exchange boxen not talk SMTP to the
> outside world - setting up a secure mail relay in the DMZ is cheap, easy
> and can provide some good first-pass filtering / screening capabilities.


Relevant Pages

  • Re: Ex2K3 access through firewall
    ... Ex2K3 running on W2K3 sitting on the DMZ'. ... there must be a list of ports that are required to be open to allow this. ... if the client uses OWA as a workaround for the ... but your Exchange server does not belong in a DMZ. ...
  • Re: OWA on different server than Exchange 2003
    ... >OWA is working ... ... >the internal Exchange server. ... >my mail server if I use http ... ... It is a good idea not to put the FE in the DMZ. ...
  • Re: CA, SSL and OWA
    ... Sorry what I meant to say was put the Exchange Server outside the DMZ this ... > Always use SSL for internet connected OWA. ... > network, for OWA, would require only port 443? ...
  • Re: Exchange + Entourage
    ... But the main problem remains the LDAP related 3268 port. ... And yes I believe if OWA works fine then Entourage ... >> I'd like the Exchange server to be accessible over the Internet, ... >> client is in US and the server is in Europe. ...
  • Re: Handeling Multiple SMTP Email Messages via one Exchange Mailbo
    ... I realize I failed to define my OWA thought properly. ... someone needs to be at the client and open it up, ... clients profile are local to that machine, ... when a user connects to the Exchange server ...