RE: [fw-wiz] NTLM authentication from DMZ

From: Frank Knobbe (fknobbe@knobbeits.com)
Date: 09/20/02


From: Frank Knobbe <fknobbe@knobbeits.com>
To: firewall-wizards@honor.icsalabs.com
Date: Fri Sep 20 14:42:01 2002


On Fri, 2002-09-20 at 01:56, Ben Nagy wrote:
> Well, according to the MS docs [1], you need to open the works to get
> the domain and trust thing to work. Note that the MSKB article also says
> that the OWA box needs to be in the same domain as the Exchange server
> [2](I can't believe that's true - can anyone confirm it doesn't work
> with trusts?).

I'm not 100% sure, but I think at one installation the OWA server was in
its own domain with a one-way trust to the internal domain. Most setups
I've seen were using the same domain though :(

> Are you saying that you can block nb-session and have everything still
> work?

Nope. You need to have NetBIOS (or Kerberos) enabled to the domain
controller, but not the whole network[1].

> If that's so we're much better off, but I'm not sure I see much
> benefit in this isolated DC in another segment; if not then there's just
> a trivial two step attack via nb-session as soon as a good enough
> password turns up. The only way to stop that would be to have a firewall
> that knew enough about MS NBT to stop file sharing but allow whatever
> else is supposed to run over tcp/139.

Basically true, and it doesn't help any with password harvesting. But it
is a second step which you may be able to detect much easier. For
example, on that DC you could deny login rights from the network. The
authentication from the OWA box is still passed through, but no one
would be able to login to the box through the network. I know, makes
maintenance a pita, but since you are not running anything on it besides
domain services...

> In theory I know that you
> shouldn't need nb-session at all, but I have distant memories of the
> solution barfing without it - it has, however, been a good few years
> since I was involved in one of these.

Hehe... yeah, NetBIOS sucks, doesn't it? :) This is actually where
Kerberos may come in handy (then again, there are flaws in Kerberos that
prevent certain design from implementation, such as the inability to NAT
MS-Kerberos...)

> I guess that's all out of date now anyway, since Exchange 2000 uses
> different ports altogether. I'm no Win2K guru, but SMB over TCP (port
> 445) is on the list of required ports for the 2K solution [3], and
> that's used for accessing SMB shares "without the extra layer of NBT"
> [4]. Presumably you'd need to be able to block that to get this thing to
> work securely with an Exchange 2000 box.

I'm sure Ex2000 will bring it's own set of problems. I don't have much
experience with it since I abandoned Microsoft all together... :)

Cheers,
Frank

[1] This is a footnote just for the heck of it. Seems that everyone is
using those now. :)






Relevant Pages

  • Re: Connection to a SAMBA Active Directory
    ... Keep in mind that you're trying to setup a NT4 style trust ... if you setup the Exchange as a resource forest model, ... domain and the Exchange server in another domain will work. ... I am able to define a 2 way Realm trust using the Active Directory ...
    (microsoft.public.exchange.connectivity)
  • RE: OWA Not working Page not Found
    ... you reset the Exchange OWA virtual directories on SBS: ... How to reset the default virtual directories that are required to provide ... Outlook Web Access, Exchange ActiveSync, and Outlook Mobile Access services ... your screen until you reach the Setup Type page of the IIS 6.0 Resource Kit ...
    (microsoft.public.windows.server.sbs)
  • Re: SBS2008 HTTP 400 Error
    ... Microsoft Certified Partner ... OWA not working Externally, but works fine internally... ... Exchange 2007 Server ...
    (microsoft.public.exchange.connectivity)
  • Re: Single user unable to access OWA
    ... He was able to access OWA ... The issue may be related to corrupt Exchange attribute, ... Export all mails in Mailbox as .PST file. ... Microsoft CSS Online Newsgroup Support ...
    (microsoft.public.backoffice.smallbiz)
  • SBS2008 HTTP 400 Error
    ... I also have the same error when trying to access my mailbox over the internet. ... OWA not working Externally, but works fine internally... ... Exchange 2007 Server ... Right click the OWA (Default Web Site) VD under the Outlook Web Access, ...
    (microsoft.public.exchange.connectivity)