IIS 5.0 IN A DOMAIN?
From: lufkas (lufkas_at_hotmail.com)
Date: 07/18/01
- Previous message: o1o: "RE: NT "net use" Malfunctions"
- Next in thread: Anup Singh: "RE: IIS 5.0 IN A DOMAIN?"
- Reply: Anup Singh: "RE: IIS 5.0 IN A DOMAIN?"
- Reply: Pidgorny, Slav: "RE: IIS 5.0 IN A DOMAIN?"
- Messages sorted by: [ Date ] [ Thread ] [ Subject ] [ Author ] [ Attachment ]
> Hello all,
>
> I am contacting this list, because of the focus on security more than
> anything else, and that is my priority.
>
> I enclose a simple gif image that I think may be the best way of achieving
> my client's goal, but I wanted to sound it off you guys first. I want to
> achieve this goal in the *most secure manner possible*.
> I know that this situation is not ideal from a security perspective, but the
> client is willing to make the sacrifice of some security in order for
> convenience and functionality. For any or each proposed solution, can anyone
> with good background knowledge of this make a comment on the best way to do
> this securely and if the methodology is sound.
>
> Here are the client goals:
>
> 1> Have two or more IIS and MS-SQL boxes that can all authenticate user
> logons to a web application via the same accounts database. The database of
> users should be interoperable with another Win2K domain.
>
> PROPOSAL:
> HAVE THE IIS AND SQL BOXES JOIN A SPECIAL DOMAIN DESIGNED JUST FOR THESE
> MACHINES (WIN2KDOMAIN2).
>
> QUESTIONS:
> A> IS THIS THE BEST WAY TO DO THIS?
> B> WHAT IS THE MINIMUM PORT OPENINGS BETWEEN THE IIS AND SQL BOXES TO THE
> WIN2KDOMAIN2 DOMAIN CONTROLLER(S) NEEDED TO SUPPORT THIS?
> C> IS THERE A METHOD OF PREVENTING A LIST OF ACCOUNTS BEING BROUGHT UP ON
> THESE DOMAIN MEMBERS SHOULD THE BOX EVER BE COMPROMISED? CAN THIS BE DONE BY
> USING SPECIALIZED ACTIVE DIRECTORY ORGANIZATIONAL UNITS?
> D> CAN ANYONE RECOMMEND A HOST BASED FIREWALL / IDS SYSTEM FOR THE DOMAIN
> CONTROLLERS AND SQL BOXES THAT WOULD SLOW DOWN AN ATTACKER THAT HAD
> COMPROMISED ONE OF THE IIS BOXES, AND ALSO NOTIFY ADMINS OF A POTENTIAL
> PROBLEM.
>
> 2> The client has an INTERNAL Win2K ADS domain already set up, and they want
> their internal users to be able to authenticate on the IIS machines (IISbox1
> and IISbox2) that are members of this other domain. The client wants this
> relationship to allow purely for authentication (nothing fancy). They do not
> want a member of WIN2KDOMAIN2 to be able to bring up an accounts list for
> WIN2KDOMAIN1, and want as little information about the internal domain to be
> enumerated as possible from WIN2KDOMAIN2.
>
> PROPOSAL:
> CONFIGURE A TWO WAY KERBEROS TRUST BETWEEN THE DOMAINS. POKE A HOLE IN THE
> FIREWALL ON TCP AND UDP PORTS 88 TO ALL FOR KERBEROS TRAFFIC FLOWING TO
> WIN2KDOMAIN1.
>
> QUESTIONS:
> A> ARE THESE PORT OPENINGS ENOUGH TO SUPPORT THIS TRUST RELATIONSHIP?
> B> IS IT POSSIBLE TO CUT OFF ACCOUNT ENUMERATION AND OTHER INTERNAL DOMAIN
> INFORMATION IN ANY WAY?
> C> AGAIN, CAN ANYONE SUGGEST A BETTER METHOD FOR ACHIEVING THIS WITHIN A
> NATIVE WIN2K ENVIRONMENT?
>
>
> Thanks so much for your time!
>
> Regards
>
> Lufkas
>
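As an added example (not part of the original post or of any reply in this thread), here is a small Python checker that compares a proposed firewall rule set between the IIS/SQL member boxes and the WIN2KDOMAIN2 domain controller against the commonly documented set of services a Windows 2000 domain member must reach on its DC, reporting both the services a rule set fails to allow and the rules that open more than membership needs. The host names `dc-win2kdomain2` and `SQLbox1`, the rule format, and the service table are assumptions made for this example; the post itself names only port 88.

```python
"""Least-privilege check of member-to-DC firewall rules for a Win2K domain.

Added example for the thread above, not code from the original post.
The service table is the commonly documented Win2K member-to-DC set and is
an assumption for this example. RPC additionally uses a dynamic high-port
range, which a real deployment has to restrict or tunnel; this toy checker
does not model that range.
"""
from dataclasses import dataclass

# Assumed reference table: (protocol, destination port) -> service.
REQUIRED_MEMBER_TO_DC = {
    ("tcp", 88): "Kerberos",
    ("udp", 88): "Kerberos",
    ("tcp", 389): "LDAP",
    ("udp", 389): "LDAP (CLDAP DC locator pings)",
    ("tcp", 53): "DNS",
    ("udp", 53): "DNS",
    ("tcp", 445): "SMB (SYSVOL/NETLOGON, group policy)",
    ("tcp", 135): "RPC endpoint mapper",
    ("udp", 123): "NTP (Kerberos clock skew)",
    ("tcp", 3268): "Global Catalog LDAP",
}


@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    proto: str  # "tcp", "udp" or "any"
    port: int   # destination port; 0 means any port


def check_policy(rules, members, dc):
    """Return (missing, excess).

    missing: member -> list of required services no rule allows to the DC
    excess:  rules toward the DC that open something outside the table
    """
    allowed = {m: set() for m in members}
    excess = []
    for r in rules:
        if r.dst != dc or r.src not in allowed:
            continue  # not a member-to-DC rule; out of scope here
        proto = r.proto.lower()
        if r.port == 0:
            # "Any port" rules satisfy every requirement for that protocol
            # but are exactly the over-broad opening we want flagged.
            allowed[r.src].update(
                k for k in REQUIRED_MEMBER_TO_DC if proto in ("any", k[0]))
            excess.append(r)
            continue
        key = (proto, r.port)
        if key in REQUIRED_MEMBER_TO_DC:
            allowed[r.src].add(key)
        else:
            excess.append(r)
    missing = {}
    for m in members:
        gaps = sorted(set(REQUIRED_MEMBER_TO_DC) - allowed[m])
        if gaps:
            missing[m] = [f"{p}/{n} {REQUIRED_MEMBER_TO_DC[(p, n)]}"
                          for p, n in gaps]
    return missing, excess


def least_privilege_rules(members, dc):
    """Generate the minimal rule set: exactly the table, nothing more."""
    return [Rule(m, dc, p, n) for m in members for (p, n) in REQUIRED_MEMBER_TO_DC]


# Constructed hosts for the scenario; DC name is a placeholder.
DC = "dc-win2kdomain2"
MEMBERS = ["IISbox1", "IISbox2", "SQLbox1"]

# Rule set as proposed in the post: only Kerberos (tcp/udp 88).
PROPOSED_RULES = [Rule(m, DC, proto, 88)
                  for m in MEMBERS for proto in ("tcp", "udp")]

# Hardened set plus one over-broad rule (Terminal Services to the DC)
# that the checker should report as excess.
HARDENED_RULES = least_privilege_rules(MEMBERS, DC) + [
    Rule("IISbox2", DC, "tcp", 3389)]


if __name__ == "__main__":
    for label, rules in (("proposed", PROPOSED_RULES), ("hardened", HARDENED_RULES)):
        missing, excess = check_policy(rules, MEMBERS, DC)
        print(f"[{label}] missing per member: {missing}")
        print(f"[{label}] excess rules: {excess}")
```

Running the script shows that the port-88-only proposal leaves every member short of the other eight services in the table, while the generated least-privilege set has no gaps and only the deliberately added 3389 rule is reported as excess.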