RE: Use of L2TP in isolated W2K3 AD

afreyman_at_dsw.net
Date: 06/08/04

    To: puchta@cslab.felk.cvut.cz, focus-ms@securityfocus.com
    Date: Tue, 8 Jun 2004 14:43:40 -0700

    Are you saying that all your computers have public IP addresses and most of
    them are accessible from the internet?

    If so, this is bad, but assuming that you can do nothing about it, try to at
    least get a hardware firewall in front of your DCs. You can filter IP
    ranges, but that doesn't necessarily protect you from IP spoofing, or
    someone exploiting a vulnerable client.

    L2TP is an option, but firstly I'd suggest that you harden your servers as
    much as possible; also consider using Kerberos on the network, which may
    give you an additional layer of security. Try running some IDS/IDP software
    on the DCs, or at least something resembling a personal
    firewall... ZoneAlarm and BlackICE come to mind. Auditing is a must as
    well.

    Since you mentioned L2TP, that means you're probably going to run VPN on one
    of the Windows boxes. Maybe you can isolate that box in the DMZ and put
    everything else in a private LAN? Also, what services are the clients
    accessing on the servers? Just file and print?

    -----Original Message-----
    From: Milos Puchta [mailto:puchta@cslab.felk.cvut.cz]
    Sent: Monday, June 07, 2004 11:47 PM
    To: focus-ms@securityfocus.com
    Subject: Use of L2TP in isolated W2K3 AD

    1.
    Imagine a large network that is more or less open to the Internet.
    I mean that there is packet filtering for some ports, and one subnet
    is blocked from access from the Internet, but due to the routing
    between subnets all subnets are open....

    2.
     I can do nothing about changing the structure of the LAN :-(((
     except asking for direct access to selected computers to be blocked.
     (No private LAN with a private IP range, no blocking of routing,... :-(( ...)

    3.
    There are various services and operating systems on the LAN,
    including Windows, FreeBSD, Novell, SUN, VMS etc.

    4.
    I "develop" and maintain Active Directory (Windows 2003 Server and Windows
    XP Professional) in this structure. Windows XP clients should reach
    data on various systems (data and licenses on license servers).

    Because of security problems I am considering isolating the domain
    controllers behind an internal ISA firewall; Windows clients would then use
    the L2TP protocol, as if they were accessing the domain controllers and
    file servers from the Internet.
    Is this a solution in my case?

    Thanks for your opinion and qualified guess.

    Regards,
    Milos
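The reply above recommends a firewall in front of the DCs that filters by source IP range, L2TP/IPsec for the clients, and auditing. The following is an added example, not code from either poster, showing what that host-level policy looks like on a current Windows Server with the NetSecurity module (the 2004 environment in the thread had Windows Server 2003 and ISA Server, where the equivalent would be netsh/IPsec policy). The client subnets 192.0.2.0/24 and 198.51.100.0/24, the $IsVpnServer switch, and the choice to put L2TP on a separate host are all assumptions for illustration; the RPC dynamic range 49152-65535 is the Vista/2008+ default (Server 2003 used 1025-5000).

```powershell
# Added example (not from the list post): restrict inbound traffic to a domain
# controller so that AD service ports accept connections only from the client
# subnets, open L2TP/IPsec only on the VPN host, and enable logon auditing.
# Assumptions (hypothetical values): client subnets 192.0.2.0/24 and
# 198.51.100.0/24; the VPN box is a separate server, so set $IsVpnServer
# to $true only there. Requires the NetSecurity module (Server 2012+); run elevated.

$ClientSubnets = @('192.0.2.0/24', '198.51.100.0/24')   # assumption
$IsVpnServer   = $false                                 # $true on the L2TP/IPsec box

# Default-deny inbound on every profile; the explicit rules below open what is needed.
Set-NetFirewallProfile -Profile Domain,Private,Public `
    -DefaultInboundAction Block -DefaultOutboundAction Allow

# Ports a domain-joined client needs on a DC: DNS, Kerberos, RPC endpoint mapper,
# LDAP/LDAPS, SMB, kpasswd, global catalog, and the RPC dynamic range.
$DcTcpPorts = @('53','88','135','139','389','445','464','636','3268','3269','49152-65535')
$DcUdpPorts = @('53','88','123','137','138','389','464')

New-NetFirewallRule -DisplayName 'AD DS inbound (TCP) from client subnets' `
    -Direction Inbound -Protocol TCP -LocalPort $DcTcpPorts `
    -RemoteAddress $ClientSubnets -Action Allow -Profile Any

New-NetFirewallRule -DisplayName 'AD DS inbound (UDP) from client subnets' `
    -Direction Inbound -Protocol UDP -LocalPort $DcUdpPorts `
    -RemoteAddress $ClientSubnets -Action Allow -Profile Any

if ($IsVpnServer) {
    # L2TP/IPsec needs IKE (UDP 500), NAT-T (UDP 4500) and ESP (IP protocol 50).
    # UDP 1701 is the L2TP control/data channel; it is expected to arrive only
    # after ESP decapsulation, so the IPsec requirement in RRAS is what protects it.
    New-NetFirewallRule -DisplayName 'IKE'   -Direction Inbound -Protocol UDP -LocalPort 500  -Action Allow
    New-NetFirewallRule -DisplayName 'NAT-T' -Direction Inbound -Protocol UDP -LocalPort 4500 -Action Allow
    New-NetFirewallRule -DisplayName 'ESP'   -Direction Inbound -Protocol 50 -Action Allow
    New-NetFirewallRule -DisplayName 'L2TP'  -Direction Inbound -Protocol UDP -LocalPort 1701 -Action Allow
}

# Auditing, as the reply recommends: record successful and failed logons and
# credential validation (Kerberos AS requests and NTLM) on the DC.
auditpol /set /subcategory:"Logon" /success:enable /failure:enable
auditpol /set /subcategory:"Kerberos Authentication Service" /success:enable /failure:enable
auditpol /set /subcategory:"Credential Validation" /success:enable /failure:enable

# Check: list every enabled inbound rule with its protocol and ports so that
# nothing beyond the rules above is left open.
Get-NetFirewallRule -Direction Inbound -Enabled True |
    Get-NetFirewallPortFilter |
    Select-Object -Property Protocol, LocalPort
```

The -RemoteAddress filter implements the "filter IP ranges" advice and carries the caveat the reply already gives: a spoofed source address or a compromised machine inside the allowed subnet passes it, which is why the post still points at L2TP/IPsec and auditing rather than address filtering alone. On a DC that should be reachable only through the VPN, the two "AD DS inbound" rules would be narrowed to the VPN host's address or its client pool instead of the LAN subnets.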


