Subdomain security

From: Scott Mulcahy (scottcm-secfocus_at_hotmail.com)
Date: 12/17/04

    To: focus-ms@securityfocus.com
    Date: Thu, 16 Dec 2004 23:54:01 +0000
    
    

    >a. Which ports should be opened by the firewall in order for the
    subdomain to function well but be the most secure? Any references?

    Take a look at Windows Server 2003 Security guide. It contains an IPSec
    filter for domain controllers that details the ports and protocols. There's
    also this article
    http://www.microsoft.com/serviceproviders/columns/config_ipsec_P63623.asp
    titled "Active Directory Replication over Firewalls". The article discusses
    the options, including how to restrict RPC port ranges so you can avoid
    opening everything > 1024.

    Microsoft's "Threats and Countermeasures" might also have some information.

    >b. Does an admin (a member of the Enterprise Admin group) from the
    root-domain have access to my subdomain? Can I prevent it at all?

    I'm fairly certain that an enterprise admin can get admin privs anywhere in
    the forest.
