Subdomain security

From: Scott Mulcahy (scottcm-secfocus_at_hotmail.com)
Date: 12/17/04

    To: focus-ms@securityfocus.com
    Date: Thu, 16 Dec 2004 23:54:01 +0000
    
    

    >a. Which ports should be opened by the firewall in order for the
    >subdomain to function well but be the most secure? Any references?

    Take a look at the Windows Server 2003 Security Guide. It contains an IPSec
    filter for domain controllers that details the ports and protocols. There's
    also this article
    http://www.microsoft.com/serviceproviders/columns/config_ipsec_P63623.asp
    titled "Active Directory Replication over Firewalls". The article discusses
    the options, including how to restrict RPC port ranges so you can avoid
    opening everything > 1024.

    Microsoft's "Threats and Countermeasures" might also have some information.

    >b. Does an admin (a member of the Enterprise Admin group) from the
    >root-domain have access to my subdomain? Can I prevent it at all?

    I'm fairly certain that an enterprise admin can get admin privs anywhere in
    the forest.
