Re: unable to join domain from DMZ

From: Charles Otstot (charles.otstot_at_ncmail.net)
Date: 08/26/04

Date: Thu, 26 Aug 2004 09:35:46 -0400
To: security-basics@securityfocus.com


    Erich D. Heintz wrote:

    >>>> I think the point of using an LMHOSTS file in this case over WINS is that
    >>>> the system at issue is in a DMZ.
    >>>>
    >>>> There's been nothing stated as to whether or not WINS exists in the LAN
    >>>> segment and it's really not relevant unless you plan to open conduits to
    >>>> allow WINS to work between the DMZ and the LAN.
    >>>>
    >>>> An LMHOSTS entry is the best option here, IMHO, since it provides the
    >>>> minimum amount of information needed by the DMZ system to be functional.
    >>>> Putting a WINS server in the DMZ or allowing WINS traffic to traverse
    >>>> between the LAN and the DMZ simply makes more information about the LAN
    >>>> available to the DMZ than is needed.
    <snip to end>

    At this point, we really don't have enough information to determine whether
    LMHOSTS *is* the way to go (as you noted, no information has been given
    regarding the status of WINS on the LAN, although it would be highly unlikely
    that an NT 4.0 domain of any size would function reasonably without it). At
    first glance, it appears that an LMHOSTS file may be the best way; however,
    there are a number of other factors that could affect the appropriateness of
    such a decision. How many internal hosts require communication with this
    server? What do they do (e.g. monitoring hosts, SUS or SMS servers, etc.)?
    Are there any plans afoot that may alter the IP addresses of a significant
    number of those hosts? How many domains does the server need to communicate
    with? Are there any functions resident on this host that require the ability
    to validate against more than its parent domain (hopefully not, but it is
    possible)?

    *Assuming* only domain validation is required and further assuming that
    there are only a limited number of domain controllers with which the DMZ host
    needs to communicate, then LMHOSTS is likely the proper solution. Otherwise,
    the benefits of limited communication may outweigh the costs (e.g. extra
    monitoring hosts, additional administrative time requirements, etc.) of
    either installing WINS or opening the firewall to WINS traffic. Maintaining
    LMHOSTS in a large, fluid environment can be cumbersome and easily lead to
    easily mis-diagnosed communication problems (it's easy to forget that a given
    host uses LMHOSTS rather than WINS and look elsewhere for the source) if
    (more often *when*) a required host moves between segments and requires a
    new IP address.

    Based on what has been posted, only the original poster has enough
    information to adequately analyze the options available.

    At this point I wouldn't be comfortable recommending either WINS or LMHOSTS
    as the *right* solution. I will offer a link that may be helpful. In the
    event the original poster decides to go with LMHOSTS, here is a link to
    Microsoft's KB article for creating an LMHOSTS file for Domain Validation:

    http://support.microsoft.com/default.aspx?scid=kb;EN-US;180094

    Charlie
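The kind of LMHOSTS file the linked KB article describes (entries for the small, fixed set of domain controllers the DMZ host must validate against, plus the domain master browser entry), as an added example that is not part of the original thread or of any Microsoft documentation: the script below builds such a file and lints an existing one. The domain name, controller names and 10.0.1.x addresses are constructed placeholders. The padding check for the quoted `\0x1b` entry and the `#DOM`-without-`#PRE` warning follow the documented LMHOSTS syntax (15-character NetBIOS names, one-byte suffix, `#PRE` for preloading); everything else is this example's own choice.

```python
"""Build and lint an LMHOSTS file that lets a DMZ member server validate
against its NT domain using only the domain controllers it actually needs.
Constructed example: the domain, host names and addresses are placeholders."""
import ipaddress
import re

NETBIOS_NAME_MAX = 15            # a NetBIOS name is 15 characters plus a 1-byte suffix
MASTER_BROWSER_SUFFIX = "\\0x1b"  # the literal text \0x1b as written in LMHOSTS
SUFFIX_RE = re.compile(r"\\0x[0-9a-fA-F]{2}$")


def netbios_name(name):
    """Validate a NetBIOS host or domain name and return it upper-cased."""
    if not 1 <= len(name) <= NETBIOS_NAME_MAX:
        raise ValueError(f"{name!r}: NetBIOS names are 1-{NETBIOS_NAME_MAX} characters")
    if re.search(r'[\s\\/:*?"<>|]', name):
        raise ValueError(f"{name!r}: character not allowed in a NetBIOS name")
    return name.upper()


def dc_entry(ip, dc, domain):
    """'<ip> <dc> #PRE #DOM:<domain>': preloaded into the name cache, and the
    host is associated with <domain> for logon (the domain's 1C group)."""
    ipaddress.IPv4Address(ip)    # raises ValueError on a malformed address
    return f"{ip:<16}{netbios_name(dc):<16}#PRE #DOM:{netbios_name(domain)}"


def master_browser_entry(ip, domain):
    """The domain master browser (1B) entry. Inside the quotes the domain name
    must be space-padded to exactly 15 characters before the \\0x1b suffix; a
    mis-padded entry loads without complaint but never matches a lookup."""
    ipaddress.IPv4Address(ip)
    padded = netbios_name(domain).ljust(NETBIOS_NAME_MAX)
    return f'{ip:<16}"{padded}{MASTER_BROWSER_SUFFIX}" #PRE'


def build_lmhosts(domain, controllers, pdc_ip):
    """controllers: list of (ip, name) for the DCs the DMZ host is allowed to
    reach through the firewall; pdc_ip: the PDC, which holds the master
    browser role. Returns the file text."""
    lines = ["# LMHOSTS for a DMZ member server: domain validation entries only",
             "# (constructed example; replace the addresses and names)"]
    lines += [dc_entry(ip, name, domain) for ip, name in controllers]
    lines.append(master_browser_entry(pdc_ip, domain))
    return "\n".join(lines) + "\n"


ENTRY_RE = re.compile(r'^(\S+)\s+("[^"]*"|\S+)(.*)$')


def lint_lmhosts(text):
    """Return a list of 'line N: problem' strings; an empty list means clean.
    Lines starting with '#' (comments and #INCLUDE-style directives) are skipped."""
    problems = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = ENTRY_RE.match(line)
        if not m:
            problems.append(f"line {n}: not an '<ip> <name> [keywords]' entry")
            continue
        ip, name, rest = m.groups()
        try:
            ipaddress.IPv4Address(ip)
        except ValueError:
            problems.append(f"line {n}: {ip!r} is not an IPv4 address")
        if name.startswith('"'):                  # quoted form: name plus hex suffix
            body = name[1:-1]
            suffix = SUFFIX_RE.search(body)
            base = body[:suffix.start()] if suffix else body
            if suffix and len(base) != NETBIOS_NAME_MAX:
                problems.append(f"line {n}: 1B entry name is {len(base)} characters; "
                                f"pad it to exactly {NETBIOS_NAME_MAX}")
            elif not suffix and len(base) > NETBIOS_NAME_MAX:
                problems.append(f"line {n}: quoted name longer than {NETBIOS_NAME_MAX}")
        else:
            try:
                netbios_name(name)
            except ValueError as err:
                problems.append(f"line {n}: {err}")
        keywords = set()
        for tok in rest.split():
            up = tok.upper()
            if up == "#PRE" or up.startswith("#DOM:"):
                keywords.add(up.split(":")[0])
            elif tok.startswith("#"):
                break                              # anything else after '#' is a comment
            else:
                problems.append(f"line {n}: unexpected token {tok!r}")
        if "#DOM" in keywords and "#PRE" not in keywords:
            problems.append(f"line {n}: #DOM entry without #PRE; it is not preloaded "
                            "into the name cache and is only parsed after other "
                            "resolution methods fail")
    return problems


if __name__ == "__main__":
    doc = build_lmhosts("CORP", [("10.0.1.10", "DC1"), ("10.0.1.11", "DC2")], "10.0.1.10")
    print(doc)
    print("problems:", lint_lmhosts(doc))
```

Running the script prints a three-entry file for the placeholder domain and an empty problem list; pointing `lint_lmhosts` at a hand-edited file catches the two mistakes that most often make a DMZ host "mysteriously" fail validation: a master browser entry whose quoted name is not padded to 15 characters, and a `#DOM` line that was never marked `#PRE`. The linter is deliberately strict about the address column, since a stale address after a host moves segments is exactly the failure Charlie warns about.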


