Re: Webserver on a DMZ still needed?



Davie Elliott - Eluse <delliott@xxxxxxxxxxx> said (on 2006/09/03):

...
built the network, I made the Exchange server its own Domain Controller.

I'm not an expert in Exchange, but VPNs can do wonders for making
"internal" applications accessible to the world in a reasonably secure way.

From a security standpoint, I would argue strongly against domain
controllers being available to public network traffic (and attack). Not
to disregard the internal threat -- which is just as serious -- but the
DC is literally the keys to your kingdom. A compromise of the DC would
(theoretically) give the attacker the ability to recover ALL user
passwords and computer passwords in that domain. In my experience,
forcing all users to change their password and resetting all the computer
accounts because of an Exchange server compromise wouldn't be practical
or acceptable. (Exchange isn't special -- the same consideration would
be given to any application.)

Kerberos requires all possible effort be made to secure a single entity
(the DC in Windows) so that less trust is required in other entities
(user and computer accounts). Less trust means less risk, which means less
effort is necessary to secure those non-DC entities. I guess one could
say risk is concentrated at a single point instead of being distributed.
And you probably don't want that single point of high risk being on the
"external" network.
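The argument above (an application port opened on a host that is also a DC exposes the DC itself, and the reset scope after a DC compromise is every account in the domain) can be turned into a simple policy check. This is an added example written for this thread, not code from the list post; the host inventory, firewall rules and account list are constructed, and the "dc"/"exchange" role names are assumptions.

```python
"""Flag domain controllers reachable from untrusted zones and size the reset scope."""
from dataclasses import dataclass, field


@dataclass
class Host:
    name: str
    zone: str                     # "internal", "dmz" or "external"
    domain: str
    roles: set = field(default_factory=set)


@dataclass
class Rule:                       # one firewall allow rule
    src_zone: str
    dst_host: str
    dst_port: int


def exposed_dcs(hosts, rules, untrusted=("external",)):
    """Return {dc_host: sorted ports} for every host holding the DC role that an
    untrusted zone may reach on ANY port (OWA or SMTP on a DC still lands on the DC)."""
    by_name = {h.name: h for h in hosts}
    found = {}
    for r in rules:
        h = by_name.get(r.dst_host)
        if h is not None and "dc" in h.roles and r.src_zone in untrusted:
            found.setdefault(h.name, set()).add(r.dst_port)
    return {name: sorted(ports) for name, ports in found.items()}


def audit(hosts, rules, accounts, untrusted=("external",)):
    """For each exposed DC, report the domain and how many user and computer
    accounts would need a credential reset if that host were compromised."""
    by_name = {h.name: h for h in hosts}
    report = []
    for name, ports in exposed_dcs(hosts, rules, untrusted).items():
        domain = by_name[name].domain
        report.append({"host": name, "ports": ports, "domain": domain,
                       "accounts_to_reset": len(accounts.get(domain, []))})
    return report


# Constructed inventory: an Exchange server that was also made a DC sits in
# the DMZ with mail ports open to the Internet; a separate internal-only DC.
HOSTS = [Host("ex1", "dmz", "corp", {"exchange", "dc"}),
         Host("dc1", "internal", "corp", {"dc"}),
         Host("web1", "dmz", "corp", {"web"})]
RULES = [Rule("external", "ex1", 443), Rule("external", "ex1", 25),
         Rule("external", "web1", 80), Rule("internal", "dc1", 389)]
ACCOUNTS = {"corp": ["alice", "bob", "carol", "WS01$", "EX1$"]}

if __name__ == "__main__":
    for finding in audit(HOSTS, RULES, ACCOUNTS):
        print(finding)
```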
