Re: Webserver on a DMZ still needed?



If the Exchange server participates with the internal domain, you will
need to make Swiss cheese of your firewall filters.

If you do not have the means to use a FE/BE (front-end / back-end)
scenario, then (via best-practices) the Exchange server should be
hosted within the Internal LAN.

On 9/5/06, Peter Marshall <Peter.Marshall@xxxxxxxx> wrote:
It is still recommended to have your exchange box (and any other outward
accessible services) hosted in a DMZ to prevent access to the internal
segment if they are compromised. If you do put the exchange box in the
DMZ, however, you need to open up a bunch of ports to allow the exchange
box to query the global catalog, perform authentication, etc. which, to
a certain degree, removes the safety added by having it in the DMZ in
the first place. MS recommends using front end/back end exchange
servers coupled with an ISA server to do it by the book but this is
expensive and complicated for a small/mid sized organization. Many
small/mids simply place the exchange server on the inside and only open
up tcp 25 (SMTP) and TCP 443 (HTTPS for OWA) to that box.

In your instance, since the exchange box is also a DC, I would not
recommend putting it into the DMZ. Technically, you should split those
roles for performance and security but again, budget is sometimes more
important than doing everything by the book.


Cheers,

-----Original Message-----
From: Davie Elliott - Eluse [mailto:delliott@xxxxxxxxxxx]
Sent: Sunday, September 03, 2006 7:43 AM
To: security-basics@xxxxxxxxxxxxxxxxx
Subject: Webserver on a DMZ still needed?

Hi all,

I have been working as a systems admin for a charity for about 3 years,
I have no schooling in network I have learnt everything myself. During
my research I read that servers with public services should be put on a
separate subnet which is used as a DMZ (such as POP3, SMTP, webserver
ect).

Recently I have left that charity and a network company is taking over
the administration, and they want to put the Exchange (email) server on
the trusted network subnet (the network has a smoothwall firewall, so
there are literally 2 separate networks). My question is this: does the
Exchange server definatly, need to be put in the DMZ? Or should
Microsoft have patched all the vulnerabilities by now? There isn't any
other software on the server, such as forums which I see have
vulnerabilities found just about ever day.

Secondly, if the Exchange server is on the DMZ subnet, how do you get it
to interact securely with the Domain Controller on the secure subnet?
When I built the network, I made the Exchange server its own Domain
Controller.

Thanks for your advice,

Davie Elliott



------------------------------------------------------------------------
---
This list is sponsored by: Norwich University

EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE The NSA has
designated Norwich University a center of Academic Excellence in
Information Security. Our program offers unparalleled Infosec management
education and the case study affords you unmatched consulting
experience.
Using interactive e-Learning technology, you can earn this esteemed
degree, without disrupting your career or home life.

http://www.msia.norwich.edu/secfocus
------------------------------------------------------------------------
---


---------------------------------------------------------------------------
This list is sponsored by: Norwich University

EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The NSA has designated Norwich University a center of Academic Excellence
in Information Security. Our program offers unparalleled Infosec management
education and the case study affords you unmatched consulting experience.
Using interactive e-Learning technology, you can earn this esteemed degree,
without disrupting your career or home life.

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------




--
ME2

---------------------------------------------------------------------------
This list is sponsored by: Norwich University

EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The NSA has designated Norwich University a center of Academic Excellence in Information Security. Our program offers unparalleled Infosec management education and the case study affords you unmatched consulting experience. Using interactive e-Learning technology, you can earn this esteemed degree, without disrupting your career or home life.

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------



Relevant Pages

  • Re: OK, Im sold on SBS2003 now
    ... >>> talking about a real DMZ with a different network. ... A web server belongs in the DMZ, not in the LAN. ... > An Exchange server, for a single server, works very nicely in the DMZ ...
    (microsoft.public.windows.server.sbs)
  • RE: [fw-wiz] NTLM authentication from DMZ
    ... The key threat is that someone will hack your IIS box and then sit on it ... gathering valid password pairs for the LAN domain, ... but believe me when I say that once someone has control over the DMZ box ... > place to put a company's Exchange server. ...
    (Firewall-Wizards)
  • Re: More DMZ
    ... Without buying a new exchange server I don't think there is ... you somehow sychronise the DMZ Exchange with another one in the LAN? ... I am about to use the DMZ port on the firewall to add a ... LAN, i.e. not being routed through the DMZ port. ...
    (microsoft.public.windows.server.sbs)
  • Re: [fw-wiz] NTLM authentication from DMZ
    ... Exchange server is part of the normal company domain, ... have one authentication database to deal with. ... Place the exchange server in the DMZ, but that would require a whole ... Place it on the LAN, but that would require opening ports from the ...
    (Firewall-Wizards)
  • Re: Setting TCP/IP Ports for Exchange 2003 and Outlook Client Connections Through a Firewall
    ... DMZ is supposed to have very ... I want one MAPI client ... > Then I opened for the port 135 and now it points to the exchange server, ...
    (microsoft.public.exchange.admin)