Re: Gurus: server on perimeter vs. corporate advice

From: Marlon Brown (nospamarlon_at_hotmail.com)
Date: 08/16/05


Date: Tue, 16 Aug 2005 06:23:21 -0700

Thanks! How about this statement:
But if you put the Sharepoint in the "DMZ", you would need to open various
ports to allow communication from the DMZ to the Internal network (I think
Sharepoint, like OWA, does require ports other than 443 or 80 for
communications).
When you "open" such ports for a server that resides in the DMZ, aren't you
also exposing important information from your internal network?
At least that's the idea that I have heard from some Exchange people. If you
put the OWA box in the "DMZ", they told me, you need to open a bunch of
ports (Kerberos, 3289, etc.) to allow communication with the internal
network. At that point, I thought, is when it would make sense to keep the
server in the internal network?
Please advise if you can.

"Karl Levinson, mvp" <levinson_k@despammed.com> wrote in message
news:u1oq$eloFHA.3544@TK2MSFTNGP15.phx.gbl...
>
> "Marlon Brown" <nospamarlon@hotmail.com> wrote in message
> news:O8Y5fOhoFHA.3316@tk2msftngp13.phx.gbl...
>> I need to publish a Sharepoint server that is on our "internal" network. I
>> have ISA 2004 configured on the "Perimeter" network.
>> Can anyone here tell me the *real* implications of publishing such a
>> Sharepoint server that is on the internal network?
>
>> Has anyone here ever seen statistics, or have you tried to hack such
>> servers, and can tell me how relevant it would be to put such a Sharepoint
>> (or another server such as OWA) on the Perimeter instead of keeping it in
>> the internal network? People talk a lot about this, but actually I would
>> like to see in practical terms how much more protected the server will be
>> if left in the internal network as is.
>
> This isn't about protecting your Sharepoint server, it's about assuming that
> your Sharepoint server could be compromised in the future and protecting
> your internal network from an attacker that has remote control of that
> server. IIS web services are a big target of hacking and are hacked all the
> freaking time [see www.zone-h.org for specific examples of hacks occurring
> daily], although if you are running Windows Server 2003, IIS is a lot more
> secure. No one is going to force you to put the Sharepoint server into a
> DMZ, but if you make a mistake on your Sharepoint's security configuration,
> or fail to patch soon enough, someone is going to discover it and hack your
> server.
>
> Another problem is that internal Windows networks are very noisy and
> difficult to impossible to monitor to detect intrusions. Putting your
> server into a DMZ makes it easier to detect when it's been hacked.
>
> Putting your Sharepoint server into a DMZ should be really easy. If it
> isn't too busy, you can just buy a $600 entry-level firewall device like
> www.netscreen.com or similar, plug it into where your Sharepoint server is
> plugged into, plug the Sharepoint server into the firewall, and configure
> the firewall. Voila, you have your DMZ. If you really wanted to, you could
> configure the Windows 2003 Windows Firewall or use IPsec rules on the
> Sharepoint server for free... although I don't recommend relying just on
> those. The logging is inadequate or nonexistent, and the Windows Firewall
> doesn't monitor or block outbound connections. Also, if either of these is
> hacked, you'll probably never know it if you don't have a second firewall or
> network device for protection.
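Karl's two points (the DMZ exists to limit what a compromised server can reach, and a DMZ firewall makes a hack easier to notice) come down to one control: a short DMZ-to-internal allowlist and a review of whatever the published host tries outside it. As an added example, not code from either poster, this Python script audits constructed firewall log lines from the DMZ Sharepoint host against such an allowlist; the addresses, ports and log format are assumptions.

```python
from collections import Counter

# Hypothetical allowlist (not from the thread): (internal destination, port)
# pairs the DMZ Sharepoint host is permitted to reach. Kerberos (88) to the
# DC is the kind of rule the thread describes; the rest are placeholders.
ALLOWED = {
    ("10.0.0.5", 88),     # Kerberos to the domain controller
    ("10.0.0.5", 389),    # LDAP to the domain controller
    ("10.0.0.20", 1433),  # SQL Server behind Sharepoint (assumed)
}

def parse_line(line):
    """Parse one constructed log line: 'src dst port proto action'."""
    src, dst, port, proto, action = line.split()
    return {"src": src, "dst": dst, "port": int(port), "proto": proto, "action": action}

def audit(log_lines, dmz_host):
    """Return (flagged, seen): connections from dmz_host outside ALLOWED,
    plus a count per (dst, port) so allowed traffic can be reviewed too.
    Denied attempts are flagged as well: a compromised DMZ host probing the
    internal side shows up first as unexpected egress, allowed or not."""
    flagged = []
    seen = Counter()
    for line in log_lines:
        rec = parse_line(line)
        if rec["src"] != dmz_host:
            continue
        key = (rec["dst"], rec["port"])
        seen[key] += 1
        if key not in ALLOWED:
            flagged.append(rec)
    return flagged, seen

# Constructed sample log: normal traffic plus SMB attempts at workstations.
SAMPLE_LOG = [
    "192.0.2.10 10.0.0.5 88 tcp allow",
    "192.0.2.10 10.0.0.20 1433 tcp allow",
    "192.0.2.10 10.0.0.5 389 tcp allow",
    "192.0.2.10 10.0.0.77 445 tcp deny",
    "192.0.2.10 10.0.0.78 445 tcp deny",
    "203.0.113.9 192.0.2.10 443 tcp allow",
]

if __name__ == "__main__":
    flagged, seen = audit(SAMPLE_LOG, "192.0.2.10")
    for rec in flagged:
        print(f"unexpected: {rec['dst']}:{rec['port']} ({rec['action']})")
```

Running the same audit against the Windows Firewall on the server itself would not work, since (as Karl notes) it neither logs adequately nor filters outbound connections; the allowlist has to live on a device the server cannot reconfigure.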
