Re: Network Security
- From: "Lanwench [MVP - Exchange]" <lanwench@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Wed, 22 Nov 2006 10:10:32 -0500
In news:E96624F6-709F-4565-9F47-0E801A5E314E@xxxxxxxxxxxxx,
Peter Haase <PeterHaase@xxxxxxxxxxxxxxxxxxxxxxxxx> typed:
> Hi,
> I'm doing some work for a company that has an MS network where their
> firewall is a Cisco 800 device. The company public website sits on a
> server that is also a windows 2000 domain controller and the exchange
> 2000 server for the internal domain. There is a security need to keep
> internal patent documents secure (they reside on a file server on the
> internal domain not accessible directly by the public).
> I know the configuration has security issues and want to address
> those, especially as Exchange is going to be upgraded to 2003 and
> it's not recommended it be on a DC. The hard part is I need good
> reasons for management to accept that change is required. Can someone
> point me in the direction of some white papers or articles on
> potential issues we could encounter with the current design?
> Any help would be greatly appreciated.
> Thanks
> Peter
OK - so, you probably know all this, and your management doesn't. It's hard
for me to think of official documentation outlining exactly *why* this is an
incredibly stupid thing to do, because, well, it seems a bit obvious - kind
of like asking "How do I keep my apartment from being robbed, while
still leaving my door unlocked?"
Attacks on port 80 are commonplace, and even with a fully patched Windows
box you're seriously asking for trouble, especially in versions prior to
2003. (I don't even allow Internet access to OWA unless I force SSL on it.)
Exposing your domain controllers, Exchange servers, even regular file/print
servers, to the Internet like this is foolhardy - one hack/exploit, and
you're toast.
A web server should do nothing else - and it should not be on your
company's LAN at all, but on an isolated network. [Heck, maybe it shouldn't
even be a Windows or IIS box.]
If your company doesn't have the infrastructure or budget to properly host
the website themselves even in a DMZ (which seems possible given the
configuration they've got now), they should look into third party webhosting
services, as these have become incredibly affordable. A good hosting company
has racks of servers in a datacenter with redundant Internet connectivity,
power conditioning, monitoring, and so forth....and they can afford to
provide service to a lot of companies at a reasonable price due to volume.
I'd want to ask your management why they think it's a good idea to maintain
the current configuration, and make *them* justify it - especially given
that they've acknowledged that their data is incredibly sensitive.
[Note that Exchange really shouldn't be installed on a DC at all, in *any*
version - although it can work that way. Just never ever ever run dcpromo
on a box already running Exchange, to promote or demote it. ]