Internal AD security
From: youpski (youpski@hotmail.com)
Date: 09/03/02
From: "youpski" <youpski@hotmail.com> Date: Tue, 3 Sep 2002 06:40:31 -0700
Hi,
I read all the articles about AD replication over
firewalls, but still can't understand what the best way
is to set up an internal secure environment (most
enemies come from within).
Concerning this, I have a few questions:
1. What risks do I have with a 'normal' installation? How
vulnerable is a DC? All clients can access it for obvious
reasons.
2. Can I use the IPsec configuration in the security
policy manager to set a range of port filters on domain
controllers? For example: allow 42, 53, 88, 123, 135,
137, 138, 139, 445, 389, 636 and 1024 - 65535. This last
range is for dynamic RPC, I understand. This is also the
one I need to know how to set; I did not find a way to
set a range as a port filter.
3. The allow will be from local to any, because many
clients need to access the machine?
4. Also, is it wise to use this individual port filtering
on a machine as a security enhancement? We need to secure
communication between domain controllers (there are no
firewalls in the network).
5. Do you need to use IPsec as a whole, and only allow
IPsec to be communicated to and from a domain controller?
Or is this overkill in a local environment?
6. I see a lot (on some DCs as many as 200) of unknown
open dynamic RPC ports (from 1024 on). They are opened by
'system'; is this normal behavior?
Any help much appreciated.
grtz Y
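Added example (not part of the original post or any reply): a small Python script that takes `netstat -an` style output from a domain controller and sorts each listening port into one of three buckets, the named AD service ports listed in question 2, the broad 1024-65535 range the post proposes to allow for dynamic RPC, and anything outside both. The netstat lines below are constructed, not captured from a real DC; the service-name table covers only the ports the post names.

```python
import re
from collections import defaultdict

# Ports the post proposes to allow on a DC, with the service each is known for.
AD_SERVICE_PORTS = {
    42: "WINS", 53: "DNS", 88: "Kerberos", 123: "NTP", 135: "RPC endpoint mapper",
    137: "NetBIOS name", 138: "NetBIOS datagram", 139: "NetBIOS session",
    389: "LDAP", 445: "SMB", 636: "LDAPS",
}
# The post's catch-all range for dynamic RPC endpoints.
DYNAMIC_RPC_RANGE = range(1024, 65536)

# Constructed sample of `netstat -an` output (not from a real domain controller).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:88             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:389            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1026           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:23             0.0.0.0:0              LISTENING
  TCP    10.0.0.5:445           10.0.0.7:1040          ESTABLISHED
  UDP    0.0.0.0:53             *:*
"""

# Matches a TCP or UDP line and captures the local port; the optional LISTENING
# keyword means ESTABLISHED lines (which end differently) do not match.
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+\S+:(\d+)\s+\S+(\s+LISTENING)?\s*$")

def parse_listeners(netstat_text):
    """Return (proto, port) pairs for listening TCP sockets and bound UDP sockets."""
    listeners = []
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header, blank line, or a live connection rather than a listener
        proto, port, listening = m.group(1), int(m.group(2)), m.group(3)
        if proto == "TCP" and not listening:
            continue
        listeners.append((proto, port))
    return listeners

def classify(listeners):
    """Bucket listeners: named AD service, the broad dynamic range, or unexpected."""
    buckets = defaultdict(list)
    for proto, port in listeners:
        if port in AD_SERVICE_PORTS:
            buckets["service"].append((proto, port, AD_SERVICE_PORTS[port]))
        elif port in DYNAMIC_RPC_RANGE:
            buckets["dynamic_range"].append((proto, port))
        else:
            buckets["unexpected"].append((proto, port))
    return buckets

if __name__ == "__main__":
    for name, items in classify(parse_listeners(SAMPLE_NETSTAT)).items():
        print(name, items)
```

Note that the constructed 3389 listener lands in the "dynamic range" bucket purely because the proposed 1024-65535 allow is so wide; every high-port listener still has to be tied back to the process that owns it before the filter is trusted.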