Ken, I would suggest that you post to the MS Exchange list for advice on your OWA. There are a lot of very experienced OWA implementors on this list. http://www.sunbelt-software.com/exchange_list_charter.htm

Jim Busick
Database Network Analyst MCSE
Santee School District
Santee, CA 92071

> -----Original Message-----
> From: Garello, Kenneth [mailto:KGarello@worcester.edu]
> Sent: Wednesday, November 06, 2002 11:19 AM
> To: '[EMAIL PROTECTED]'
> Subject: RE: [ActiveDir] IIS behind firewall
>
> Rick,
>
> Thank you very much for your thoughts.
>
> My task at hand is to provide Outlook Web Access to our internal mail system. From your discussion, I take it that there really is no secure way to do this. Are there options that I am not aware of?
>
> Ken
>
> -----Original Message-----
> From: Rick Kingslan [mailto:rkingsla@cox.net]
> Sent: Wednesday, November 06, 2002 11:11 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] IIS behind firewall
>
> Documents of interest:
>
> http://www.nsa.gov/snac/win2k/index.html (look for the guide on IIS, but IIS hardening is worthless unless the base OS is hardened as well)
> http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/prodtech/windows/windows2000/staysecure/default.asp (get the templates!)
> http://www.sans.org (their guides are not free, but are quite worth the money)
>
> I'd also look at various places like @Stake, Church of the Swimming Elephant (COTSE), NTBugTraq for some EXCELLENT information from folks that do this daily.
>
> Now that the documents are cleared up, let's discuss IIS -> AD authentication across the DMZ.
>
> First - your IIS servers should be on the outside. At the very least, they should be in a hard DMZ (behind a bastion or the first firewall, but in front of a soft DMZ). This is an untrusted zone. It's considered untrusted because the Internet data is not 'clean' or secure. Putting things out here is, in effect, putting systems that must be accessed by the public in harm's way. There really is no other way. We need to allow users to access them - but we can't lock them down as much as we'd like.
>
> The separation that is intrinsic with trusted and untrusted (your IIS server in the hard DMZ is in the Internet zone) allows for the IIS server to access data in the untrusted DMZ. In no way should the IIS server in the Internet zone be allowed to access anything in the trusted zone. What this means is that it is not really considered a 'safe practice' to allow IIS (or any system directly) to authenticate to internal DCs. This is the reason for RADIUS - the authentication request comes from a trusted third party system (at least as far as your network is concerned - the RADIUS server is still on your network, but the number of ports open and the compromise risk are both low).
>
> Microsoft authentication requires a slew of ports to be open. Steve Riley of Microsoft has a good article: http://www.microsoft.com/SERVICEPROVIDERS/columns/config_ipsec_p63623.asp on how to do replication and authentication over and across firewalls, but it is still considered a risky practice. It is typically not considered a 'good thing' to allow outside entities or untrusted systems to access trusted systems. In this case, the IIS server is untrusted because it is designed for direct access by outside entities that you have no control over. In many ways, you EXPECT it to be compromised - hence you cannot trust it. On the other hand, you need to be able to trust that a DC is not compromised and that it is who it says it is and that the network is secure. This would be a trusted system - you trust the data, the authentication, the server.
>
> The only way that I would do any type of authentication across a DMZ is to have a forest or an AD authentication mechanism (an AD proxy, if you will) in the DMZ (not trusted) with IPSec channels to a trusted DC or set of DCs that would actually validate the request.
>
> Right now, it's a bit messy. But be looking for a couple of things from MS and third parties (Aelita, Cisco) to pony up, too. I know that Cisco has ACS, but I'm not quite as up on that as I should be to know if it would help in this scenario.
>
> Hope this helps.... Any questions, please ask!
>
> Rick Kingslan MCSE, MCSA, MCT
> Microsoft MVP - Active Directory
> Associate Expert
> Expert Zone - www.microsoft.com/windowsxp/expertzone
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Garello, Kenneth
> Sent: Tuesday, November 05, 2002 9:22 AM
> To: '[EMAIL PROTECTED]'
> Subject: RE: [ActiveDir] IIS behind firewall
>
> Can you point to specific documents that you consider helpful? I'm especially interested in the last sentence (trusted to untrusted zones and AD). How can I provide IIS -> AD authentication across the DMZ and feel that I have followed best security practices for that situation?
>
> Any info pointers would be appreciated.
>
> Ken
>
> -----Original Message-----
> From: Rick Kingslan [mailto:rkingsla@cox.net]
> Sent: Tuesday, November 05, 2002 9:28 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] IIS behind firewall
>
> By implementing one or more firewalls with either a screened subnet from one firewall or a DMZ implemented between two firewalls using stateful inspection, packet filtering and web/server publishing. Anything less is asking for a major intrusion and compromise. NAT is not even close to 'good enough' in this type of scenario.
>
> Also - the IIS server(s) MUST be on the screened subnet or the DMZ - never on the internal network if they are going to be accessed by untrusted systems. It would also be highly suggested to review Microsoft/SANS/NSA guidelines for secure operations in this type of environment. All three put out substantial and important documents detailing the lockdown procedures for Windows systems and secure communications from trusted to untrusted zones.
>
> Rick Kingslan MCSE, MCSA, MCT
> Microsoft MVP - Active Directory
> Associate Expert
> Expert Zone - www.microsoft.com/windowsxp/expertzone
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Mr Teo
> Sent: Tuesday, November 05, 2002 3:26 AM
> To: [EMAIL PROTECTED]
> Subject: Re: [ActiveDir] IIS behind firewall
>
> Hi all
> I am setting up a network under Active Directory. My company is using a class C private address. However, the company also has a NAT which hides the network from the public. So how do I allow, for example, all my staff to host their IIS by using the firewall?
>
> __________________________________________________
> Do you Yahoo!?
> HotJobs - Search new jobs daily now
> http://hotjobs.yahoo.com/
>
> List info : http://www.activedir.org/mail_list.htm
> List FAQ : http://www.activedir.org/list_faq.htm
> List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
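The zone rules Rick describes in the thread above (the Internet reaches only the hard DMZ, and only on the published service; nothing in the DMZ initiates into the trusted zone except through the RADIUS relay; no direct Microsoft-authentication ports from the IIS host to internal DCs) can be checked mechanically against a firewall rule table. The following is an added example, not code from the thread or from any of the vendors mentioned; the rule format, the zone names, the RADIUS server address 10.0.0.5 and the sample rule set are all constructed for illustration.

```python
"""Zone-policy audit for a two-firewall DMZ design (constructed example)."""
from dataclasses import dataclass

# Hypothetical service published on the DMZ IIS/OWA host: HTTPS only.
PUBLISHED_SERVICES = {("tcp", 443)}

# Hypothetical authentication relay: the only trusted-zone destination a DMZ
# host may initiate to is the RADIUS server on 1812/udp. Address is constructed.
RADIUS_SERVER = "10.0.0.5"
AUTH_RELAY_SERVICES = {("udp", 1812)}

# Well-known ports a Windows domain member uses for direct domain authentication
# (Kerberos, RPC endpoint mapper, LDAP, SMB, Global Catalog). An allow rule from
# the DMZ straight into the internal zone on any of these gets its own finding.
MS_AUTH_PORTS = {("tcp", 88), ("udp", 88), ("tcp", 135), ("tcp", 389),
                 ("udp", 389), ("tcp", 445), ("tcp", 3268)}


@dataclass(frozen=True)
class Rule:
    src_zone: str   # "internet", "dmz" or "internal"
    dst_zone: str
    dst_host: str   # "any" or a single address
    proto: str      # "tcp" or "udp"
    port: int
    action: str     # "allow" or "deny"


def check_rule(rule):
    """Return the policy findings for one rule (empty list when it is clean)."""
    if rule.action != "allow":
        return []  # deny rules never widen exposure
    svc = (rule.proto, rule.port)
    findings = []
    if rule.src_zone == "internet":
        if rule.dst_zone != "dmz":
            findings.append("internet may only reach the DMZ, never the trusted zone")
        elif svc not in PUBLISHED_SERVICES:
            findings.append(f"{rule.proto}/{rule.port} is not a published service")
    elif rule.src_zone == "dmz" and rule.dst_zone == "internal":
        if svc in MS_AUTH_PORTS:
            findings.append(
                f"direct domain authentication port {rule.proto}/{rule.port} "
                "opened from untrusted zone")
        elif svc not in AUTH_RELAY_SERVICES or rule.dst_host != RADIUS_SERVER:
            findings.append("DMZ may initiate to the trusted zone only via the RADIUS relay")
    return findings


def audit(rules):
    """Map rule index -> findings for every allow rule that violates the zone policy."""
    result = {}
    for i, rule in enumerate(rules):
        findings = check_rule(rule)
        if findings:
            result[i] = findings
    return result


# Constructed rule table: a mix of rules that match the policy and rules that break it.
SAMPLE_RULES = [
    Rule("internet", "dmz", "any", "tcp", 443, "allow"),           # 0 ok: published OWA
    Rule("internet", "dmz", "any", "tcp", 80, "allow"),            # 1 finding: not published
    Rule("dmz", "internal", RADIUS_SERVER, "udp", 1812, "allow"),  # 2 ok: auth relay
    Rule("dmz", "internal", "any", "tcp", 445, "allow"),           # 3 finding: SMB into the DCs
    Rule("dmz", "internal", "any", "tcp", 389, "allow"),           # 4 finding: LDAP into the DCs
    Rule("internet", "internal", "any", "tcp", 443, "allow"),      # 5 finding: bypasses the DMZ
    Rule("dmz", "internal", "any", "tcp", 0, "deny"),              # 6 ok: default deny
]

if __name__ == "__main__":
    for idx, findings in audit(SAMPLE_RULES).items():
        print(f"rule {idx}: {SAMPLE_RULES[idx]}")
        for f in findings:
            print("   -", f)
```

Running the block prints the four rules that contradict the policy (1, 3, 4 and 5) and why; rule 2 passes only because both the port and the destination host match the relay, which is the point of RADIUS as a single narrow path from the untrusted zone into the trusted one.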
