Ken, OWA is a tough one - but it's not as bad as an IIS server. Primarily, most of IIS is shut off. OWA acts as a HTTP/HTTPS protocol front end to your back end message stores on the Exchange servers.
Microsoft recommends having them on the internal network to alleviate all of the ports that you have to open to satisfy Exchange and the DCs that it must get information from (just to name a few - 3268 - Global Catalog, 389 - LDAP, 445 - CIFS). Effectively, putting the OWA server at your Hard DMZ would turn your firewall into swiss cheese (or, as some like to put it - firelogs). There are just too many vulnerable holes. Front end them in the internal network - and build a proxy in the DMZ to front end them. This will aid in hiding the OWA server(s) and provide added security. Our secure site is comprised of a PIX at the external perimeter, a Nokia appliance box with CP-1 on a stripped BSD kernel. We have also implemented Content Switches (CSS) from Cisco as well as SSL off-loading. The only way to access our OWA is via SSL - from theoff-loader in the DMZ it is HTTP traffic to the OWA front ends, and able to communicate with GC and DC freely from there. It's not that it can't be done, it just takes a lot of work. Find the Exchange Security Operations Guide on the MS site as well. Well worth the read... Hope this helps.... Rick Kingslan MCSE, MCSA, MCT Microsoft MVP - Active Directory Associate Expert Expert Zone - www.microsoft.com/windowsxp/expertzone > -----Original Message----- > From: [EMAIL PROTECTED] > [mailto:ActiveDir-owner@;mail.activedir.org] On Behalf Of > Garello, Kenneth > Sent: Wednesday, November 06, 2002 1:19 PM > To: '[EMAIL PROTECTED]' > Subject: RE: [ActiveDir] IIS behind firewall > > > Rick, > > Thank you very much for your thoughts. > > My task at hand is to provide Outlook Web Access to our > internal mail system. From your discussion, I take it that > there really is no secure way to do this. Are there options > that I am not aware of? > > Ken > > -----Original Message----- > From: Rick Kingslan [mailto:rkingsla@;cox.net] > Sent: Wednesday, November 06, 2002 11:11 AM > To: [EMAIL PROTECTED] > Subject: RE: [ActiveDir] IIS behind firewall > > Documents of interest: > > http://www.nsa.gov/snac/win2k/index.html (look for the guide > on IIS, but IIS hardening is worthless unless the base OS is > hardened as well) > http://www.microsoft.com/technet/treeview/default.asp?url=/tec > hnet/secur > ity/prodtech/windows/windows2000/staysecure/default.asp (get the > templates!) > http://www.sans.org (their guides are not free, but are quite > worth the > money) > > I'd also look at various places like @Stake, Church of the > Swimming Elephant (COTSE), NTBugTraq for some EXCELLENT > information from folks that do this daily. > > Now, that the documents are cleared up, let's discuss IIS -> > AD authentication across the DMZ. > > First - your IIS servers should be on the outside. At the > very least, they should be in a hard DMZ (behind a bastion or > the first firewall, but in front of a soft DMZ) This is an > untrusted zone. It's considered untrusted because the > Internet data is not 'clean' or secure. Putting things out > here is, in effect, putting systems that must be accessed by > the public in harm's way. There really is no other way. We > need to allow users to access them - but we can't lock them > down as much as we'd like. > > The separation that is intrinsic with trusted and untrusted > (your IIS Server in the hard DMZ is in the Internet zone) > allows for the IIS server to access data in the untrusted > DMZ. In no way should the IIS server in the Internet zone be > allowed to access anything in the trusted zone. What this > means is that it is not really considered a 'safe practice' > to allow IIS (or, any system directly) to authenticate to > internal DCs. This is the reason for RADIUS - the > authentication request comes from a trusted third party > system (at least as far as your network is concerned - the > RADIUS server is still on your network, but the number of > ports open and the compromise risk are both low). > > Microsoft authentication requires a slew of ports to be open. > Steve Riley of Microsoft has a good article: > http://www.microsoft.com/SERVICEPROVIDERS/columns/config_ipsec > _p63623.as > p > on how to do replication and authentication over and across > firewalls, but it is still considered a risky practice. It > is typically not considered a 'good thing' to allow outside > entities or untrusted systems to access trusted systems. In > this case, the IIS server is untrusted because it is designed > for direct access by outside entities that you have no > control over. In many ways, you EXPECT it to be compromised > - hence you cannot trust it. On the other hand, you need to > be able to trust that a DC is not compromised and that it is > who it says it is and that the network is secure. This would > be a trusted system - you trust the data, the authentication, > the server. > > The only way that I would do any type of authentication > across a DMZ is to have a forest or an AD authentication > mechanism (an AD proxy, if you will)in the DMZ (not trusted) > with IPSec channels to a trusted DC or set of DCs that would > actually validate the request. > > Right now, it's a bit messy. But, be looking for a couple of > things from MS and third parties (Aelita, Cisco) to pony up, > too. I know that Cisco has ACS, but I'm not quite as up on > that as I should be to know if it would help in this scenario. > > Hope this helps.... Any questions, please ask! > > Rick Kingslan MCSE, MCSA, MCT > Microsoft MVP - Active Directory > Associate Expert > Expert Zone - www.microsoft.com/windowsxp/expertzone > > > > > > > -----Original Message----- > From: [EMAIL PROTECTED] > [mailto:ActiveDir-owner@;mail.activedir.org] On Behalf Of > Garello, Kenneth > Sent: Tuesday, November 05, 2002 9:22 AM > To: '[EMAIL PROTECTED]' > Subject: RE: [ActiveDir] IIS behind firewall > > > Can you point to specific documents that you consider > helpful? I'm especially interested in the last sentence > (trusted to untrusted zones and AD). How can I provide IIS > -> AD authentication across the DMZ and feel that I have > followed best security practices for that situation. > > Any info pointers would be appreciated. > > Ken > > -----Original Message----- > From: Rick Kingslan [mailto:rkingsla@;cox.net] > Sent: Tuesday, November 05, 2002 9:28 AM > To: [EMAIL PROTECTED] > Subject: RE: [ActiveDir] IIS behind firewall > > By implementing one or more firewalls with either a screened > subnet from one firewall or a DMZ implemented between two > firewalls using stateful inspection, packet filtering and > web/server publishing. Anything less is asking for a major > intrusion and compromise. NAT is not even close to 'good > enough' in this type of scenario. > > Also - the IIS server(s) MUST be on the screened subnet or > the DMZ - never on the internal networkif they are going to > be accessed by untrusted systems. It would also be highly > suggested to review Microsoft/SANS/NSA guidelines for secure > operations in this type of environment. All three put out > substantial and important documents detailing the lockdown > procedures for Windows systems and secure communications from > trusted to untrusted zones. Rick Kingslan MCSE, MCSA, MCT > Microsoft MVP - Active Directory Associate Expert Expert Zone > - www.microsoft.com/windowsxp/expertzone > > > > -----Original Message----- > From: [EMAIL PROTECTED] > [mailto:ActiveDir-owner@;mail.activedir.org] On Behalf Of Mr Teo > Sent: Tuesday, November 05, 2002 3:26 AM > To: [EMAIL PROTECTED] > Subject: Re: [ActiveDir] IIS behind firewall > Hi all > i am setting up a network under active directory. then my > company is using > class c private adress. however the company also have a nat > whoch hide the > network from the public. so how do i allow for e.g. all my > staffs to host > their IIS by using the firewall? > __________________________________________________ > Do you Yahoo!? > HotJobs - Search new jobs daily now > http://hotjobs.yahoo.com/ > > > > > > > > > List info : http://www.activedir.org/mail_list.htm > List FAQ : http://www.activedir.org/list_faq.htm > List archive: > http://www.mail-archive.com/activedir%> 40mail.activedir.org/ > > List info : > http://www.activedir.org/mail_list.htm > List FAQ : http://www.activedir.org/list_faq.htm > List archive: > http://www.mail-archive.com/activedir%> 40mail.activedir.org/ > List info : http://www.activedir.org/mail_list.htm List FAQ : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
