Is it feasible to firewall a Windows NT Primary Domain Controller?
In the course of evaluating the external firewall configuration for a
windows-based WAN, I'm also taking a look at internal network security
policies.
Most disturbing is that each and every node puts its trust in one
Primary Domain Controller, creating a single point of failure for the
whole WAN. My client contact assures me this is The Way To Do It (tm)
in the windoze (tm) business. Being a Linux guy with a "trust is your
enemy" attitude, I find this hard to swallow.
So what I want to try and do is to add some protection to the PDC by
placing it behind an internal firewall. I've looked all over the net
but I can't find any useful protocol specification I could base a nice
ipchains rule set on, that would leave the PDC function intact whilst
blocking other traffic to the PDC machine.
Three questions:
- does it make sense at all to try and internally firewall a PDC?
- does anybody have any reference to an NT protocol/ports
specification I can base my firewall rules on?
- does anybody have any experience with this situation and some good
advice or some example code to draw on?
An additional question that's off-topic for this list, but maybe
somebody has a useful opinion anyway:
- is it really that hard to break up the trusts into multiple domains
and just log into the appropriate domains from a central workstation?
Thanx.
--
*** Guido A.J. Stevens *** mailto:[EMAIL PROTECTED] ***
*** Net Facilities Group *** tel:+31.43.3618933 ***
*** http://www.nfg.nl *** fax:+31.43.3560502 ***
It is not true that the government has not moved to regulate the
internet. The last few years has seen an extraordinary expansion
of intellectual property rights [...] that is producing an
extraordinary power to own and hence control ideas.
[Lessig, http://cyber.law.harvard.edu/events/lessigkeynote.pdf ]