Ben,
Why is it so dangerous to leave the RPC service activated? AFAIK, disabling it
often produces performance problems (our own experience with CP FW-1 on NT
machines). Does this mean that, in this very specific case, no compromise
can be made between security and performance?
-----Original Message-----
From: Ben Nagy [mailto:[EMAIL PROTECTED]]
Sent: Monday 8 May 2000 01:51
To: '[EMAIL PROTECTED]'; [EMAIL PROTECTED]
Subject: RE: firewalling a windows PDC
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> Sent: Friday, 5 May 2000 7:28 PM
> To: [EMAIL PROTECTED]
> Subject: firewalling a windows PDC
>
>
> Is it feasible to firewall a Windows NT Primary Domain Controller?
Nope.
>
> In the course of evaluating the external firewall configuration for a
> windows-based WAN, I'm also taking a look at internal network
> security
> policies.
>
> Most disturbing is that each and every node puts its trust in one
> Primary Domain Controller, creating a single point of failure for the
> whole WAN. My client contact assures me this is The Way To Do It (tm)
> in the windoze (tm) business. Being a Linux guy with a "trust is your
> enemy" attitude, I find this hard to swallow.
Uh, this isn't quite right AFAIK. The PDC is the primary source for the
account database, but the entire database is regularly replicated to all the
BDCs (Backup Domain Controller) which will happily authenticate people
without checking with the PDC all the time. In fact, it's normal for the
BDCs to bear almost all the login / auth load. This means that if the PDC is
down the network keeps running.
If you're talking about failure as in single point of _compromise_ then
that's a bit different. If someone can elevate privilege for a user account
on the PDC then it will happily replicate out, yes.
(I can't resist - if you're so big on trust why are you using Linux? Why not
use a _secure_ OS? ;)
>
> So what I want to try and do is to add some protection to the PDC by
> placing it behind an internal firewall. I've looked all over the net
> but I can't find any useful protocol specification I could
> base a nice
> ipchains rule set on, that would leave the PDC function intact whilst
> blocking other traffic to the PDC machine.
Uh...good. Except for the fact that SMB traffic (required if you want to use
it as a PDC) and RPC traffic (also required) are the two single most
dangerous ports one can leave open on a windows box (except port 80 with
IIS).
>
> Three questions:
> - does it make sense at all to try and internally firewall a PDC?
No.
> - does anybody have any reference to an NT protocol/ports
> specification I can base my firewall rules on?
135 tcp, 137,8,9 udp and 137 tcp, from memory.
> - does anybody have any experience with this situation and some good
> advice or some example code to draw on?
Forget about the multiple domain and trust thing - if you don't trust any of
the domains enough to run a single master then what's the point of
"trusting" them in your network model? Unless you need to run multiple
domains for geographic reasons then steer WAY clear of them. This will also
make it much easier for your clients when they migrate away from NT domains
to Active Directory (or something similar). You'll find life a lot easier if
you just run a single master domain and sort out all the permissions based
on global groups.
If you're worried about users "getting root" then you can use the NT audit
tools which are built in as well as some stuff that I think NTObjectives
wrote (someone correct me if I've misremembered) to do regular audits and
consistency checks. You can run perl on NT now and also run perl scripts as
services so you've no excuse for not having good enough tools. ;)
>
> An additional question that's off-topic for this list, but maybe
> somebody has a useful opinion anyway:
> - is it really that hard to break up the trusts into multiple domains
> and just log into the appropriate domains from a central workstation?
No. However, it requires at least one dedicated domain controller per
domain, using trusts will probably subvert all the security of your model,
there's no easy way to work in multiple user contexts in NT (until win2k) so
you can only use resources from one domain at a time and having five
unlinked rings of equal strength is the same order of security as having a
five-link chain.
>
> Thanx.
> --
> *** Guido A.J. Stevens *** mailto:[EMAIL PROTECTED] ***
> *** Net Facilities Group *** tel:+31.43.3618933 ***
> *** http://www.nfg.nl *** fax:+31.43.3560502 ***
>
> It is not true that the government has not moved to regulate the
> internet. The last few years has seen an extraordinary expansion
> of intellectual property rights [...] that is producing an
> extraordinary power to own and hence control ideas.
> [Lessig, http://cyber.law.harvard.edu/events/lessigkeynote.pdf ]
> -
Cheers,
--
Ben Nagy
Network Consultant, Volante IT
PGP Key ID: 0x1A86E304 Mobile: +61 414 411 520
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
************************************************************************
The information in this email is confidential and is intended solely
for the addressee(s).
Access to this email by anyone else is unauthorised. If you are not
an intended recipient, you must not read, use or disseminate the
information contained in the email.
Any views expressed in this message are those of the individual sender,
except where the sender specifically states them to be the views of
The Capital Markets Company.
http://www.capco.com
***********************************************************************
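The port list Ben gives above (135 tcp, 137/138/139 udp) is the only concrete rule-set input in the thread, and the original question was about an ipchains rule set. As an added example, not code from either poster, here is a small Python script that reads ipchains-style kernel log lines for packets aimed at the domain controller and separates the ports named in the thread from everything else, so an administrator can see what an internal firewall in front of the PDC would actually be passing or dropping. The log layout, the DC address, the sample lines and the port set are all constructed here; the set adds 139/tcp (NetBIOS session service, which carries SMB on NT 4) to Ben's list, and it does not cover the dynamic ports RPC negotiates after contacting 135, which is part of why Ben says the PDC cannot usefully be firewalled.

```python
import re
from collections import Counter

# Ports the thread names as needed for PDC function, plus 139/tcp for the
# NetBIOS session service that carries SMB. This set is an assumption made
# for the example, not a complete specification of NT domain traffic.
DOMAIN_PORTS = {
    ("tcp", 135),   # MS RPC endpoint mapper (further RPC ports are dynamic)
    ("tcp", 139),   # NetBIOS session service / SMB
    ("udp", 137),   # NetBIOS name service
    ("udp", 138),   # NetBIOS datagram service
    ("udp", 139),
}

PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}

# Assumed ipchains kernel log layout:
#   "Packet log: <chain> <target> <iface> PROTO=<n> <src>:<sport> <dst>:<dport> ..."
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<target>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sport>\d+) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+)"
)


def parse_line(line):
    """Return the fields of one log line, or None if it is not a packet log."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    proto = PROTO_NAMES.get(int(m["proto"]), m["proto"])
    return {
        "target": m["target"],
        "proto": proto,
        "src": m["src"],
        "dst": m["dst"],
        "dport": int(m["dport"]),
    }


def classify_dc_traffic(lines, dc_ip):
    """Split logged packets aimed at dc_ip into expected domain traffic and
    everything else. Returns (Counter of expected (proto, port), list of
    (src, proto, dport, target) tuples for the rest)."""
    expected = Counter()
    unexpected = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["dst"] != dc_ip:
            continue  # not a packet log line, or not addressed to the DC
        key = (rec["proto"], rec["dport"])
        if key in DOMAIN_PORTS:
            expected[key] += 1
        else:
            unexpected.append((rec["src"], rec["proto"], rec["dport"], rec["target"]))
    return expected, unexpected


# Constructed sample log; 10.1.1.5 plays the PDC, 10.1.3.9 is another host.
DC_IP = "10.1.1.5"
SAMPLE_LOG = [
    "May  8 01:51:02 fw kernel: Packet log: input ACCEPT eth1 PROTO=6 10.1.2.20:1037 10.1.1.5:139 L=48 S=0x00 I=4521 F=0x4000 T=128 SYN (#3)",
    "May  8 01:51:03 fw kernel: Packet log: input ACCEPT eth1 PROTO=17 10.1.2.20:137 10.1.1.5:137 L=78 S=0x00 I=4522 F=0x0000 T=128 (#4)",
    "May  8 01:51:05 fw kernel: Packet log: input ACCEPT eth1 PROTO=6 10.1.2.21:1044 10.1.1.5:135 L=48 S=0x00 I=4530 F=0x4000 T=128 SYN (#3)",
    "May  8 01:51:09 fw kernel: Packet log: input DENY eth1 PROTO=6 10.1.2.77:2231 10.1.1.5:80 L=48 S=0x00 I=4601 F=0x4000 T=128 SYN (#9)",
    "May  8 01:51:10 fw kernel: Packet log: input ACCEPT eth1 PROTO=6 10.1.2.20:1052 10.1.3.9:139 L=48 S=0x00 I=4602 F=0x4000 T=128 SYN (#3)",
    "May  8 01:51:12 fw kernel: Packet log: input DENY eth1 PROTO=6 10.1.2.77:2240 10.1.1.5:1027 L=48 S=0x00 I=4610 F=0x4000 T=128 SYN (#9)",
]

if __name__ == "__main__":
    expected, unexpected = classify_dc_traffic(SAMPLE_LOG, DC_IP)
    for (proto, port), n in sorted(expected.items()):
        print(f"domain traffic {proto}/{port}: {n} packet(s)")
    for src, proto, port, target in unexpected:
        print(f"review: {src} -> {DC_IP} {proto}/{port} ({target})")
```

Anything that lands in the "review" list is either a rule gap or something that has no business talking to the domain controller; on the constructed sample that is the web probe on 80/tcp and the 1027/tcp connection, which may well be legitimate RPC on a dynamic port, which is exactly the ambiguity Ben's "Nope" is about.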