Brian Steele wrote:
> 
> The MS Exchange server is in its own domain, with a one way trust
> relationship set up between the main domain and the Exchange domain.  It was
> the most secure solution I could come up with for our LAN.

Hmm, pretty nice point there with the exchange server being in its own
domain and trusting the main domain. That may counter some attacks --
I'll have to make a note of that :-)

Of course, one big problem remains -- users from the main domain 
periodically reveal their identities to the exchange box, so if it's
r00ted, and the attacker knows to listen for logons, you're still
pretty much fucked (pardon my french), since the exchange box
by definition has to be allowed to talk to (at least) the domain
controllers of the main domain. 
#include <std-rant-about-not-doing-anything-else-on-DCs>

Ah well, every bit of in-depth security counts toward the greater good :-)

/Mike

-- 
Mikael Olsson, EnterNet Sweden AB, Box 393, SE-891 28 ÖRNSKÖLDSVIK
Phone: +46-(0)660-29 92 00         Fax: +46-(0)660-122 50
Mobile: +46-(0)70-66 77 636
WWW: http://www.enternet.se        E-mail: [EMAIL PROTECTED]
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
