I appreciate your retraction, so I'll retract a bit myself and say that the admin needs a bout of training at the minimum, but I stand by my analysis that putting a member server in a DMZ then making a sieve of the firewall is a stupid thing to do.

If it's a DMZ, that means that the machines in it are untrusted - that's why it's called a DMZ, and I know you know this, probably even better than I do. If you don't trust the machine, you don't make it a member of your domain/forest. Full stop. While I will admit that I haven't heard of all of the various scenarios in the world (or most, or even a lot of them), I have yet to hear of one that couldn't be better handled than putting a member server in the DMZ. We have web and SQL server machines in an Internet-facing DMZ, and they are definitely not members of the domain/forest. To get the data we want from them, we reach into the DMZ periodically and fetch it. Something like this can be arranged for anything I've heard of.

I disagree strongly that there are no hard and fast rules, and that risk mitigation is king. If you value your network and data, you protect them in the best way you know how. Heading down the risk mitigation road when you know there are better ways is like taking out a sizable life insurance policy then hopping on your unicycle and going to the market juggling nitroglycerin - you're covered, I suppose, as long as all you care about is the money your beneficiaries get, and bystanders be damned.

Kurt

On Thu, Jan 6, 2011 at 17:42, Ken Schaefer <[email protected]> wrote:
> I take back the "you don't know what you're talking about" bit - that was
> harsher than I intended. It was a bit of a gut-reaction to "fire the admin".
>
> -----Original Message-----
> From: Ken Schaefer [mailto:[email protected]]
> Sent: Friday, 7 January 2011 12:32 PM
> To: NT System Admin Issues
> Subject: RE: AD and firewall ports
>
> As with anything in security - there are no hard and fast rules - everything
> is just risk mitigation.
>
> Lots of people put member servers in the DMZ. Lots of people have two (or
> more) DMZs. An internal DMZ could be for devices (like proxy servers, DNS
> servers) that cater only for outbound communications. External DMZ handles
> incoming requests.
> Other people create a separate Forest for their DMZ - and their servers are
> members of that Forest.
> Etc.
>
> Frankly, it sounds like you don't know what you're talking about.
>
> Cheers
> Ken
>
> -----Original Message-----
> From: Kurt Buff [mailto:[email protected]]
> Sent: Friday, 7 January 2011 11:56 AM
> To: NT System Admin Issues
> Subject: Re: AD and firewall ports
>
> Get a new admin.
>
> Putting an AD member server in a DMZ is stupid.
>
> You will have broken the security model for your production environment by
> doing this.
>
> Kurt
>
> On Wed, Jan 5, 2011 at 16:53, joseph palmieri <[email protected]> wrote:
>>
>> Need assistance with firewall ports and Active Directory. Our server admin
>> submitted a change request to open over 1000 ports to support AD. The change
>> was denied and resubmitted requesting a minimum of 100 ports to support RPC
>> communications to a member server within our DMZ. Our firewall engineers
>> stated that while monitoring the firewall only 20 ports were communicated over
>> and 100 ports are not needed.
>>
>> Has anyone had experience with this issue and can provide some clarity… is
>> the server admin looking for an easy way out by requesting all these ports?

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~

---
To manage subscriptions click here:
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to [email protected]
with the body: unsubscribe ntsysadmin
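Joseph's firewall engineers sized the request by watching what the DMZ member server actually talked to. The audit script below is an added example (not code from any poster on this thread) that does the same thing over constructed firewall accept-log lines: it collects the distinct destination ports from the DMZ host to the domain controller and buckets them into well-known AD service ports, the default Windows Server 2008+ RPC dynamic range (49152-65535), and everything else. The log format, addresses and sample lines are assumptions made for the example.

```python
"""Summarize which ports a DMZ host actually used to reach a domain controller,
from firewall accept logs, so a change request is sized to what was observed."""
from collections import defaultdict

# Well-known Active Directory service ports (TCP unless noted).
AD_WELL_KNOWN = {
    53: "DNS", 88: "Kerberos", 123: "NTP (udp)", 135: "RPC endpoint mapper",
    389: "LDAP", 445: "SMB", 464: "Kerberos kpasswd", 636: "LDAPS",
    3268: "Global Catalog", 3269: "Global Catalog over SSL",
}
# Default RPC dynamic range on Windows Server 2008 and later (Windows Server
# 2003 and earlier used 1025-5000).
RPC_DYNAMIC = range(49152, 65536)

def classify(port):
    # Bucket a destination port as a well-known AD port, RPC dynamic, or other.
    if port in AD_WELL_KNOWN:
        return "ad"
    if port in RPC_DYNAMIC:
        return "rpc-dynamic"
    return "other"

def summarize(lines, src, dst):
    """Return {bucket: sorted distinct destination ports} for ACCEPTed flows
    from src to dst. Log format is constructed for this example:
    'time src dst proto dport action', space separated."""
    seen = defaultdict(set)
    for line in lines:
        parts = line.split()
        if len(parts) != 6:
            continue  # skip malformed lines rather than crash mid-audit
        _time, s, d, _proto, dport, action = parts
        if s != src or d != dst or action != "ACCEPT":
            continue
        seen[classify(int(dport))].add(int(dport))
    return {bucket: sorted(ports) for bucket, ports in seen.items()}

# Constructed sample log: a DMZ web server (10.1.1.5) talking to an internal DC.
SAMPLE_LOG = """\
2011-01-06T17:00:01 10.1.1.5 192.168.0.10 tcp 135 ACCEPT
2011-01-06T17:00:01 10.1.1.5 192.168.0.10 tcp 49158 ACCEPT
2011-01-06T17:00:02 10.1.1.5 192.168.0.10 tcp 389 ACCEPT
2011-01-06T17:00:03 10.1.1.5 192.168.0.10 tcp 445 ACCEPT
2011-01-06T17:00:04 10.1.1.5 192.168.0.10 tcp 49158 ACCEPT
2011-01-06T17:00:05 10.1.1.5 192.168.0.10 tcp 51002 ACCEPT
2011-01-06T17:00:06 10.1.1.5 192.168.0.10 tcp 3389 DROP
2011-01-06T17:00:07 10.1.1.5 192.168.0.10 tcp 8080 ACCEPT
""".splitlines()
```

Ports that land in the "other" bucket (here 8080) are the ones to question before they go into a firewall change request, and a long "rpc-dynamic" list is the signal that the dynamic range, not the count of observed ports, is what the request is really about.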
