You honestly think that security isn't about risks and mitigation? And that 
there is always a "best" way to do something security wise?

If not, then I don't think so...

From: Don Ely [mailto:[email protected]]
Sent: Friday, 7 January 2011 1:52 PM
To: NT System Admin Issues
Subject: Re: AD and firewall ports

Is this where we say "iPhone Thread!"?
On Thu, Jan 6, 2011 at 6:11 PM, Ken Schaefer 
<[email protected]<mailto:[email protected]>> wrote:
Hi,

Then you should turn off all your computers, encase them in concrete, and launch 
them into outer space - and into the Sun. That is the best way of stopping 
anyone compromising one of your machines.

Quickly now.

Having a non-domain joined SQL Server in your DMZ is far less secure than that.

Hint: go and read some books on security first. *All* security is risk 
mitigation. For example: that's why we still have passwords that are only "x" 
characters long, rather than "x + 1" (where x is any number less than infinity).

Everything in security is about:
a) analysing what risks you face,
b) working out the likelihood of it eventuating,
c) working out the cost of the likelihood eventuating,
d) working out the cost of making the risk go away,
e) working out whether it's cost effective to implement (d) given (a)(b)(c).

That is why a national government has a far more secure, cumbersome network 
than your average business. Because the risks are different. That's why we don't 
all blithely implement the same way of doing things. Because doing things 
*costs* money (whether that be products, convenience, productivity etc.)

Cheers
Ken

-----Original Message-----
From: Kurt Buff [mailto:[email protected]<mailto:[email protected]>]
Sent: Friday, 7 January 2011 1:04 PM
To: NT System Admin Issues
Subject: Re: AD and firewall ports

I disagree strongly that there are no hard and fast rules, and that risk 
mitigation is king. If you value your network and data, you protect them in the 
best way you know how. Heading down the risk mitigation road when you know 
there are better ways is like taking out a sizable life insurance policy then 
hopping on your unicycle and going to the market juggling nitroglycerin - 
you're covered, I suppose, as long as all you care about is the money your 
beneficiaries get, and bystanders be damned.

Kurt

On Thu, Jan 6, 2011 at 17:42, Ken Schaefer 
<[email protected]<mailto:[email protected]>> wrote:
> I take back the "you don't know what you're talking about bit" - that was 
> harsher than I intended. It was a bit of a gut-reaction to "fire the admin"
>
> -----Original Message-----
> From: Ken Schaefer 
> [mailto:[email protected]<mailto:[email protected]>]
> Sent: Friday, 7 January 2011 12:32 PM
> To: NT System Admin Issues
> Subject: RE: AD and firewall ports
>
> As with anything in security - there are no hard and fast rules - everything 
> is just risk mitigation.
>
> Lots of people put member servers in the DMZ. Lots of people have two (or 
> more DMZs). An internal DMZ could be for devices (like proxy servers, DNS 
> servers) that cater only for outbound communications. External DMZ handles 
> incoming requests.
> Other people create a separate Forest for their DMZ - and their servers are 
> members of that Forest.
> Etc.
>
> Frankly, it sounds like you don't know what you're talking about.
>
> Cheers
> Ken
>
> -----Original Message-----
> From: Kurt Buff [mailto:[email protected]<mailto:[email protected]>]
> Sent: Friday, 7 January 2011 11:56 AM
> To: NT System Admin Issues
> Subject: Re: AD and firewall ports
>
> Get a new admin.
>
> Putting an AD member server in a DMZ is stupid.
>
> You will have broken the security model for your production environment by 
> doing this.
>
> Kurt
>
> On Wed, Jan 5, 2011 at 16:53, joseph palmieri 
> <[email protected]<mailto:[email protected]>> wrote:
>>
>> Need assistance with firewall ports and Active Directory. Our server admin 
>> submitted a change request to open over 1000 ports to support AD. The change 
>> was denied and resubmitted requesting a minimum of 100 ports to support RPC 
>> communications to a member server within our DMZ. Our firewall engineers 
>> stated that while monitoring the firewall only 20 ports were communicated over 
>> and 100 ports are not needed.
>>
>> Has anyone had experience with this issue and can provide some clarity...is 
>> the server admin looking for an easy way out by requesting all these ports?
>
>
> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~
> <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~
>
> ---
> To manage subscriptions click here:
> http://lyris.sunbelt-software.com/read/my_forums/
> or send an email to 
> [email protected]<mailto:[email protected]>
> with the body: unsubscribe ntsysadmin
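The original question turns on a measurement: the firewall engineers counted 20 ports in use between the DMZ member server and the domain controllers, while the admin asked for 100. The script below, an added example that is not part of the thread, shows how to make that count reproducible from firewall logs and, more importantly, how to separate fixed service ports from ports in the RPC dynamic range (49152-65535, the IANA dynamic range and the default on Windows Server 2008 and later), since a dynamic port seen today is not the one that will be used after the next service restart. The log format, host addresses and port numbers are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample firewall log (not from the thread): one connection per line,
# fields are timestamp, action, protocol, source, destination, source port, dest port.
SAMPLE_LOG = """\
2011-01-06 09:00:01 ALLOW TCP 10.10.5.20 10.1.1.10 51232 88
2011-01-06 09:00:02 ALLOW TCP 10.10.5.20 10.1.1.10 51233 389
2011-01-06 09:00:02 ALLOW UDP 10.10.5.20 10.1.1.10 51234 53
2011-01-06 09:00:03 ALLOW TCP 10.10.5.20 10.1.1.10 51235 135
2011-01-06 09:00:03 ALLOW TCP 10.10.5.20 10.1.1.10 51236 49671
2011-01-06 09:00:04 ALLOW TCP 10.10.5.20 10.1.1.10 51237 445
2011-01-06 09:00:05 ALLOW TCP 10.10.5.20 10.1.1.10 51238 49671
2011-01-06 09:00:06 ALLOW TCP 10.10.5.20 10.1.1.10 51239 636
2011-01-06 09:00:07 ALLOW TCP 10.10.5.20 10.1.1.11 51240 49812
2011-01-06 09:00:08 ALLOW TCP 10.10.5.20 10.1.1.10 51241 3268
2011-01-06 09:00:09 ALLOW TCP 10.10.5.20 203.0.113.9 51242 443
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>\w+) (?P<proto>TCP|UDP) (?P<src>\S+) (?P<dst>\S+) "
    r"(?P<sport>\d+) (?P<dport>\d+)$"
)

# IANA dynamic/private range; also the default RPC dynamic port range on
# Windows Server 2008 and later. Ports here are assigned at service start.
DYNAMIC_RANGE = range(49152, 65536)


def observed_ports(log_text, member_server, domain_controllers):
    """Count (protocol, destination port) pairs from the DMZ member server to any DC.
    Traffic to other destinations (e.g. the 443 line above) is ignored."""
    seen = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["src"] != member_server or m["dst"] not in domain_controllers:
            continue
        seen[(m["proto"], int(m["dport"]))] += 1
    return seen


def summarize(log_text, member_server, domain_controllers):
    """Split what was observed into fixed service ports and dynamic-range ports.
    A small 'dynamic' list still means the whole range is in play, not just those ports."""
    seen = observed_ports(log_text, member_server, domain_controllers)
    static = sorted(p for p in seen if p[1] not in DYNAMIC_RANGE)
    dynamic = sorted(p for p in seen if p[1] in DYNAMIC_RANGE)
    return {"distinct_ports": len(seen), "static": static, "dynamic": dynamic}
```

Run `summarize(SAMPLE_LOG, "10.10.5.20", {"10.1.1.10", "10.1.1.11"})` to get the breakdown; the fixed ports are what a rule can name, while the dynamic entries argue for either opening the configured dynamic range or narrowing that range on the hosts rather than trusting a one-off count.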