Sorry Ken, I was making a subtle attempt at being humorous and it fell short... FWIW, I'm in your camp.

I didn't pass my CISSP exam because I was closed minded... ;)

On Thu, Jan 6, 2011 at 7:28 PM, Ken Schaefer <[email protected]> wrote:

> You honestly think that security isn't about risks and mitigation? And
> that there is always a "best" way to do something security wise?
>
> If not, then I don't think so...
>
> From: Don Ely [mailto:[email protected]]
> Sent: Friday, 7 January 2011 1:52 PM
> To: NT System Admin Issues
> Subject: Re: AD and firewall ports
>
> Is this where we say "iPhone Thread!"?
>
> On Thu, Jan 6, 2011 at 6:11 PM, Ken Schaefer <[email protected]> wrote:
>
> Hi,
>
> Then you should turn off all your computers, encase them in concrete, and
> launch them into outer space - and into the Sun. That is the best way of
> stopping anyone compromising one of your machines.
>
> Quickly now.
>
> Having a non-domain joined SQL Server in your DMZ is far less secure than
> that.
>
> Hint: go and read some books on security first. *All* security is risk
> mitigation. For example: that's why we still have passwords that are only
> "x" characters long, rather than "x + 1" (where x is any number less than
> infinity).
>
> Everything in security is about:
> a) analysing what risks you face,
> b) working out the likelihood of it eventuating,
> c) working out the cost of the likelihood eventuating,
> d) working out the cost of making the risk go away,
> e) working out whether it's cost effective to implement (d) given (a), (b) and (c).
>
> That is why a national government has a far more secure, cumbersome network
> than your average business. Because the risks are different. That is why we
> don't all blithely implement the same way of doing things. Because doing
> things *costs* money (whether that be products, convenience, productivity
> etc).
>
> Cheers
> Ken
>
> -----Original Message-----
> From: Kurt Buff [mailto:[email protected]]
> Sent: Friday, 7 January 2011 1:04 PM
> To: NT System Admin Issues
> Subject: Re: AD and firewall ports
>
> I disagree strongly that there are no hard and fast rules, and that risk
> mitigation is king. If you value your network and data, you protect them in
> the best way you know how. Heading down the risk mitigation road when you
> know there are better ways is like taking out a sizable life insurance
> policy then hopping on your unicycle and going to the market juggling
> nitroglycerin - you're covered, I suppose, as long as all you care about is the
> money your beneficiaries get, and bystanders be damned.
>
> Kurt
>
> On Thu, Jan 6, 2011 at 17:42, Ken Schaefer <[email protected]> wrote:
> > I take back the "you don't know what you're talking about" bit - that was
> > harsher than I intended. It was a bit of a gut-reaction to "fire the admin".
> >
> > -----Original Message-----
> > From: Ken Schaefer [mailto:[email protected]]
> > Sent: Friday, 7 January 2011 12:32 PM
> > To: NT System Admin Issues
> > Subject: RE: AD and firewall ports
> >
> > As with anything in security - there are no hard and fast rules -
> > everything is just risk mitigation.
> >
> > Lots of people put member servers in the DMZ. Lots of people have two (or
> > more) DMZs. An internal DMZ could be for devices (like proxy servers, DNS
> > servers) that cater only for outbound communications. External DMZ handles
> > incoming requests.
> >
> > Other people create a separate Forest for their DMZ - and their servers
> > are members of that Forest.
> >
> > Etc.
> >
> > Frankly, it sounds like you don't know what you're talking about.
> >
> > Cheers
> > Ken
> >
> > -----Original Message-----
> > From: Kurt Buff [mailto:[email protected]]
> > Sent: Friday, 7 January 2011 11:56 AM
> > To: NT System Admin Issues
> > Subject: Re: AD and firewall ports
> >
> > Get a new admin.
> >
> > Putting an AD member server in a DMZ is stupid.
> >
> > You will have broken the security model for your production environment
> > by doing this.
> >
> > Kurt
> >
> > On Wed, Jan 5, 2011 at 16:53, joseph palmieri <[email protected]> wrote:
> >>
> >> Need assistance with firewall ports and Active Directory: our server
> >> admin submitted a change request to open over 1000 ports to support AD. The
> >> change was denied and resubmitted requesting a minimum of 100 ports to
> >> support RPC communications to a member server within our DMZ. Our firewall
> >> engineers stated that while monitoring the firewall only 20 ports were
> >> communicated over and 100 ports are not needed.
> >>
> >> Has anyone had experience with this issue and can provide some
> >> clarity... is the server admin looking for an easy way out by requesting all
> >> these ports?
> >
> > ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
> > ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
> >
> > ---
> > To manage subscriptions click here:
> > http://lyris.sunbelt-software.com/read/my_forums/
> > or send an email to [email protected]
> > with the body: unsubscribe ntsysadmin
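The disagreement in the thread is really about how many ports an AD member server behind a firewall needs for RPC. One defensive practice, added here as an example and not code from anyone on the list, is to pin the RPC dynamic port range on the server so the firewall rule can name 135 plus a small, documented range, and then to inventory the listeners that fall outside it. It uses the Microsoft-documented HKLM\SOFTWARE\Microsoft\Rpc\Internet values; the 50000-50199 range is an assumption to adjust to local policy, and the script must run elevated and takes effect after a reboot.

```powershell
# Added example (not from the thread): confine RPC endpoint allocation to a
# known port range so the firewall request can be "135 + this range" instead
# of "1000 ports". Run elevated; the change applies after a reboot.
param(
    [int]$StartPort = 50000,   # assumed range, not from the thread
    [int]$PortCount = 200
)
$EndPort = $StartPort + $PortCount - 1
$key = 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet'

if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }

# Ports is REG_MULTI_SZ; each entry is a single port or a "start-end" range.
# PortsInternetAvailable=Y and UseInternetPorts=Y tell the RPC runtime to
# allocate dynamic endpoints only from the listed range.
Set-ItemProperty -Path $key -Name 'Ports' -Value @("$StartPort-$EndPort") -Type MultiString
Set-ItemProperty -Path $key -Name 'PortsInternetAvailable' -Value 'Y' -Type String
Set-ItemProperty -Path $key -Name 'UseInternetPorts' -Value 'Y' -Type String

# Read the configuration back: this is what the firewall team should expect.
$cfg = Get-ItemProperty -Path $key
"RPC endpoints will be allocated from {0} (UseInternetPorts={1})" -f ($cfg.Ports -join ','), $cfg.UseInternetPorts

# After the reboot, list every TCP listener that the "135 + range" rule would
# not cover. Each one (SMB, RDP, a service with its own static port, ...)
# needs its own justification before a firewall rule is written for it.
$allowed = @(135) + ($StartPort..$EndPort)
netstat -ano -p tcp | ForEach-Object {
    if ($_ -match '^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$') {
        $port  = [int]$Matches[1]
        $owner = (Get-Process -Id ([int]$Matches[2]) -ErrorAction SilentlyContinue).ProcessName
        if ($allowed -notcontains $port) {
            "Listener not covered by the RPC rule: port $port ($owner)"
        }
    }
}
```

Compare the listener inventory with what the firewall engineers observed: ports seen in traffic but absent here, or listeners here that never appear in traffic, are where the change request and the monitoring data disagree.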
