> If it's a DMZ, that means that the machines in it are untrusted - that's why it's called a DMZ,
Um, no. It just means that it is less trusted than some other system OR will have more external access than some other system. As Ken says, it's all about risk mitigation and containment.

> If you don't trust the machine, you don't make it a member of your domain/forest. Full Stop.

Everything is not just about the trust of the MACHINE.

> I disagree strongly that there are no hard and fast rules, and that risk mitigation is king. If you value your network and data, you protect them in the best way you know how.

Sure, except that "best way" is not going to be the same for any two networks -- even if you're the same person managing them. I've worked at a number of different places, and they have different levels of risk tolerance, different corporate objectives, different data types, etc. A one-size-fits-all solution will utterly fail to provide any value for the business.

At the end of the day, each person or entity determines what level of risk they believe they can afford, and risks outside of that are dealt with in some manner -- some are eliminated, but many others are merely mitigated or minimized.

ASB (My Bio via About.Me <http://about.me/Andrew.S.Baker/bio>)
Exploiting Technology for Business Advantage...

On Thu, Jan 6, 2011 at 9:04 PM, Kurt Buff <[email protected]> wrote:
> I appreciate your retraction, so I'll retract a bit myself and say that the admin needs a bout of training at the minimum, but I stand by my analysis that putting a member server in a DMZ then making a sieve of the firewall is a stupid thing to do.
>
> If it's a DMZ, that means that the machines in it are untrusted - that's why it's called a DMZ, and I know you know this, probably even better than I do. If you don't trust the machine, you don't make it a member of your domain/forest. Full Stop.
>
> I will admit that I haven't heard of all of the various scenarios in the world (or most, or even a lot of them), but I have yet to hear of one that couldn't be better handled than putting a member server in the DMZ.
>
> We have web and SQL server machines in an Internet-facing DMZ, and they are definitely not members of the domain/forest. To get the data we want from them, we reach into the DMZ periodically and fetch it. Something like this can be arranged for anything I've heard of.
>
> I disagree strongly that there are no hard and fast rules, and that risk mitigation is king. If you value your network and data, you protect them in the best way you know how. Heading down the risk mitigation road when you know there are better ways is like taking out a sizable life insurance policy then hopping on your unicycle and going to the market juggling nitroglycerin - you're covered, I suppose, as long as all you care about is the money your beneficiaries get, and bystanders be damned.
>
> Kurt
>
> On Thu, Jan 6, 2011 at 17:42, Ken Schaefer <[email protected]> wrote:
> > I take back the "you don't know what you're talking about" bit - that was harsher than I intended. It was a bit of a gut-reaction to "fire the admin".
> >
> > -----Original Message-----
> > From: Ken Schaefer [mailto:[email protected]]
> > Sent: Friday, 7 January 2011 12:32 PM
> > To: NT System Admin Issues
> > Subject: RE: AD and firewall ports
> >
> > As with anything in security - there are no hard and fast rules - everything is just risk mitigation.
> >
> > Lots of people put member servers in the DMZ. Lots of people have two (or more) DMZs. An internal DMZ could be for devices (like proxy servers, DNS servers) that cater only for outbound communications. External DMZ handles incoming requests.
> > Other people create a separate Forest for their DMZ - and their servers are members of that Forest.
> > Etc.
> >
> > Frankly, it sounds like you don't know what you're talking about.
> >
> > Cheers
> > Ken
> >
> > -----Original Message-----
> > From: Kurt Buff [mailto:[email protected]]
> > Sent: Friday, 7 January 2011 11:56 AM
> > To: NT System Admin Issues
> > Subject: Re: AD and firewall ports
> >
> > Get a new admin.
> >
> > Putting an AD member server in a DMZ is stupid.
> >
> > You will have broken the security model for your production environment by doing this.
> >
> > Kurt
> >
> > On Wed, Jan 5, 2011 at 16:53, joseph palmieri <[email protected]> wrote:
> >>
> >> Need assistance with firewall ports and Active Directory. Our server admin submitted a change request to open over 1000 ports to support AD. The change was denied and resubmitted requesting a minimum of 100 ports to support RPC communications to a member server within our DMZ. Our firewall engineers stated that while monitoring the firewall only 20 ports were communicated over and 100 ports are not needed.
> >>
> >> Has anyone had experience with this issue and can provide some clarity… are the server admins looking for an easy way out by requesting all these ports?
> >
> > ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
> > ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
> >
> > ---
> > To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/
> > or send an email to [email protected]
> > with the body: unsubscribe ntsysadmin
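Joseph's firewall engineers sized the request by watching what actually crossed the firewall. The script below is an added example, not code from the thread or from any list member: it tallies allowed flows from a DMZ member server to its domain controller over constructed log lines in a hypothetical key=value format, separates the fixed AD service ports from hits in the RPC dynamic range, and reports the distinct port count, which is the evidence a change request like the one described should carry. The fixed-port table and the 49152-65535 dynamic range are assumptions noted in the comments, and the regex must be adapted to a real firewall's log syntax.

```python
import re

# Fixed ports a member server uses toward its DCs (assumed table based on
# Microsoft's documented AD port requirements; not taken from the thread).
AD_FIXED_PORTS = {53: "DNS", 88: "Kerberos", 123: "NTP", 135: "RPC endpoint mapper",
                  389: "LDAP", 445: "SMB", 464: "kpasswd", 636: "LDAPS",
                  3268: "Global Catalog", 3269: "Global Catalog over TLS"}
RPC_DYNAMIC = range(49152, 65536)  # default RPC dynamic range, Server 2008 and later

# Hypothetical key=value log format; adapt the regex to your firewall's syslog.
LOG_RE = re.compile(r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) proto=(?P<proto>tcp|udp) "
                    r"dport=(?P<dport>\d+) action=(?P<action>allow|deny)")

def parse_line(line):
    m = LOG_RE.search(line)
    return None if m is None else {**m.groupdict(), "dport": int(m["dport"])}

def classify_port(port):
    if port in AD_FIXED_PORTS:
        return "fixed"
    return "rpc_dynamic" if port in RPC_DYNAMIC else "other"

def port_summary(lines, dmz_hosts, dc_hosts):
    """Distinct allowed (proto, port) pairs for DMZ->DC flows, bucketed by kind."""
    buckets = {"fixed": set(), "rpc_dynamic": set(), "other": set()}
    for line in lines:
        rec = parse_line(line)  # denied, unparsable and unrelated flows are skipped
        if rec and rec["action"] == "allow" and rec["src"] in dmz_hosts and rec["dst"] in dc_hosts:
            buckets[classify_port(rec["dport"])].add((rec["proto"], rec["dport"]))
    return buckets

def distinct_port_count(summary):
    return len({port for bucket in summary.values() for _proto, port in bucket})

# Constructed sample: 10.1.1.5 is the DMZ member server, 192.168.0.10 the DC.
SAMPLE_LOG = """\
src=10.1.1.5 dst=192.168.0.10 proto=udp dport=53 action=allow
src=10.1.1.5 dst=192.168.0.10 proto=tcp dport=88 action=allow
src=10.1.1.5 dst=192.168.0.10 proto=tcp dport=135 action=allow
src=10.1.1.5 dst=192.168.0.10 proto=tcp dport=389 action=allow
src=10.1.1.5 dst=192.168.0.10 proto=tcp dport=49158 action=allow
src=10.1.1.5 dst=192.168.0.10 proto=tcp dport=49158 action=allow
src=10.1.1.5 dst=192.168.0.10 proto=tcp dport=49201 action=allow
src=10.1.1.5 dst=192.168.0.10 proto=tcp dport=3389 action=deny
src=10.1.1.6 dst=192.168.0.10 proto=tcp dport=1433 action=allow
""".splitlines()

if __name__ == "__main__":
    print(port_summary(SAMPLE_LOG, {"10.1.1.5"}, {"192.168.0.10"}))
```

Ports that land in the "other" bucket over a long capture window are the ones worth explaining before a rule for them is written.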
