Security Basics mailing list archives
Re: Question about DMZ Domain Member and Virus Membership
From: Ansgar -59cobalt- Wiechers <bugtraq () planetcobalt net>
Date: Mon, 20 Mar 2006 21:10:52 +0100
On 2006-03-19 Adam T wrote:
> I would like to know what is the best practice method to configure Windows Servers in the DMZ. Should they be a part of the domain and therefore open ports to allow authentication?
Most definitely not. Allowing connections from DMZ to LAN is a very bad thing and should only be done if you know EXACTLY what you're doing.
> Or should they be kept as standalone servers?
Maybe it's possible to replicate the relevant portion of the authentication data from the DC to the DMZ servers. If not, it is better to leave them as standalone servers.
> I also have my virus scanners on these machines, but they are not in contact with the Primary Virus Server. Should I allow these ports through the firewall?
No. Push the definition files from your primary server to a server in the DMZ and have the virus scanners update their definitions from this server. If you need the logs: pull/query them from the LAN.

Regards
Ansgar Wiechers
--
"All vulnerabilities deserve a public fear period prior to patches becoming available."
--Jason Coombs on Bugtraq
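
Added example, not part of the original message: a small audit of a firewall ruleset for the property the reply insists on, namely that connections are initiated from the LAN into the DMZ (push definitions, pull logs) and never the other way round. The addresses, ports and rule tuples are constructed assumptions for illustration.

```python
import ipaddress

# Constructed addressing plan (assumption, not from the original post).
LAN = ipaddress.ip_network("10.0.0.0/24")
DMZ = ipaddress.ip_network("192.168.100.0/24")

# Constructed stateful ruleset: each rule names the side that INITIATES
# the connection. Fields: action, source, destination, dst port, purpose.
RULES = [
    ("allow", "10.0.0.20/32", "192.168.100.5/32", 445, "push AV definitions to DMZ mirror"),
    ("allow", "10.0.0.20/32", "192.168.100.0/24", 445, "pull scanner logs from the LAN side"),
    ("allow", "192.168.100.0/24", "192.168.100.5/32", 80, "DMZ scanners update from DMZ mirror"),
    ("allow", "192.168.100.0/24", "10.0.0.10/32", 88, "Kerberos from DMZ members to DC"),
    ("allow", "192.168.100.0/24", "10.0.0.10/32", 389, "LDAP from DMZ members to DC"),
    ("allow", "0.0.0.0/0", "10.0.0.20/32", 443, "any host to LAN AV console"),
    ("deny", "192.168.100.0/24", "10.0.0.0/24", None, "default deny DMZ to LAN"),
]


def dmz_to_lan_violations(rules, dmz=DMZ, lan=LAN):
    """Return allow rules that let a DMZ host initiate a connection into the LAN.

    overlaps() is used instead of subnet_of() so that broad sources such as
    0.0.0.0/0, which silently include the DMZ, are caught too. Rule order
    (shadowing by an earlier deny) is ignored, so the result is conservative.
    """
    findings = []
    for action, src, dst, port, purpose in rules:
        if action != "allow":
            continue
        src_net = ipaddress.ip_network(src)
        dst_net = ipaddress.ip_network(dst)
        if src_net.overlaps(dmz) and dst_net.overlaps(lan):
            findings.append((src, dst, port, purpose))
    return findings


if __name__ == "__main__":
    for src, dst, port, purpose in dmz_to_lan_violations(RULES):
        print(f"DMZ-initiated flow into LAN: {src} -> {dst}:{port} ({purpose})")
```

The two domain-membership rules and the "any" rule are reported; the push and pull rules initiated from the LAN and the DMZ-internal update rule are not.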