Security Basics mailing list archives
Re: Webserver on a DMZ still needed?
From: MaddHatter <maddhatt+securitybasics () cat pdx edu>
Date: Wed, 6 Sep 2006 00:00:24 -0700
Davie Elliott - Eluse <delliott () eluse co uk> said (on 2006/09/03):
... built the network, I made the Exchange server its own Domain Controller.
I'm not an expert in Exchange, but VPNs can do wonders for making "internal" applications accessible to the world in a reasonably secure way.
From a security standpoint, I would argue strongly against domain controllers being available to public network traffic (and attack). Not to disregard the internal threat -- which is just as serious -- but the DC is literally the keys to your kingdom. A compromise of the DC would (theoretically) give the attacker the ability to recover ALL user passwords and computer passwords in that domain. In my experience, forcing all users to change their password and resetting all the computer accounts because of an Exchange server compromise wouldn't be practical or acceptable. (Exchange isn't special -- the same consideration would be given to any application.)

Kerberos requires all possible effort be made to secure a single entity (the DC in Windows) so that less trust is required in other entities (user and computer accounts). Less trust means less risk, which means less effort is necessary to secure those non-DC entities. I guess one could say risk is concentrated at a single point instead of being distributed. And you probably don't want that single point of high risk being on the "external" network.
Current thread:
- Webserver on a DMZ still needed? Davie Elliott - Eluse (Sep 05)
- RE: Webserver on a DMZ still needed? Peter Marshall (Sep 05)
- RE: Webserver on a DMZ still needed? Robert D. Holtz - Lists (Sep 05)
- RE: Webserver on a DMZ still needed? Murda Mcloud (Sep 06)
- RE: Webserver on a DMZ still needed? Steve Armstrong (Sep 06)
- Re: Webserver on a DMZ still needed? Micheal Espinola Jr (Sep 07)
- Re: Webserver on a DMZ still needed? MandommGmail (Sep 05)
- Re: Webserver on a DMZ still needed? irado furioso com tudo (Sep 05)
- Re: Webserver on a DMZ still needed? MaddHatter (Sep 06)
- <Possible follow-ups>
- RE: Webserver on a DMZ still needed? Verma, Neeraj K (Sep 05)
- Re: Webserver on a DMZ still needed? lexnlondon (Sep 05)
- Re: RE: Webserver on a DMZ still needed? vikas . leekha (Sep 06)
- RE: Webserver on a DMZ still needed? Peter Marshall (Sep 05)