Security Basics mailing list archives
Re: secure sharepoint 2010 design
From: Ansgar Wiechers <bugtraq () planetcobalt net>
Date: Wed, 11 Aug 2010 11:00:04 +0200
On 2010-08-10 Boyd, Chad wrote:
My DC's are segmented from my workstations. http://www.sans.org/reading_room/whitepapers/hsoffice/design-secure-network-segmentation-approach_1645 (PDF)
I didn't say it can't be done, I said it's pointless to do it. While most of the advice in that PDF is good in general, implementing the firewall traffic map from chapter 3 will break a Windows domain. See MSKB 832017 [1] for an overview of the required ports for various Windows services, particularly NetBIOS, DirectSMB, NetLogon and Group Policy. BTW, (client-side) DNS requires port 53/tcp in addition to port 53/udp. It's a common misunderstanding that port 53/tcp is used only for zone transfers. DNS also uses TCP connections when an answer to a name lookup is too large for a single UDP packet.
To be clear, proper network segmentation can be a pain to set up...and can be a bit expensive depending on the environment, but:
- Once it is set up, the security makes me sleep a bit better at night.
- If there's some crazy virus outbreak or compromise, it's a lot harder for an attacker to take down everything.
True in general, but not for (Windows) DCs. [...]
Why do you lock your car doors? When you trust the person you locked in the front seat to never unlock the car, why worry?
Going with this analogy: placing your DCs in a different network segment is like locking your car doors with all the windows open.

[1] http://support.microsoft.com/kb/832017/

Regards
Ansgar Wiechers
-- 
"All vulnerabilities deserve a public fear period prior to patches becoming available."
--Jason Coombs on Bugtraq
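The point about the port map in the SANS paper versus the list in KB 832017 is easy to check empirically before a firewall rule goes live. The script below is an added example, not part of the original message or the KB article: run from a domain-joined workstation in the "segmented" network, it probes the TCP ports a member needs to reach on a DC according to KB 832017 and then forces a DNS lookup over TCP, which is the case most port maps miss. The DC name `dc01.example.local` is a placeholder; `Test-NetConnection` and `Resolve-DnsName` need Windows 8 / Server 2012 or later. UDP ports cannot be probed this way and are only listed, so a clean report does not mean the UDP side is correct.

```powershell
# Added example: verify DC reachability from a domain member through a firewall.
# Port list taken from MSKB 832017; the DC name is a placeholder (assumption).
param(
    [string]$Dc = 'dc01.example.local'
)

# TCP ports a domain member must reach on a DC (KB 832017). Blocking any of these
# breaks logon, Group Policy or name resolution in some scenario.
$tcpPorts = @{
    53   = 'DNS over TCP (answers too large for one UDP packet)'
    88   = 'Kerberos (TCP is used for large tickets)'
    135  = 'RPC endpoint mapper (NetLogon, replication)'
    139  = 'NetBIOS session service'
    389  = 'LDAP'
    445  = 'SMB / DirectSMB (NetLogon, SYSVOL, Group Policy)'
    464  = 'Kerberos password change'
    636  = 'LDAP over SSL'
    3268 = 'Global catalog'
    3269 = 'Global catalog over SSL'
}

# UDP ports from the same KB article; Test-NetConnection cannot probe UDP,
# so these are reported as "not tested" rather than silently omitted.
$udpPorts = @(53, 88, 123, 137, 138, 389, 464)

$results = foreach ($port in ($tcpPorts.Keys | Sort-Object)) {
    $tnc = Test-NetConnection -ComputerName $Dc -Port $port -WarningAction SilentlyContinue
    [pscustomobject]@{
        Port    = $port
        Proto   = 'tcp'
        Service = $tcpPorts[$port]
        Open    = $tnc.TcpTestSucceeded
    }
}
$results | Format-Table -AutoSize

"UDP ports required but not probed here: $($udpPorts -join ', ')"

# RPC over 135 only hands out an endpoint; the actual call goes to a dynamic
# port (49152-65535 on Windows Server 2008 and later, 1025-5000 on 2003, per
# KB 832017). A rule that allows 135/tcp but not the dynamic range still
# breaks NetLogon, DFS referrals and Group Policy processing.
"Reminder: the RPC dynamic port range (49152-65535 on 2008+) must also be open."

# Force a DNS lookup over TCP. The DC-locator SRV record set is a realistic
# candidate for exceeding a single UDP packet in a site with many DCs, which
# is exactly when a '53/udp only' rule starts failing.
$domain = ($Dc -split '\.', 2)[1]
try {
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$domain" -Type SRV `
                           -Server $Dc -TcpOnly -ErrorAction Stop
    "DNS over TCP OK: $(@($srv).Count) SRV record(s) returned by $Dc"
} catch {
    "DNS over TCP FAILED against ${Dc}: $($_.Exception.Message)"
}

# Any port reported Open = False, or a failed TCP lookup, means the
# segmentation rules are stricter than the domain can tolerate.
```

A failing DNS-over-TCP check with a passing 53/udp rule is the concrete form of the misunderstanding described above: small lookups work, so the rule looks correct, until a large answer (a long SRV set, DNSSEC data) is truncated and the client retries over TCP and is dropped.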