Firewall Wizards mailing list archives

RE: Firewall Rules for NT Server and PDC


From: "Scott, Richard" <Richard.Scott () BestBuy com>
Date: Tue, 10 Jul 2001 21:28:38 -0500

----> snip

"Volker Tanger" <volker.tanger () detewe de> wrote:
The connection NT-webserver and PDC necessarily is symmetrical. 
You will probably need to open both tcp & udp 135, 137-139 and
1024+ in both directions with no questions asked.

What you need is to allow udp137, udp138 and tcp139 (often called the NBT
ports). Open them exclusively between the web-server and the PDC. There's no
need for the high ports. (Tested with NT4SP6a on both servers.)

But with doing 
that you will grant the web server and thus all hackers attacking
it (seen the latest IIS exploits yet?) all access to your 
internal system(s).

Assuming the web server is on its own interface in the firewall like this

    INET---FW---WEB
            |
            |
           LAN

and assuming you've made sure nothing but HTTP(S) can reach your
web-server(s) from the Internet:

Attackers need to gain control over the web-server by cracking the
web-service through HTTP, then crack the PDC through NBT (typically
password-cracking or -sniffing). That's when they're finally in and can do
everything imaginable to your internal net.

You obviously want to make sure both the PDC and the web-server are locked
down tight and patched, and that the developers of your webserver make their
scripts/applications secure.

<<<-snip


I've seen quite a few implementations of this, but honestly, the
architectures I see going forward remove the need for a Domain in a web
farm.  If this is too complicated and you must have a PDC, I would logically
group your web server and PDC together and keep company accounts on a
separate domain control and have no trust relationship.  Are you actually
granting access to services using NT's authentication for the reason you
need a PDC?

Cheers
r.
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards
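The minimal rule set Volker describes (the three NBT ports only, only between the web server and the PDC, nothing else from the web segment into the LAN, and only HTTP(S) from the Internet to the web server) is easiest to check as a default-deny policy with exactly two permit rules. The Python model below is an added example written for this archive page, not code from either poster; the addresses, the three-legged firewall topology with its LAN and DMZ ranges, and the iptables rendering are all assumptions (the thread names no firewall product). It evaluates constructed flows against the policy and renders the same policy as iptables FORWARD rules, so the reader can see that RPC/135, the 1024+ high ports, and every other LAN host stay blocked even if the web server is compromised.

```python
"""Default-deny model of the NBT-only rule set discussed in the thread.

Added example for this archive page; topology and addresses are constructed.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address, ip_network

# Constructed topology (assumption, not from the thread): the firewall has
# three legs, Internet / web DMZ / LAN, and the PDC lives on the LAN.
# Addresses are RFC 5737 documentation and RFC 1918 placeholders.
WEB = ip_address("192.0.2.10")          # web server on its own firewall leg
PDC = ip_address("10.0.0.5")            # primary domain controller on the LAN
DMZ = ip_network("192.0.2.0/24")        # web server segment
LAN = ip_network("10.0.0.0/24")         # internal network
INTERNET_HOST = ip_address("198.51.100.7")  # constructed external client

# The NBT ports Volker names: NetBIOS name (udp/137), datagram (udp/138),
# session (tcp/139).  Deliberately absent: tcp/udp 135 and the 1024+ range.
NBT_PORTS = frozenset({("udp", 137), ("udp", 138), ("tcp", 139)})
# The only thing the Internet may reach on the web server.
WEB_PORTS = frozenset({("tcp", 80), ("tcp", 443)})


@dataclass(frozen=True)
class Flow:
    """One packet/connection attempt as the firewall sees it."""
    src: IPv4Address
    dst: IPv4Address
    proto: str      # "tcp" or "udp"
    dport: int


def is_internet(addr: IPv4Address) -> bool:
    """Anything that is neither on the LAN nor in the DMZ is 'outside'."""
    return addr not in LAN and addr not in DMZ


def allowed(flow: Flow) -> bool:
    """Default deny; only the two permit rules from the thread match."""
    key = (flow.proto, flow.dport)
    # Rule 1: only HTTP(S) from the Internet may reach the web server.
    if is_internet(flow.src) and flow.dst == WEB and key in WEB_PORTS:
        return True
    # Rule 2: NBT, and only NBT, exclusively between web server and PDC,
    # in both directions (the relationship is symmetrical).  Any other LAN
    # host, port or protocol from the web server is dropped.
    if {flow.src, flow.dst} == {WEB, PDC} and key in NBT_PORTS:
        return True
    return False


def iptables_rules() -> list[str]:
    """Render the policy as Linux iptables FORWARD rules (one concrete
    syntax chosen for illustration; the thread does not name a product)."""
    rules = [
        "iptables -P FORWARD DROP",
        "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT",
    ]
    for proto, port in sorted(WEB_PORTS):
        rules.append(f"iptables -A FORWARD -p {proto} ! -s {LAN} ! -s {DMZ} "
                     f"-d {WEB} --dport {port} -j ACCEPT")
    for proto, port in sorted(NBT_PORTS):
        for a, b in ((WEB, PDC), (PDC, WEB)):
            rules.append(f"iptables -A FORWARD -p {proto} -s {a} -d {b} "
                         f"--dport {port} -j ACCEPT")
    return rules


if __name__ == "__main__":
    samples = [
        Flow(INTERNET_HOST, WEB, "tcp", 80),      # allowed: public web
        Flow(INTERNET_HOST, WEB, "tcp", 139),     # denied: NBT from outside
        Flow(WEB, PDC, "udp", 137),               # allowed: NBT to PDC
        Flow(PDC, WEB, "tcp", 139),               # allowed: symmetrical
        Flow(WEB, PDC, "tcp", 135),               # denied: RPC not needed
        Flow(WEB, PDC, "tcp", 1025),              # denied: no high ports
        Flow(WEB, ip_address("10.0.0.20"), "tcp", 139),  # denied: other host
    ]
    for f in samples:
        print(f"{f.src} -> {f.dst} {f.proto}/{f.dport}: "
              f"{'ACCEPT' if allowed(f) else 'DROP'}")
    print("\n".join(iptables_rules()))
```

Running the block prints the verdict for each constructed flow followed by the rendered rule set. The point of the model is the second permit rule: it is keyed on the unordered pair {WEB, PDC}, so a compromised web server gets nothing from the LAN except three NBT ports on one host, which is exactly the exposure Volker describes as the remaining attack path.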