Firewall Wizards mailing list archives
RE: Firewall Rules for NT Server and PDC
From: "Scott, Richard" <Richard.Scott () BestBuy com>
Date: Tue, 10 Jul 2001 21:28:38 -0500
----> snip "Volker Tanger" <volker.tanger () detewe de> wrote:
The connection NT-webserver and PDC necessarily is symmetrical. You will probably need to open both tcp & udp 135, 137-139 and 1024+ in both directions with no questions asked.
What you need is to allow udp137, udp138 and tcp139 (often called the NBT ports). Open them exclusively between the web-server and the PDC. There's no need for the high ports. (Tested with NT4SP6a on both servers.)
But with doing that you will grant the web server and thus all hackers attacking it (seen the latest IIS exploits yet?) all access to your internal system(s).
Assuming the web server is on its own interface in the firewall like this INET---FW---WEB | | LAN and assuming you've made sure nothing but HTTP(S) can reach your web-server(s) from the Internet: Attackers need to gain control over the web-server by cracking the web-service through HTTP, then crack the PDC through NBT (typically password-cracking or -sniffing). That's when they're finally in and can do everything imaginable to your internal net. You obviously want to make sure both the PDC and the web-server are locked down tight and patched, and that the developers of your webserver make their scripts/appliations secure. <<<-snip I've seen quite a few implementations of this, but honestly, the architectures I see going forward remove the need for a Domain in a web farm. If this is too complicated and you must have a PDC, I would logically group your web server and PDC togethor and keep company accounts on a separate domain control and have no trust relationship. Are you actually granting access to services using NT's authentication for the reason you need a PDC? Cheers r. _______________________________________________ firewall-wizards mailing list firewall-wizards () nfr com http://www.nfr.com/mailman/listinfo/firewall-wizards
Current thread:
- Firewall Rules for NT Server and PDC Ernest Opoku-Agyemang (Jul 03)
- Re: Firewall Rules for NT Server and PDC Volker Tanger (Jul 05)
- <Possible follow-ups>
- Re: Firewall Rules for NT Server and PDC Bjørnar B . Larsen (Jul 07)
- RE: Firewall Rules for NT Server and PDC Dawes, Rogan (ZA - Johannesburg) (Jul 09)
- RE: Firewall Rules for NT Server and PDC Benjamin P. Grubin (Jul 11)
- RE: Firewall Rules for NT Server and PDC Scott, Richard (Jul 11)
- Re: Firewall Rules for NT Server and PDC Volker Tanger (Jul 12)
- RE: Firewall Rules for NT Server and PDC Dawes, Rogan (ZA - Johannesburg) (Jul 11)
- Re: Firewall Rules for NT Server and PDC Patrick Giagnocavo (Jul 12)
- RE: Firewall Rules for NT Server and PDC Benjamin P. Grubin (Jul 13)
- RE: Firewall Rules for NT Server and PDC Ben Nagy (Jul 12)
- RE: Firewall Rules for NT Server and PDC Benjamin P. Grubin (Jul 13)
- RE: Firewall Rules for NT Server and PDC Jeroen Veeren (Jul 13)