Firewall Wizards mailing list archives
RE: Firewall Rules for NT Server and PDC
From: Ben Nagy <ben.nagy () marconi com au>
Date: Thu, 12 Jul 2001 10:25:36 +1000
-----Original Message-----
From: Benjamin P. Grubin [mailto:bgrubin () pobox com]
Sent: Wednesday, July 11, 2001 11:20 AM
To: 'Dawes, Rogan (ZA - Johannesburg)'
Cc: firewall-wizards () nfr com
Subject: RE: [fw-wiz] Firewall Rules for NT Server and PDC

> I would never try and convince anyone that NBT or windows networking is safe to pass through a firewall, but this example is bogus. psexec does nothing sexy, it is equivalent to rexec on the un*x platform, which has existed for eons. In order to make use of a tool like this, a trust relationship would have to be exploited.
It's a long time since I got my MCSE (ssh, don't tell!), but AFAIK trusts are only between domains. Servers in the same domain always trust each other by default, and you can only lock things down further with user permissions. I'm assuming that you know this, but one could easily get the wrong impression from the way you phrase things.
> Allowing this trust relationship to exist between something like an IIS web server in a DMZ to a PDC, member server, or workstation on a LAN is the *real* security issue, not the existence of tools like psexec OR allowing NBT through a firewall.
Well, as you mentioned (which is snipped), good practice dictates that your DMZ servers should never be in the same domain as any of your internal servers. I normally rip all the NetBIOS stuff out of DMZ servers completely, but that will break some things. If your DMZ servers are in a different domain, and you need NetBIOS, then trusts _are_ the best way to arrange it.
> Compromising a domain member server SHOULD NOT compromise your domain. [...]
I don't understand why not. At best you need to find / guess / sniff a username and password. You've obviously got some ideas here that you didn't elaborate on - could you be more explicit?
> Remember, firewalls are not the complete solution.[...]
That's assuming they're a solution at all. ;)
> Cheers, Ben
> ----
> Benjamin P. Grubin bgrubin () pobox com
> PGP Fingerprint: EDE9 A88F 3BCC 514A F310 FEFB 7109 2380
Cheers,
--
Ben Nagy
Network Security Specialist
Marconi Services Australia Pty Ltd
Mb: +61 414 411 520
PGP Key ID: 0x1A86E304
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards
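The exchange above turns on two things: whether NBT/SMB traffic from a DMZ host can reach the LAN at all, and whether a DMZ host shares a domain (or trust) with internal machines. The first is a firewall-rule question, and it is worth making concrete which ports are involved: NetBIOS over TCP/IP uses UDP 137/138 and TCP 139, and Windows 2000 and later also speak SMB directly on TCP 445; psexec-style remote execution rides on exactly those SMB paths. The following is an added example, not code from the original thread or from either poster: a minimal first-match packet-filter evaluator with a "weak" DMZ-to-LAN policy beside a hardened one, used to check which of those paths a compromised DMZ host could still reach. The zone addresses, the 192.0.2.10 DMZ host, the 10.0.0.1 LAN host and the syslog allow rule are all constructed for illustration.

```python
"""Added example (not part of the original thread): a minimal first-match
packet-filter evaluator, used to check that a DMZ->LAN policy actually closes
the NetBIOS/SMB paths that tools like psexec ride on.  Zone names, addresses
and the rule lists are constructed for illustration."""
from dataclasses import dataclass
import ipaddress

# Constructed zones (assumption: DMZ is 192.0.2.0/24, LAN is 10.0.0.0/8).
ZONES = {
    "DMZ": ipaddress.ip_network("192.0.2.0/24"),
    "LAN": ipaddress.ip_network("10.0.0.0/8"),
    "ANY": ipaddress.ip_network("0.0.0.0/0"),
}

# Ports used by NetBIOS over TCP/IP (137/138/139) and by direct-hosted SMB
# on TCP 445 (Windows 2000 and later).
NBT_SMB = {("udp", 137), ("udp", 138), ("tcp", 139), ("tcp", 445)}


@dataclass(frozen=True)
class Rule:
    action: str        # "allow" or "deny"
    src: str           # source zone name
    dst: str           # destination zone name
    proto: str         # "tcp", "udp" or "any"
    dports: frozenset  # destination ports; empty set means any port


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    proto: str
    dport: int


def rule_matches(rule, flow):
    """True if the flow falls inside the rule's zones, protocol and ports."""
    return (ipaddress.ip_address(flow.src_ip) in ZONES[rule.src]
            and ipaddress.ip_address(flow.dst_ip) in ZONES[rule.dst]
            and rule.proto in ("any", flow.proto)
            and (not rule.dports or flow.dport in rule.dports))


def evaluate(rules, flow, default="deny"):
    """First matching rule wins; an implicit default-deny closes the list."""
    for rule in rules:
        if rule_matches(rule, flow):
            return rule.action
    return default


# Weak policy: the DMZ web server is allowed to talk to the LAN on anything,
# typically because it is a member of the internal domain and "needs the PDC".
WEAK_POLICY = [
    Rule("allow", "DMZ", "LAN", "any", frozenset()),
    Rule("allow", "ANY", "DMZ", "tcp", frozenset({80, 443})),
]

# Hardened policy: explicit denies for NBT/SMB from DMZ to LAN first, then only
# the flows the DMZ host genuinely needs (constructed here: syslog to the LAN),
# then default deny.  The explicit denies are redundant with default-deny today
# but survive a later, broader "allow DMZ->LAN" rule being appended below them.
HARDENED_POLICY = [
    Rule("deny", "DMZ", "LAN", "udp", frozenset({137, 138})),
    Rule("deny", "DMZ", "LAN", "tcp", frozenset({139, 445})),
    Rule("allow", "DMZ", "LAN", "udp", frozenset({514})),
    Rule("allow", "ANY", "DMZ", "tcp", frozenset({80, 443})),
]


def psexec_paths_open(rules, src_ip="192.0.2.10", dst_ip="10.0.0.1"):
    """Return the NBT/SMB (proto, port) pairs a compromised DMZ host could
    still reach on the given LAN host under this rule list."""
    return sorted(pp for pp in NBT_SMB
                  if evaluate(rules, Flow(src_ip, dst_ip, pp[0], pp[1])) == "allow")


if __name__ == "__main__":
    print("weak policy leaves open:", psexec_paths_open(WEAK_POLICY))
    print("hardened policy leaves open:", psexec_paths_open(HARDENED_POLICY))
```

Under the weak policy all four NBT/SMB paths from the DMZ host to the LAN are open; under the hardened one none are, while the syslog flow and inbound HTTP to the DMZ still pass. Note that closing these ports does not by itself address the second point in the thread: a DMZ host that remains a member of the internal domain still holds credentials and relationships that matter the moment any path (or a rule change) reopens.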
Current thread:
- Firewall Rules for NT Server and PDC Ernest Opoku-Agyemang (Jul 03)
- Re: Firewall Rules for NT Server and PDC Volker Tanger (Jul 05)
- <Possible follow-ups>
- Re: Firewall Rules for NT Server and PDC Bjørnar B. Larsen (Jul 07)
- RE: Firewall Rules for NT Server and PDC Dawes, Rogan (ZA - Johannesburg) (Jul 09)
- RE: Firewall Rules for NT Server and PDC Benjamin P. Grubin (Jul 11)
- RE: Firewall Rules for NT Server and PDC Scott, Richard (Jul 11)
- Re: Firewall Rules for NT Server and PDC Volker Tanger (Jul 12)
- RE: Firewall Rules for NT Server and PDC Dawes, Rogan (ZA - Johannesburg) (Jul 11)
- Re: Firewall Rules for NT Server and PDC Patrick Giagnocavo (Jul 12)
- RE: Firewall Rules for NT Server and PDC Benjamin P. Grubin (Jul 13)
- RE: Firewall Rules for NT Server and PDC Ben Nagy (Jul 12)
- RE: Firewall Rules for NT Server and PDC Benjamin P. Grubin (Jul 13)
- RE: Firewall Rules for NT Server and PDC Jeroen Veeren (Jul 13)