Firewall Wizards mailing list archives
RE: safety of unidirectional NT trusts
From: Henry Sieff <hsieff () orthodon com>
Date: Wed, 16 Jan 2002 14:31:13 -0600
-----Original Message-----
From: Jonas Anden [mailto:dajudge () home se]
Sent: Tuesday, January 15, 2002 9:18 AM
To: firewall-wizards () nfr net
Cc: hermit921
Subject: Re: [fw-wiz] safety of unidirectional NT trusts

> I have been tasked with permitting M$ networking access between an NT
> server on the DMZ and other Windows machines behind the firewall. My plan
> is to not let the DMZ machine initiate any connections to the internal
> machines, but they can initiate connections to the DMZ machine. The DMZ
> machine should be set up to trust the internal machine, but the internal
> machine should not trust the DMZ machine; I know I can't control this on
> the firewall. I don't know much about M$ networking, I don't get to make
> decisions, I just implement firewall rules whether I like them or not.
>
> Is that setup at all possible?

To have the DMZ server trust the internal DC, it needs to connect to the DC. I suggest you do not have any trust relationships set up between the DMZ and the internal network. I'm not a M$ hacker either, but that's just my $0.02.
You are correct. One-way trust still requires the same ports as two-way trusts. You can use PPTP to establish a trust relationship, but you are still sort-of bypassing some of the DMZ's benefit no matter what you do.

Henry

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
Current thread:
- RE: safety of unidirectional NT trusts Henry Sieff (Jan 16)
- <Possible follow-ups>
- RE: safety of unidirectional NT trusts Jeroen Veeren (Jan 17)
- Re: safety of unidirectional NT trusts Jeff Boles (Jan 17)
- Re: safety of unidirectional NT trusts Bill_Royds (Jan 18)