Firewall Wizards mailing list archives

Re: safety of unidirectional NT trusts


From: "Jeff Boles" <bolesjb () yahoo com>
Date: Thu, 17 Jan 2002 06:49:18 -0700

I'd look at your primary concern being that any compromise of a trusted
machine, especially with MS Networking access to the rest of the network,
potentially completely compromises your entire domain. I.e., now as a
trusted machine, attacks have the potential of focusing on a domain admin
account rather than just a local admin account. This will pretty much be
the same regardless of whether you're using multiple domains with trusts, or
the same domain.

As a recommendation, I would review the requirements of this request, and
see if maybe the same functionality could be implemented through another IP
filesharing of some kind, i.e. FTP.  If you have no other choice, I'd
recommend looking into something like some of Watchguard's ServerLock type
products, or some other means of host protection which might limit
opportunities.  Granted, you'll get added admin overhead, but this might be
better than nothing.

JB

Subject: Re: [fw-wiz] safety of unidirectional NT trusts
From: Jonas Anden <dajudge () home se>
To: firewall-wizards () nfr net
Cc: hermit921 <hermit921 () yahoo com>
Date: 15 Jan 2002 16:17:35 +0100

I have been tasked with permitting M$ networking access between an NT
server on the DMZ and other Windows machines behind the firewall.  My plan
is to not let the DMZ machine initiate any connections to the internal
machines, but they can initiate connections to the DMZ machine.  The DMZ
machine should be set up to trust the internal machine, but the internal
machine should not trust the DMZ machine; I know I can't control this on
the firewall.  I don't know much about M$ networking, I don't get to make
decisions, I just implement firewall rules whether I like them or not.

Is that setup at all possible? To have the DMZ server trust the internal
DC, it needs to connect to the DC. I suggest you do not have any
trust relationships set up between the DMZ and the internal network.

I'm not a M$ hacker either, but that's just my $0.02.

  // J

