Firewall Wizards mailing list archives
Re: safety of unidirectional NT trusts
From: Bill_Royds () pch gc ca
Date: Thu, 17 Jan 2002 16:57:06 -0500
Symantec's Enterprise Firewall (formerly Raptor) has an application proxy for smb/cifs file sharing that can filter out directionality and command features (allow reads but not writes etc.). This might help in your case. It does not allow a trust relationship, just simple share level stuff.

Bill Royds
Acting System Administrator, Canadian Heritage Information Network
(819) 994-1200 X 239

"Jeff Boles" <bolesjb () yahoo com>, 01/17/02 08:49 AM
Please respond to bolesjb
To: firewall-wizards@nfr.net
cc: hermit921 () yahoo com (bcc: Bill Royds/HullOttawa/PCH/CA)
Subject: Re: [fw-wiz] safety of unidirectional NT trusts

I'd look at your primary concern being that any compromise of a trusted machine, especially with MS Networking access to the rest of the network, potentially completely compromises your entire domain. I.e., now as a trusted machine, attacks have the potential of focusing on a domain admin account rather than just a local admin account. This will pretty much be the same regardless of whether you're using multiple domains with trusts, or the same domain. As a recommendation, I would review the requirements of this request, and see if maybe the same functionality could be implemented through another IP filesharing of some kind, i.e. FTP. If you have no other choice, I'd recommend looking into something like some of Watchguard's ServerLock type products, or some other means of host protection which might limit opportunities. Granted, you'll get added admin overhead, but this might be better than nothing.
JB

Message: 5
Subject: Re: [fw-wiz] safety of unidirectional NT trusts
From: Jonas Anden <dajudge () home se>
To: firewall-wizards () nfr net
Cc: hermit921 <hermit921 () yahoo com>
Date: 15 Jan 2002 16:17:35 +0100
I have been tasked with permitting M$ networking access between an NT server on the DMZ and other Windows machines behind the firewall. My plan is to not let the DMZ machine initiate any connections to the internal machines, but they can initiate connections to the DMZ machine. The DMZ machine should be set up to trust the internal machine, but the internal machine should not trust the DMZ machine; I know I can't control this on the firewall. I don't know much about M$ networking, I don't get to make decisions, I just implement firewall rules whether I like them or not.
Is that setup at all possible?

To have the DMZ server trust the internal DC, it needs to connect to the DC. I suggest you do not have any trust relationships set up between the DMZ and the internal network. I'm not a M$ hacker either, but that's just my $0.02.

// J
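Jonas's point, that a DMZ server which trusts the internal domain must itself connect to the internal DC, can be checked against the rule set hermit921 describes. The following Python model is an added example, not code from the thread: it encodes the stated policy (inside may open SMB sessions to the DMZ server, DMZ may initiate nothing, stateful replies pass) and walks the flows a one-way trust needs. Addresses are constructed, 139/445 are the standard SMB ports, and it is assumed that the trust's logon channel rides SMB to the DC.

```python
import ipaddress

INTERNAL = ipaddress.ip_network("10.0.0.0/8")        # constructed addresses
DMZ = ipaddress.ip_network("192.168.100.0/24")
SMB_PORTS = {139, 445}   # NetBIOS session service and direct-hosted SMB

# The policy stated in the question: internal hosts may open SMB sessions to
# the DMZ server; the DMZ server may not initiate anything toward the inside.
RULES = [("allow", INTERNAL, DMZ, SMB_PORTS)]   # everything else is denied

def open_session(src, dst, dport, state):
    """Evaluate the first packet of a new session. Records the session in
    `state` and returns True if a rule allows it; otherwise returns False."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net, ports in RULES:
        if s in src_net and d in dst_net and dport in ports:
            if action == "allow":
                state.add((src, dst, dport))
                return True
            return False
    return False   # implicit deny

def reply_packet(src, dst, sport, state):
    """Stateful return traffic: allowed only if it answers a recorded session."""
    return (dst, src, sport) in state

def trust_scenario():
    """Walk the flows a DMZ server needs when it trusts an internal domain.
    Assumption (from the reply in the thread): establishing and using that
    trust requires the DMZ server to connect to the internal DC over SMB."""
    state = set()
    client, dmz_srv, dc = "10.1.2.3", "192.168.100.10", "10.0.0.5"  # constructed
    return {
        "internal client -> DMZ share": open_session(client, dmz_srv, 445, state),
        "DMZ share reply -> client": reply_packet(dmz_srv, client, 445, state),
        "DMZ server -> internal DC (trust channel)": open_session(dmz_srv, dc, 445, state),
        "DC reply -> DMZ server": reply_packet(dc, dmz_srv, 445, state),
    }

if __name__ == "__main__":
    for flow, ok in trust_scenario().items():
        print(f"{'ALLOW' if ok else 'DENY':5} {flow}")
```

The share access works in the direction the rules intend, but the session the DMZ server must open to the DC for the trust is dropped, which is why the trust cannot exist under this policy.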