Firewall Wizards mailing list archives
Re: W2K Schema Master in the DMZ?
From: Mikael Olsson <mikael.olsson () clavister com>
Date: Sun, 23 Jun 2002 13:44:32 +0200
david singleton wrote:

> shouldn't we be putting the Schema Master in the DMZ?

Putting it in "the" DMZ sounds like a singularly bad idea if indeed you mean "the place where you stuff the web and mail server". However, if you mean "put it in a separate firewalled segment", yeah it sounds like a good idea.

I've been pondering the gains of this myself, but the question is how much you'd be gaining. I've been meaning to research this for quite some time now, but haven't found the time.

Since a successful attack against a controller further down in the tree can invalidate all authentication and authorization mechanisms in the whole tree, the "root server" (or whatever you want to call it) should be protected somehow... But HOW?

If you need to pass the whole set of SMB/CIFS/AD/etc protocols to the "root server", just how much are you protecting it by putting it in a separate segment? Probably not _too_ much.

But do you need to pass all that? Is it possible to allow only connections initiated by the "root server"? (Does that buy you anything?)

Clearly, I need to read up a _lot_ on the mechanisms involved in MSAD. I'm basically just rambling, but I hope I've provided a few starting points for others to expand upon :)

--
Mikael Olsson, Clavister AB
Storgatan 12, Box 393, SE-891 28 ÖRNSKÖLDSVIK, Sweden
Phone: +46 (0)660 29 92 00 Mobile: +46 (0)70 26 222 05
Fax: +46 (0)660 122 50 WWW: http://www.clavister.com

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
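The post contrasts two ways of firewalling the "root server": passing the whole SMB/CIFS/AD protocol set into its segment, versus allowing only sessions the root server itself initiates. The following is an added illustration of that contrast in nftables syntax; it is not from the thread or from Clavister, and the addresses, interface placement, table names and the port list are assumptions chosen for the example (the RPC dynamic range in particular depends on the Windows version and its configuration). Load one ruleset or the other, not both, since every forward chain in a ruleset is evaluated.

```nft
# Added example, not part of the original post. The firewall sits between the
# segment holding the other domain controllers and the segment holding the
# "root server". All addresses are placeholders.
define root_dc    = 10.0.99.10        # placeholder: the "root server"
define dc_segment = 10.0.10.0/24      # placeholder: the other domain controllers

# Ruleset A, the "pass all of it" placement the post doubts buys much:
# the root server sits in its own segment, but every AD-related port is
# opened toward it from the other controllers.
table inet rootseg_passall {
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state invalid drop
        ct state established,related accept
        # Assumed port list; adjust to what the directory actually needs.
        ip saddr $dc_segment ip daddr $root_dc tcp dport { 88, 135, 139, 389, 445, 636, 3268, 3269 } accept
        ip saddr $dc_segment ip daddr $root_dc udp dport { 53, 88, 123, 389 } accept
        # RPC dynamic range: placeholder, version and configuration dependent.
        ip saddr $dc_segment ip daddr $root_dc tcp dport 49152-65535 accept
        ip saddr $root_dc ip daddr $dc_segment accept
    }
}

# Ruleset B, the "only connections initiated by the root server" idea from
# the post: new sessions are accepted only when the root server opens them;
# anything else aimed at it is logged and dropped, so the log shows exactly
# which inbound traffic the directory would need before anything is opened.
table inet rootseg_rootinit {
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state invalid drop
        ct state established,related accept      # replies to root-initiated sessions
        ip saddr $root_dc ip daddr $dc_segment ct state new accept
        ip daddr $root_dc ct state new log prefix "root-dc-inbound-denied " drop
    }
}
```

Ruleset B makes the policy the post asks about expressible, but whether the directory keeps working under it is exactly the open question the post raises; the logged drops are the data you would collect before deciding which inbound sessions, if any, have to be added back.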