Firewall Wizards mailing list archives
RE: NTLM authentication from DMZ
From: Frank Knobbe <fknobbe () knobbeits com>
Date: 19 Sep 2002 15:24:06 -0500
On Thu, 2002-09-19 at 02:13, Ben Nagy wrote:
> The key threat is that someone will hack your IIS box and then sit on it gathering valid password pairs for the LAN domain, and then just access C$ on whatever box they like as soon as anyone in the Domain Admins group checks their mail. We could argue about countermeasures to that, but believe me when I say that once someone has control over the DMZ box then you're in some pretty major schtuck unless you have an extremely smart IDS or Tingling Spider Senses.
Doesn't have to be that way. The OutlookWebAccess box only needs to have access to the Exchange server and domain controllers. You could use a DC in a third DMZ segment and only allow the OWA box to validate accounts against it. That box in turn can talk to internal DC's. That way you limit access from the OWA box to internal DC's. Yeah, doesn't prevent password cracking, but it is still much harder to poke through to the LAN. RPC (and the two 'fixed' Exchange services) only need to be available to the Exchange server not the whole network. So the statement 'then just access C$ on whatever box they like' is only valid if you drop the ball in the firewall config. Neatly tightened, there is no c$ access. I agree with the rest, such as:
> Note that I always recommend that Exchange boxen not talk SMTP to the outside world - setting up a secure mail relay in the DMZ is cheap, easy and can provide some good first-pass filtering / screening capabilities.
Regards, Frank
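The segmentation Frank describes (OWA front end allowed only to the Exchange server and to a DC in a third DMZ segment, that DC allowed on to the internal DCs, a DMZ mail relay as the only SMTP path to Exchange, everything else denied) can be written down as a first-match policy and checked offline before it goes on a firewall. The following is an added example, not code from the list or from any poster. All addresses and segments are constructed, and the two statically assigned Exchange RPC ports are placeholders; the well-known ports (135, 139, 445, 88, 389, 25) are real. It also models the "dropped the ball" variant to show the difference: with the tight ruleset the OWA host cannot reach SMB on any LAN host, with the loose one it reaches all of them.

```python
"""Offline check of a segmented OWA/Exchange firewall policy (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    action: str        # "allow" or "deny"
    src: str           # source network, CIDR
    dst: str           # destination network, CIDR
    ports: frozenset   # permitted destination TCP ports; empty set = any port


# Constructed addressing for the example (assumptions, not from the message).
INTERNET = "0.0.0.0/0"
OWA_DMZ = "10.1.0.0/24"       # OWA front end segment
RELAY_DMZ = "10.2.0.0/24"     # SMTP relay segment
DMZ_DC = "10.3.0.0/24"        # the DC in the third DMZ segment
LAN = "10.10.0.0/16"
EXCHANGE = "10.10.5.10/32"
LAN_DCS = "10.10.1.0/24"

# Well-known ports. 1200/1201 stand in for the two statically assigned
# Exchange RPC ports; placeholder values, site-specific in practice.
RPC_MAPPER, NETBIOS, SMB = 135, 139, 445
KERBEROS, LDAP, SMTP = 88, 389, 25
EXCHANGE_FIXED = frozenset({1200, 1201})

# Tight policy: only the paths the design needs, then an explicit deny-all.
TIGHT = [
    Rule("allow", OWA_DMZ, EXCHANGE, frozenset({RPC_MAPPER}) | EXCHANGE_FIXED),
    Rule("allow", OWA_DMZ, DMZ_DC, frozenset({KERBEROS, LDAP})),
    Rule("allow", DMZ_DC, LAN_DCS, frozenset({KERBEROS, LDAP, RPC_MAPPER})),
    Rule("allow", INTERNET, RELAY_DMZ, frozenset({SMTP})),
    Rule("allow", RELAY_DMZ, EXCHANGE, frozenset({SMTP})),
    Rule("deny", INTERNET, INTERNET, frozenset()),
]

# Loose policy ("dropped the ball"): OWA segment may reach the whole LAN.
LOOSE = [
    Rule("allow", OWA_DMZ, LAN, frozenset()),
    Rule("deny", INTERNET, INTERNET, frozenset()),
]


def permitted(rules, src, dst, port):
    """First matching rule decides; no match means implicit deny."""
    s, d = ip_address(src), ip_address(dst)
    for r in rules:
        if s in ip_network(r.src) and d in ip_network(r.dst) and (not r.ports or port in r.ports):
            return r.action == "allow"
    return False


def lan_hosts_reachable_over_smb(rules, src, lan_hosts):
    """LAN hosts the source could reach on SMB/NetBIOS (the C$ path)."""
    return [h for h in lan_hosts
            if permitted(rules, src, h, SMB) or permitted(rules, src, h, NETBIOS)]


# Constructed sample hosts: the Exchange server, a LAN DC, a workstation.
SAMPLE_LAN = ["10.10.5.10", "10.10.1.5", "10.10.20.77"]
OWA_HOST = "10.1.0.5"

if __name__ == "__main__":
    for name, rules in (("tight", TIGHT), ("loose", LOOSE)):
        print(name, "SMB-reachable from OWA:", lan_hosts_reachable_over_smb(rules, OWA_HOST, SAMPLE_LAN))
```

The check worth keeping in a change process is `lan_hosts_reachable_over_smb(TIGHT, ...) == []`: any later rule that widens the OWA segment's reach shows up there before it reaches production. The DMZ DC to internal DC path remains a reachable path by design, which is why Frank's design limits rather than removes exposure.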