Security Basics mailing list archives

Re: Question about DMZ Domain Member and Virus Membership


From: Ansgar -59cobalt- Wiechers <bugtraq () planetcobalt net>
Date: Mon, 20 Mar 2006 21:10:52 +0100

On 2006-03-19 Adam T wrote:
> I would like to know what is the best practice method to configure
> Windows Servers in the DMZ. Should they be a part of the domain and
> therefore open ports to allow authentication?

Most definitely not. Allowing connections from DMZ to LAN is a very bad
thing and should only be done if you know EXACTLY what you're doing.

> Or should they be kept as standalone servers?

Maybe it's possible to replicate the relevant portion of the
authentication data from the DC to the DMZ servers. If not, it is better
to leave them as standalone servers.

> I also have my virus scanners on these machines but they are not in
> contact with the Primary Virus Server. Should I allow these ports
> through the firewall?

No. Push the definition files from your primary server to a server in
the DMZ and have the virus scanners update their definitions from this
server. If you need the logs: pull/query them from the LAN.

Regards
Ansgar Wiechers
-- 
"All vulnerabilities deserve a public fear period prior to patches
becoming available."
--Jason Coombs on Bugtraq
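The direction rule the reply argues (the LAN may open connections into the DMZ to push definition files and pull logs, the DMZ must never open connections into the LAN) is easy to state and easy to get wrong in a rule set, so here is an added example that is not part of the original post: a small first-match policy model with an audit that lists every port through which a DMZ host could actually initiate a connection into the LAN, honouring rule order so that an allow shadowed by an earlier deny is not reported. The rule format, the zone names "lan" and "dmz", the two sample policies, the list of Active Directory ports and the choice of SMB/RDP for the LAN-initiated push and pull are all constructed assumptions for illustration, not taken from the thread or from any firewall product.

```python
"""Audit a DMZ/LAN firewall policy for the direction rule from the thread:
the LAN may open connections into the DMZ (to push definition files and
to pull logs), the DMZ must never open connections into the LAN.

Added example, not code from the original post. The rule format, the
zone names "lan" and "dmz", the two sample policies and the list of
Active Directory ports are all constructed for illustration.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Sequence, Tuple

# TCP ports a domain-joined Windows member typically needs on a domain
# controller (assumed typical list; not taken from the post).
AD_PORTS = frozenset({53, 88, 135, 389, 445, 464, 636})

ANY = frozenset()  # an empty port set matches every port


@dataclass(frozen=True)
class Rule:
    src: str               # zone that initiates the TCP connection
    dst: str               # zone that receives it
    ports: FrozenSet[int]  # destination ports, or ANY
    action: str            # "allow" or "deny"
    comment: str = ""

    def matches(self, src: str, dst: str, port: int) -> bool:
        return (self.src == src and self.dst == dst
                and (not self.ports or port in self.ports))


def decide(rules: Sequence[Rule], src: str, dst: str, port: int) -> str:
    """First-match evaluation with an implicit final deny, the way most
    packet filters are read. Only the initiating direction is modelled;
    reply packets are assumed to be passed by connection tracking."""
    for r in rules:
        if r.matches(src, dst, port):
            return r.action
    return "deny"


def audit(rules: Sequence[Rule]) -> List[Tuple[int, str]]:
    """Return (port, comment) for every port on which a DMZ host can
    actually open a connection into the LAN. Rule order is honoured, so
    an allow shadowed by an earlier deny is not reported. Port 0 stands
    for "any port". An empty result means the policy follows the advice."""
    findings = []
    for r in rules:
        if r.src == "dmz" and r.dst == "lan" and r.action == "allow":
            for port in (sorted(r.ports) if r.ports else [0]):
                if decide(rules, "dmz", "lan", port) == "allow":
                    findings.append((port, r.comment))
    return findings


# Policy the question proposes: DMZ servers are domain members, so they
# must reach the domain controllers and the AV server on the LAN.
DOMAIN_MEMBER_POLICY = [
    Rule("dmz", "lan", AD_PORTS, "allow", "DMZ members -> LAN domain controllers"),
    Rule("dmz", "lan", frozenset({8080}), "allow", "DMZ AV agents -> primary AV server"),
    Rule("lan", "dmz", ANY, "allow", "LAN -> DMZ management"),
]

# Policy the reply recommends: standalone DMZ servers, the LAN pushes the
# definition files to a DMZ staging server and pulls the logs back;
# nothing is ever initiated from the DMZ towards the LAN. (445 for SMB
# file copy and 3389 for RDP are assumptions about the transport used.)
STANDALONE_POLICY = [
    Rule("lan", "dmz", frozenset({445}), "allow", "push AV definitions to DMZ staging server"),
    Rule("lan", "dmz", frozenset({445, 3389}), "allow", "pull logs from / administer DMZ hosts"),
    Rule("dmz", "lan", ANY, "deny", "DMZ never initiates into the LAN"),
]


if __name__ == "__main__":
    for name, policy in (("domain member", DOMAIN_MEMBER_POLICY),
                         ("standalone", STANDALONE_POLICY)):
        print(f"{name}: DMZ->LAN openings = {audit(policy)}")
```

Running it shows the domain-member policy opening every AD port plus the AV port from the DMZ into the LAN, while the standalone policy reports nothing: the LAN can still reach the DMZ staging server to drop definitions and collect logs, and the DMZ hosts update from that staging server inside their own zone. The model deliberately ignores intra-zone traffic and reply packets; it only answers the question the thread raises, which direction is allowed to initiate.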
