Firewall Wizards mailing list archives

RE: Firewall Rules for NT Server and PDC


From: "Benjamin P. Grubin" <bgrubin () pobox com>
Date: Thu, 12 Jul 2001 09:25:09 -0400

I would never try and convince anyone that NBT or windows networking is safe
to pass through a firewall, but this example is bogus.  psexec does nothing
sexy, it is equivalent to rexec on the un*x platform, which has existed for
eons.  In order to make use of a tool like this, a trust relationship would
have to be exploited.

It's a long time since I got my MCSE (ssh, don't tell!), but AFAIK trusts
are only between domains. Servers in the same domain always trust each other
by default, and you can only lock things down further with user permissions.
I'm assuming that you know this, but one could easily get the wrong
impression from the way you phrase things.

Sorry, I'll try to be more clear in the future.  The separation of domains
was precisely what I meant.


Compromising a domain member server SHOULD NOT compromise your domain.  [...]

I don't understand why not. At best you need to find / guess / sniff a
username and password. You've obviously got some ideas here that you didn't
elaborate on - could you be more explicit?

Sniffing and guessing are always a problem, but the mere compromise of a
member server does not implicitly compromise anything else on the network,
unless trust relationships (which shouldn't be there in this context) exist.
Protecting against sniffing and guessing are architecture and configuration
problems, respectively---but they certainly are solvable in a small, easily
controlled environment.  The accounts that exist on a member server in a DMZ
should have no access to either the PDC or anything else.  Only the reverse
should be true (PDC having access to the member server).  So a compromise of
a member server domain or local account is irrelevant to compromising the
PDC.  This of course assumes basic simian intelligence like not having
domain administrator credentials cached on said domain member (!).

Cheers,
Ben

----
Benjamin P. Grubin                      bgrubin () pobox com
PGP Fingerprint: EDE9 A88F 3BCC 514A  F310 FEFB 7109 2380

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards

