Firewall Wizards mailing list archives
RE: Firewall Rules for NT Server and PDC
From: "Benjamin P. Grubin" <bgrubin () pobox com>
Date: Thu, 12 Jul 2001 09:25:09 -0400
>> I would never try and convince anyone that NBT or windows networking is safe to pass through a firewall, but this example is bogus. psexec does nothing sexy, it is equivalent to rexec on the un*x platform, which has existed for eons. In order to make use of a tool like this, a trust relationship would have to be exploited.
>
> It's a long time since I got my MCSE (ssh, don't tell!), but AFAIK trusts are only between domains. Servers in the same domain always trust each other by default, and you can only lock things down further with user permissions. I'm assuming that you know this, but one could easily get the wrong impression from the way you phrase things.
Sorry, I'll try to be more clear in the future. The separation of domains was precisely what I meant.
>> Compromising a domain member server SHOULD NOT compromise your domain. [...]
>
> I don't understand why not. At best you need to find / guess / sniff a username and password. You've obviously got some ideas here that you didn't elaborate on - could you be more explicit?
Sniffing and guessing are always a problem, but the mere compromise of a member server does not implicitly compromise anything else on the network, unless trust relationships (which shouldn't be there in this context) exist. Protecting against sniffing and guessing is an architecture problem and a configuration problem, respectively---but they certainly are solvable in a small, easily controlled environment. The accounts that exist on a member server in a DMZ should have no access to either the PDC or anything else. Only the reverse should be true (PDC having access to the member server). So a compromise of a member server domain or local account is irrelevant to compromising the PDC. This of course assumes basic simian intelligence like not having domain administrator credentials cached on said domain member (!).

Cheers,
Ben

----
Benjamin P. Grubin
bgrubin () pobox com
PGP Fingerprint: EDE9 A88F 3BCC 514A F310 FEFB 7109 2380

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards
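The two conditions the post above puts on a DMZ member server (no domain administrator credentials cached on it, and no domain-privileged group holding local administrative rights on it) can be audited from the member itself. The following is an added example, not code from the thread or its participants; it uses present-day PowerShell (5.1 or later on a domain-joined Windows host, run elevated) rather than the NT 4 tooling of 2001, and it assumes the default "Domain Admins" group name and the Winlogon registry location for CachedLogonsCount, both of which are conventional but should be adjusted for a renamed group or a hardened build.

```powershell
# Added example (not part of the original thread): audit a DMZ domain member for
# the two conditions discussed above.
# Assumptions: PowerShell 5.1+ with Microsoft.PowerShell.LocalAccounts, run
# elevated on a domain-joined host; default group name "Domain Admins".

$ErrorActionPreference = 'Stop'
$findings = @()

# 1. Cached domain logons.
#    CachedLogonsCount (a REG_SZ under Winlogon) controls how many domain
#    logons the LSA keeps a cached verifier for. On a DMZ member it should be 0,
#    so that a compromise of the box cannot yield a domain admin's cached
#    credential material. An absent value means the Windows default of 10.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$cachedRaw = (Get-ItemProperty -Path $winlogon -Name CachedLogonsCount `
              -ErrorAction SilentlyContinue).CachedLogonsCount
$cached = if ($null -eq $cachedRaw) { 10 } else { [int]$cachedRaw }
if ($cached -gt 0) {
    $findings += "CachedLogonsCount is $cached; set it to 0 on a DMZ member server."
}

# 2. Domain principals in the local Administrators group.
#    "Domain Admins" (or any other domain group/user) in here means domain
#    accounts are expected to log on to this box with domain credentials,
#    which is exactly what the post says must not happen in the DMZ.
$admins = Get-LocalGroupMember -Group 'Administrators'
$domainAdmins = $admins | Where-Object { $_.PrincipalSource -eq 'ActiveDirectory' }
foreach ($m in $domainAdmins) {
    $severity = if ($m.Name -like '*\Domain Admins') { 'CRITICAL' } else { 'WARN' }
    $findings += "$severity: domain principal in local Administrators: $($m.Name) ($($m.ObjectClass))"
}

# 3. Report. Exit code 1 if anything was found, so the check can run from a
#    scheduled task or a build pipeline and fail loudly.
if ($findings.Count -eq 0) {
    Write-Output "OK: no cached domain logons and no domain principals in local Administrators."
    exit 0
}
$findings | ForEach-Object { Write-Warning $_ }
exit 1
```

The firewall side of the same advice (the PDC may initiate connections to the member, the member may not initiate to the PDC) is enforced on the firewall between the DMZ and the internal network, not on the member, and so is not checked here; the script only verifies that a compromised member has nothing worth stealing for a hop to the PDC.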
Current thread:
- Re: Firewall Rules for NT Server and PDC, (continued)
- Re: Firewall Rules for NT Server and PDC Volker Tanger (Jul 05)
- Re: Firewall Rules for NT Server and PDC Bjørnar B . Larsen (Jul 07)
- RE: Firewall Rules for NT Server and PDC Dawes, Rogan (ZA - Johannesburg) (Jul 09)
- RE: Firewall Rules for NT Server and PDC Benjamin P. Grubin (Jul 11)
- RE: Firewall Rules for NT Server and PDC Scott, Richard (Jul 11)
- Re: Firewall Rules for NT Server and PDC Volker Tanger (Jul 12)
- RE: Firewall Rules for NT Server and PDC Dawes, Rogan (ZA - Johannesburg) (Jul 11)
- Re: Firewall Rules for NT Server and PDC Patrick Giagnocavo (Jul 12)
- RE: Firewall Rules for NT Server and PDC Benjamin P. Grubin (Jul 13)
- RE: Firewall Rules for NT Server and PDC Ben Nagy (Jul 12)
- RE: Firewall Rules for NT Server and PDC Benjamin P. Grubin (Jul 13)
- RE: Firewall Rules for NT Server and PDC Jeroen Veeren (Jul 13)