Firewall Wizards mailing list archives

Re: W2K Schema Master in the DMZ?


From: Mikael Olsson <mikael.olsson () clavister com>
Date: Tue, 25 Jun 2002 00:35:04 +0200



david singleton wrote:

> The question that interests me is, does the firewall community think
> internal (non-Internet) users are hacking the internal W2K DCs?

Definitely.  In my experience, with any organization larger than
twenty users, you can't be certain that there aren't one or two
less-than-friendly people.  When you pass fifty, you can almost
be certain that there is.  Add to that the recklessly clueless 
and the cluelessly reckless that you get in basically any size 
organization, and you get trojan threats, etc...

(Of course, I generally get involved in fairly paranoid installs,
so what I consider a great risk may not apply to you :))

> If so how should we protect them?

Now _there_ is a good question. I just re-read the page that I
referred to, and... well, I don't see how you can actually 
protect the schema masters beyond how you protect admin accounts
and controllers in general.  If one gets compromised, it'd seem
that there's basically nothing you can do to prevent the breach
from spreading throughout the entire organization... which 
proves me right when I demanded that our devel network be 
completely separated from the main network all those years ago :)


Now, if you set up a forest that doesn't actually DO anything,
and then set up a bunch of domains that only trust the forest,
I suppose you could actually achieve something approaching 
useful separation (as far as non-admins are concerned), but
the question is how much work it'd be, and if it's actually
worth it.

-- 
Mikael Olsson, Clavister AB
Storgatan 12, Box 393, SE-891 28 ÖRNSKÖLDSVIK, Sweden
Phone: +46 (0)660 29 92 00   Mobile: +46 (0)70 26 222 05
Fax: +46 (0)660 122 50       WWW: http://www.clavister.com
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards

