Firewall Wizards mailing list archives
Re: W2K Schema Master in the DMZ?
From: Mikael Olsson <mikael.olsson () clavister com>
Date: Tue, 25 Jun 2002 00:35:04 +0200
david singleton wrote:
> The question that interests me is, does the firewall community think internal (non-Internet) users are hacking the internal W2K DCs?
Definitely. In my experience, with any organization larger than twenty users, you can't be certain that there aren't one or two less-than-friendly people. When you pass fifty, you can almost be certain that there are. Add to that the recklessly clueless and the cluelessly reckless that you get in basically any size organization, and you get trojan threats, etc... (Of course, I generally get involved in fairly paranoid installs, so what I consider a great risk may not apply to you :))
> If so how should we protect them?
Now _there_ is a good question. I just re-read the page that I referred to, and... well, I don't see how you can actually protect the schema masters beyond how you protect admin accounts and controllers in general. If one gets compromised, it'd seem that there's basically nothing you can do to prevent the breach from spreading throughout the entire organization... which proves me right when I demanded that our devel network be completely separated from the main network all those years ago :)

Now, if you set up a forest that doesn't actually DO anything, and then set up a bunch of domains that only trust the forest, I suppose you could actually achieve something approaching useful separation (as far as non-admins are concerned), but the question is how much work it'd be, and if it's actually worth it.

--
Mikael Olsson, Clavister AB
Storgatan 12, Box 393, SE-891 28 ÖRNSKÖLDSVIK, Sweden
Phone: +46 (0)660 29 92 00 Mobile: +46 (0)70 26 222 05
Fax: +46 (0)660 122 50 WWW: http://www.clavister.com