Firewall Wizards mailing list archives
RE: NTLM authentication from DMZ
From: "Dawes, Rogan (ZA - Johannesburg)" <rdawes () deloitte co za>
Date: Fri, 20 Sep 2002 17:32:11 +0200
Below.
-----Original Message-----
From: Noonan, Wesley [mailto:Wesley_Noonan () bmc com]
Sent: 20 September 2002 05:06
To: 'Mikael Olsson'; Jan van Rensburg
Cc: firewall-wizards () honor icsalabs com
Subject: RE: [fw-wiz] NTLM authentication from DMZ

Perhaps I am oversimplifying here, but I guess I don't see the "big huge deal" with OWA.
[..snip..]
conduit permit udp host 172.16.1.1 eq netbios-ns host 10.100.0.10
conduit permit udp host 172.16.1.1 eq netbios-dgm host 10.100.0.10
conduit permit tcp host 172.16.1.1 eq 139 host 10.100.0.10
conduit permit udp host 172.16.1.1 eq 139 host 10.100.0.10
conduit permit tcp host 172.16.1.1 eq 135 host 10.100.0.10

5 lines, and quite frankly I don't recall it needing 135 or the TCP 139 (or maybe it was the UDP 139, either way...) which were turned off (the config I have still shows them, but they were turned off in a later config). If
The unfortunate problem with OWA, and any other service that needs access to a DC for authentication, is that Microsoft has multiplexed too many functions into the SMB/NetBIOS protocol. For example, with the right credentials, you can open up a "telnet" session on the DC, and have access to a CMD.exe prompt on that DC. (See psexec at sysinternals for more info.) There does not seem to be any obvious (or even documented) way of disabling functions which can be used within a NBT session. The ideal would be to say, only auth functions allowed from the OWA server, regardless of userid, but this does not seem to be possible.
Again, maybe I am oversimplifying here, but I have never really seen the big deal on this particular issue (OWA). It is far better than any alternative I have seen (both in terms of function and security). If I am wrong, I am open to some edumication :-)
It would appear that one of the other webmail programs, with access to the mailboxes via IMAP, directories via LDAP, and outbound mail via SMTP would be a lot easier to secure, in particular, securing the internal network from compromise of the webmail server. This is primarily because a firewall can limit the functions that are permitted. And that is really what we are talking about, isn't it? We put the webmail server in a DMZ, because we want to be prepared for the webmail server being compromised. The trick is to limit what can happen when it is cracked. It's not so easy with OWA. When someone builds a stateful or proxy firewall that can disallow functions within NBT sessions, I will feel happier about permitting NBT through it. But not until then.

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
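The point made in this exchange is that a port-level rule cannot distinguish "authentication only" from the full NetBIOS/SMB/RPC function set, whereas IMAP, LDAP and SMTP each expose one function the firewall can scope. As an added illustration (not part of the original thread or any product), the following script parses the PIX conduit lines quoted above and flags every permit that reaches a port in that multiplexed family; the LDAP rule and the 445 entry are constructed additions for contrast.

```python
import re
from dataclasses import dataclass

# PIX keyword names for ports that appear in conduit statements.
PIX_PORT_NAMES = {"netbios-ns": 137, "netbios-dgm": 138, "netbios-ssn": 139}

# Ports that carry the multiplexed NBT/SMB/RPC function set: once a peer may
# reach them, the firewall cannot limit which SMB or RPC functions are used.
# 445 (SMB direct) is added here beyond the ports quoted in the thread.
MULTIPLEXED_PORTS = {135: "MSRPC endpoint mapper", 137: "NetBIOS name service",
                     138: "NetBIOS datagram", 139: "NetBIOS session / SMB",
                     445: "SMB over TCP"}

# conduit permit <proto> host <dc_ip> eq <port> host <dmz_ip>
# In PIX conduit syntax the first address is the protected (inside) host,
# the second the foreign host, so dst is the DC and src the DMZ server.
CONDUIT_RE = re.compile(
    r"^conduit\s+(permit|deny)\s+(tcp|udp)\s+host\s+(\S+)\s+eq\s+(\S+)\s+host\s+(\S+)\s*$")


@dataclass
class Conduit:
    action: str
    proto: str
    dst: str
    port: int
    src: str


def parse_conduit(line: str):
    """Return a Conduit for a recognised host-to-host rule, else None."""
    m = CONDUIT_RE.match(line.strip())
    if not m:
        return None
    action, proto, dst, port, src = m.groups()
    port_num = PIX_PORT_NAMES.get(port, int(port) if port.isdigit() else None)
    return None if port_num is None else Conduit(action, proto, dst, port_num, src)


def audit(config_text: str):
    """List (src, dst, proto, port, service) for permits into the multiplexed family."""
    findings = []
    for line in config_text.splitlines():
        c = parse_conduit(line)
        if c and c.action == "permit" and c.port in MULTIPLEXED_PORTS:
            findings.append((c.src, c.dst, c.proto, c.port, MULTIPLEXED_PORTS[c.port]))
    return findings


# Constructed sample: the five rules from the thread plus one LDAP rule.
SAMPLE_CONFIG = """\
conduit permit udp host 172.16.1.1 eq netbios-ns host 10.100.0.10
conduit permit udp host 172.16.1.1 eq netbios-dgm host 10.100.0.10
conduit permit tcp host 172.16.1.1 eq 139 host 10.100.0.10
conduit permit udp host 172.16.1.1 eq 139 host 10.100.0.10
conduit permit tcp host 172.16.1.1 eq 135 host 10.100.0.10
conduit permit tcp host 172.16.1.1 eq 389 host 10.100.0.10
"""

if __name__ == "__main__":
    for src, dst, proto, port, svc in audit(SAMPLE_CONFIG):
        print(f"{src} -> {dst} {proto}/{port} ({svc}): exposes the full "
              f"SMB/RPC function set, not just authentication")
```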