Firewall Wizards mailing list archives

RE: NTLM authentication from DMZ


From: "Dawes, Rogan (ZA - Johannesburg)" <rdawes () deloitte co za>
Date: Fri, 20 Sep 2002 17:32:11 +0200

Below.

-----Original Message-----
From: Noonan, Wesley [mailto:Wesley_Noonan () bmc com]
Sent: 20 September 2002 05:06
To: 'Mikael Olsson'; Jan van Rensburg
Cc: firewall-wizards () honor icsalabs com
Subject: RE: [fw-wiz] NTLM authentication from DMZ


Perhaps I am oversimplifying here, but I guess I don't see the "big huge
deal" with OWA.

[..snip..]

conduit permit udp host 172.16.1.1 eq netbios-ns host 10.100.0.10 
conduit permit udp host 172.16.1.1 eq netbios-dgm host 10.100.0.10 
conduit permit tcp host 172.16.1.1 eq 139 host 10.100.0.10 
conduit permit udp host 172.16.1.1 eq 139 host 10.100.0.10 
conduit permit tcp host 172.16.1.1 eq 135 host 10.100.0.10

5 lines, and quite frankly I don't recall it needing 135 or the TCP 139 (or
maybe it was the UDP 139, either way...) which were turned off (the config I
have still shows them, but they were turned off in a later config). If

The unfortunate problem with OWA, and any other service that needs access to
a DC for authentication, is that Microsoft has multiplexed too many
functions into the SMB/NetBIOS protocol.

For example, with the right credentials, you can open up a "telnet" session
on the DC, and have access to a CMD.exe prompt on that DC. (See psexec at
sysinternals for more info.) There does not seem to be any obvious (or even
documented) way of disabling functions which can be used within a NBT
session. The ideal would be to say, only auth functions allowed from the OWA
server, regardless of userid, but this does not seem to be possible.

Again, maybe I am oversimplifying here, but I have never really seen the big
deal on this particular issue (OWA). It is far better than any alternative I
have seen (both in terms of function and security). If I am wrong, I am open
to some edumication :-)

It would appear that one of the other webmail programs, with access to the
mailboxes via IMAP, directories via LDAP, and outbound mail via SMTP would
be a lot easier to secure, in particular, securing the internal network from
compromise of the webmail server. This is primarily because a firewall can
limit the functions that are permitted.

And that is really what we are talking about, isn't it? We put the webmail
server in a DMZ, because we want to be prepared for the webmail server being
compromised. The trick is to limit what can happen when it is cracked. It's
not so easy with OWA.

When someone builds a stateful or proxy firewall that can disallow functions
within NBT sessions, I will feel happier about permitting NBT through it.
But not until then.
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
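As an added example (not code from the thread or from either poster), the small Python reviewer below parses the five PIX "conduit" lines quoted above and flags the ports that belong to the SMB/NetBIOS/RPC multiplex the reply objects to, which is the check a firewall reviewer would run before approving DMZ-to-DC access. The service-name-to-port mapping, the set of flagged ports, and the reading of the first host as the inside (global) address and the second as the outside (foreign) address are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample input: the five PIX conduit lines quoted in the thread.
RULES = """\
conduit permit udp host 172.16.1.1 eq netbios-ns host 10.100.0.10
conduit permit udp host 172.16.1.1 eq netbios-dgm host 10.100.0.10
conduit permit tcp host 172.16.1.1 eq 139 host 10.100.0.10
conduit permit udp host 172.16.1.1 eq 139 host 10.100.0.10
conduit permit tcp host 172.16.1.1 eq 135 host 10.100.0.10
"""

# Assumed PIX service-name aliases for the NetBIOS ports used above.
SERVICE_PORTS = {"netbios-ns": 137, "netbios-dgm": 138, "netbios-ssn": 139}

# Ports that carry a full SMB/NBT or RPC session, which a port filter cannot
# narrow to "authentication only" (tcp/445 is direct-hosted SMB, added here
# as an assumption; the thread itself only mentions 135 and 139).
MULTIPLEXED = {("tcp", 139), ("tcp", 135), ("tcp", 445)}

RULE_RE = re.compile(
    r"^conduit\s+(permit|deny)\s+(tcp|udp)\s+host\s+(\S+)\s+eq\s+(\S+)\s+host\s+(\S+)$"
)


def parse_conduits(text):
    """Parse 'conduit ACTION PROTO host INSIDE eq PORT host OUTSIDE' lines.
    Assumed interpretation: INSIDE is the protected (global) host, OUTSIDE the
    lower-security (foreign) host allowed to connect to it."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unsupported conduit syntax: {line}")
        action, proto, inside, port, outside = m.groups()
        port = SERVICE_PORTS.get(port) or int(port)
        rules.append({"action": action, "proto": proto, "inside": inside,
                      "port": port, "outside": outside})
    return rules


def review(rules):
    """Group permitted ports per (outside, inside) pair and flag the ones
    that expose a multiplexed session protocol rather than a single function."""
    exposure = defaultdict(list)
    for r in rules:
        if r["action"] != "permit":
            continue
        flag = "multiplexed" if (r["proto"], r["port"]) in MULTIPLEXED else "ok"
        exposure[(r["outside"], r["inside"])].append((r["proto"], r["port"], flag))
    return {pair: sorted(ports) for pair, ports in exposure.items()}
```

Running `review(parse_conduits(RULES))` reports tcp/135 and tcp/139 as multiplexed for the 10.100.0.10 to 172.16.1.1 pair, matching the two ports the original poster says were later turned off.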