Hello Oren -
First - I would like to state that I feel sorry for you and your
situation.... not an easy one to over come. Management that is....
Well, I would start out by asking if you can set up a site-to-site VPN?
That would be the most secure way of implementing your solution. If you
opened all the ports needed to have a forest root talk to a sub domain, you
might as well not have a firewall.
Here is a small list of the ports that I am talking about -
42 wins TCP/UDP
53 domain TCP/UDP
88 kerberos
123 ntp UDP
135 loc-srv TCP/UDP
137 nbname TCP/UDP
138 nbdgram UDP
139 nbsess TCP
Now - take the last few ports...those would be the main ones that would
open up your network to just about every virus that targets Microsoft
systems.... anyone else on this list would agree that 135/137 are the worst
ports to open to the outside world.
Again, I would suggest getting a site-to-site tunnel working - any other
way would be disasterous for your organization. Just do a quick google for
ports used by Trojans....that should stop all discussions. Unless they
(management) thinks that AV will stop those ....
Good luck!
Rich
|---------+---------------------------->
| | Oren Held |
| | <oren@held.org.il|
| | > |
| | |
| | 12/15/2004 06:24 |
| | PM |
| | |
|---------+---------------------------->
---------------------------------------------------------------------------------------------------------------------------------------------|
|
|
| To: focus-ms@securityfocus.com
|
| cc:
|
| Subject: Subdomain security
|
---------------------------------------------------------------------------------------------------------------------------------------------|
Hello,
I have to install a *secure* windows domain inside an insecure network.
This means that my domain will be behind a firewall ofcourse.
Now, I've got two possibilities for the domain configuration:
Option 1: My domain would actually be a subdomain inside the insecure
forest.
Option 2: Create a totally new forest.
So, surely option #2 is more secure, but the management pushes to
choosing option #1. so.. few questions about option #1:
a. Which ports should be opened by the firewall in order for the
subdomain to function well but be the most secure? Any references?
b. Does an admin (a member of the Enterprise Admin group) from the
root-domain have access to my subdomain? Can I prevent it at all?
c. Do you know any networks that implement option #1 with a firewall and
think they're quite secure from the other domains, or is it a totally
twisted idea?
Thanks a lot people,
- Oren
---------------------------------------------------------------------------
---------------------------------------------------------------------------
---------------------------------------------------------------------------
---------------------------------------------------------------------------
