These servers should be implemented as "standalone" workgroup machines, you
can use local security policy to perform largely all the of the same things
you can do with AD, and lessen the "attack surface" by not using AD at all.
For a handfull of boxes it's overkill and underwarranted.
Further, opening outbound access to the windows update servers (only) or use
Software Update Service (SUS) if you are eally paranoid , and controlling
name resolution (use your own dns servers and secure your hosts file) will
ensure that you can get your updates and not worry about outbound access to
unauthorised destinations.
Manage the machines via encrypted RDP sessions or use a VPN. Enforce SSL
Encryption on your SQL Server http://support.microsoft.com/?kbid=841695
----- Original Message -----
From: "Eric Luke" <eric@g2esolutions.com>
To: <focus-ms@securityfocus.com>
Sent: Friday, May 06, 2005 4:31 PM
Subject: Visa PCI Firewall Requirements and Windows Networks
Windows Security Experts and registered CISSP's:
I am helping a company prepare for an upcoming on-site Visa PCI audit (now
required for high volume companies storing credit card information) and I
am wrestling with the firewall requirements and how they should be
implemented in a Windows network.
The requirements state that the card holder data must be protected from
public networks (Internet) by a 2-tiered firewall architecture, this I can
understand...the "edge" firewall protects the DMZ servers by limiting
inbound traffic to selected ports (like 80 and 443) and the second
firewall between the DMZ and a protected "Trusted Zone" where the
cardholder data is stored. You now have 2 layers of "security" between
the data and the Internet.
So, I have set up that architecture and am now working on the rules for
the firewalls. Lets say that the database servers are the only things
behind the second firewall. In a perfect simple networking world I would
now limit incoming and outgoing traffic through that second firewall to
just the database ports (i.e. - 1433, 1434) and applications that need
access to the data only need those ports open. Sounds simple...
In a Windows network, Active Directory is a nice thing to have around for
managing servers. Lets say I have an Active Directory Server in the DMZ
(or another separate office network segment). If I want my Active
Directory Server to interact with the Database servers now I need to open
up port 445 (at least) both directions through the second firewall to have
that functionality. Reading in "Hacking Exposed" it sounds to me like
having port 445 opened up into the trusted zone is not the most secure
thing to do if a hacker has made it through the first firewall and is now
in the DMZ "poking around".
How do I solve this dilemma? I would like those servers to be part of
Active Directory and get the domain security policies, etc. Is there some
other secure configuration that I am not seeing? If my active directory
server is not in the DMZ but in a separate office segment I have the same
problem for the web servers. Seems like port 445 is required in a windows
network for ease of management...is that going to be interpreted by Visa
as a "required business protocol"??
Should I be worried about port 445 being open through that second
firewall? Would I have to have a separate domain controller in my DMZ and
the trusted zone?? That seems excessive. Please Help!!!
OK, now my next dilemma is that when I read the PCI requirements it sounds
like they want me to limit all outgoing traffic from behind the both
firewalls down to a bare minimum. If I do that how do I get the Windows
OS on the DMZ and database servers to do autoupdates for security patches,
etc? (Up-to-date patches is also a PCI requirement.) Is there a PCI
expert out there that really understands what outbound traffic they are
really asking to be limited here?
From reading Hacking Exposed I understand that if a hacker gets some
trojan placed in the DMZ and the firewall allows all outgoing traffic he
can do nasty things just having inbound 80 and all outbound ports
open...so I understand the desire to limit outbound ports but how do you
do updates...or browse the web for that matter...from inside your network?
I am guessing I am missing a major conceptual idea here...anybody help
clear me up???
Thanks tons in advance!
-Eric (alias confused)
---------------------------------------------------------------------------
---------------------------------------------------------------------------
---------------------------------------------------------------------------
---------------------------------------------------------------------------
