Network Security Focus-Microsoft

Re: Front End/Back End communication

Subject: Re: Front End/Back End communication
Date: Thu, 18 May 2006 12:21:19 -0700

P.S.... I forgot to mention something regarding this part of your post:


On 5/17/06 12:31 PM, "Devin Ganger" <deving@3sharp.com> spoketh to all:

All Exchange 2000/2003 servers require GC access. If you cut off an Exchange
server from a GC, you can suffer any number of errors, from subtle
impossible-to-diagnose glitches to message routing errors to flat-out
services not starting, depending on your configuration.

You are dead-on right about troubleshooting in a least-privilege
environment.  It can really be a PITA unless you actually plan for how to
troubleshoot up front.  But if you scope everything out first and have a
road-map into your least-privileged network, things are much easier (and
faster.)  This is why I include the following segment in my ISA Ninjitsu
Blackhat Training:

ISA Xtreame: Least Privilege Intranet Firewall Segments
 -Server-client segmentation
 -Locking down internal traffic
 -Deploying "least privilege" rules
 -Security in depth segmentation
 -Living With Yourself After the Fact: troubleshooting connectivity issues
in least privileged environments

Note the last "Living with yourself" bit... Yes, it is true that when you
create true network separation in a least-privilege environment that you
have to change the way you troubleshoot connection issues.  You just can't
ping whatever host you want - you can't just telnet to 25 to see if you
connect to the SMTP listener (unless you are coming from the SMTP gateway
and to, and ONLY to, the SMTP server(s)).  You can't resolve DNS from just
anywhere...  But once you get the mindset down, you would be amazed at how
tight you can make things- even on the internal network.

So, it is not so easy sometimes, but it *is* tight.

t
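The "road-map" the post describes, as an added example that is not part of the original message and not ISA Server code: a small default-deny policy evaluator over constructed, hypothetical intranet segments (the addresses, segment names and rule names are all assumptions). `evaluate()` answers whether a given source may reach a destination/port, and `permitted_sources()` answers the troubleshooting question the post raises, namely from which segment you must test before concluding that a blocked telnet to port 25 is a fault rather than policy.

```python
"""Least-privilege intranet segment policy: a toy first-match, default-deny
evaluator.  Added illustration, not the list post's or ISA Server's own code."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    src: str            # source CIDR
    dst: str            # destination CIDR
    proto: str          # "tcp", "udp" or "icmp"
    port: Optional[int] # None means any port (or no port, for icmp)
    action: str         # "allow" or "deny"


# Constructed, hypothetical segments for the example.
SMTP_GATEWAY = "10.0.1.10/32"   # the only host allowed to talk SMTP to mail servers
MAIL_SERVERS = "10.0.2.0/28"    # internal SMTP listeners
DNS_SERVERS = "10.0.2.16/28"    # internal resolvers
SERVER_SEGMENT = "10.0.2.0/24"  # all servers
WORKSTATIONS = "10.0.50.0/24"   # client segment
ADMIN_JUMP = "10.0.9.5/32"      # the planned-for troubleshooting host

# First match wins; anything not matched falls through to DEFAULT_ACTION.
RULES: List[Rule] = [
    Rule("smtp-gw-to-mail", SMTP_GATEWAY, MAIL_SERVERS, "tcp", 25, "allow"),
    Rule("mail-to-smtp-gw", MAIL_SERVERS, SMTP_GATEWAY, "tcp", 25, "allow"),
    Rule("dns-from-servers", SERVER_SEGMENT, DNS_SERVERS, "udp", 53, "allow"),
    Rule("dns-from-workstations", WORKSTATIONS, DNS_SERVERS, "udp", 53, "allow"),
    Rule("admin-icmp", ADMIN_JUMP, "10.0.0.0/16", "icmp", None, "allow"),
]
DEFAULT_ACTION = "deny"


def _matches(rule: Rule, src: str, dst: str, proto: str, port: Optional[int]) -> bool:
    """True if the flow (src -> dst, proto/port) falls within the rule's tuple."""
    if proto != rule.proto:
        return False
    if rule.port is not None and port != rule.port:
        return False
    return (ipaddress.ip_address(src) in ipaddress.ip_network(rule.src)
            and ipaddress.ip_address(dst) in ipaddress.ip_network(rule.dst))


def evaluate(src: str, dst: str, proto: str, port: Optional[int] = None,
             rules: List[Rule] = RULES) -> Tuple[str, str]:
    """Return (action, rule name) for a flow; unmatched flows hit default deny."""
    for rule in rules:
        if _matches(rule, src, dst, proto, port):
            return rule.action, rule.name
    return DEFAULT_ACTION, "default-deny"


def permitted_sources(dst: str, proto: str, port: Optional[int] = None,
                      rules: List[Rule] = RULES) -> List[str]:
    """Troubleshooting road-map: which source ranges are allowed to reach dst?
    Run your connectivity test from one of these, not from 'just anywhere'."""
    dst_ip = ipaddress.ip_address(dst)
    sources = []
    for rule in rules:
        if rule.action != "allow" or rule.proto != proto:
            continue
        if rule.port is not None and port != rule.port:
            continue
        if dst_ip in ipaddress.ip_network(rule.dst):
            sources.append(rule.src)
    return sources


if __name__ == "__main__":
    # A workstation trying "telnet mailserver 25" is policy, not a fault:
    print(evaluate("10.0.50.20", "10.0.2.3", "tcp", 25))   # ('deny', 'default-deny')
    # The gateway is the place to run that test from:
    print(evaluate("10.0.1.10", "10.0.2.3", "tcp", 25))    # ('allow', 'smtp-gw-to-mail')
    print(permitted_sources("10.0.2.3", "tcp", 25))        # ['10.0.1.10/32']
    # ping works only from the host you planned for:
    print(evaluate("10.0.9.5", "10.0.2.3", "icmp"))        # ('allow', 'admin-icmp')
```

The design point is that the same rule table answers both questions: the enforcement decision and, read in reverse by `permitted_sources()`, the "where do I have to be standing to test this" question that the post says must be planned up front.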


