RE: safety of unidirectional NT trusts

[Henry Sieff <hsieff () orthodon com>]

> -----Original Message-----
> From: Jonas Anden [mailto:dajudge () home se]
> Sent: Tuesday, January 15, 2002 9:18 AM
> To: firewall-wizards () nfr net
> Cc: hermit921
> Subject: Re: [fw-wiz] safety of unidirectional NT trusts
>
>
> > I have been tasked with permitting M$ networking access 
> between an NT 
> > server on the DMZ an other Windows machines behind the 
> firewall.  My plan 
> > is to not let the DMZ machine initiate any connections to 
> the internal 
> > machines, but they can initiate connections to the DMZ 
> machine.  The DMZ 
> > machine should be set up to trust the internal machine, but 
> the internal 
> > machine should not trust the DMZ machine; I know I can't 
> control this on 
> > the firewall.  I don't know much about M$ networking, I 
> don't get to make 
> > decisions, I just implement firewall rules whether I like 
> them or not.
>
> Is that setup at all possible? To have the DMZ server trust 
> the internal
> DC, it needs to connect to the DC. I suggest you have do not have
any
> trust relationships set up between the DMZ and the internal network.
>
> I'm not a M$ hacker either, but that just my $0.02.

You are correct. One-way trust still requires the same ports as
two-way trusts. You can use PPTP to establish a trust relationship,
but you are still sort-of bypassing some of the DMZ's benefit no
matter what you do.

Henry
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards