Firewall Wizards mailing list archives

Re: W2K Schema Master in the DMZ?


From: Mikael Olsson <mikael.olsson () clavister com>
Date: Sun, 23 Jun 2002 13:44:32 +0200



david singleton wrote:

> shouldn't we be putting the Schema Master in the DMZ?

Putting it in "the" DMZ sounds like a singularly bad idea if indeed
you mean "the place where you stuff the web and mail server".

However, if you mean "put it in a separate firewalled segment", yeah
it sounds like a good idea.  I've been pondering the gains of this
myself, but the question is how much you'd be gaining.  I've been
meaning to research this for quite some time now, but haven't found
the time.


Since a successful attack against a controller further down in the
tree can invalidate all authentication and authorization mechanisms
in the whole tree, the "root server" (or whatever you want to call
it) should be protected somehow... But HOW?

If you need to pass the whole set of SMB/CIFS/AD/etc protocols to 
the "root server", just how much are you protecting it by putting it 
in a separate segment?  Probably not _too_ much.  But do you need to
pass all that?  Is it possible to allow only connections initiated
by the "root server"?  (Does that buy you anything?)


Clearly, I need to read up a _lot_ on the mechanisms involved in 
MSAD.  I'm basically just rambling, but I hope I've provided a few
starting points for others to expand upon :)


-- 
Mikael Olsson, Clavister AB
Storgatan 12, Box 393, SE-891 28 ÖRNSKÖLDSVIK, Sweden
Phone: +46 (0)660 29 92 00   Mobile: +46 (0)70 26 222 05
Fax: +46 (0)660 122 50       WWW: http://www.clavister.com
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
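As an added illustration of the trade-off this message raises (constructed example code, not part of the post and not Clavister's), the model below evaluates connections against two stateful policies for a separately firewalled root-server segment: one that passes the full protocol set both ways between the internal network and the root segment, and one that only lets the root server and a dedicated admin host open connections. The zone names, the service/port table and both rulesets are assumptions chosen for illustration; the real port list for a Windows 2000 forest is longer, and whether replication still works under the second policy is the open question the post leaves for others to research.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple, Union

# Zones used throughout (constructed for this example):
#   "dmz"      - the web/mail DMZ the post warns against using
#   "internal" - domain controllers lower in the tree, plus workstations
#   "root"     - the separately firewalled segment holding the "root server"
#   "admin"    - a dedicated management host
ZONES = ("dmz", "internal", "root", "admin")

# Illustrative service ports a domain controller listens on. Assumption:
# the complete list for a real forest must come from Microsoft's documentation.
SERVICES: Dict[str, Tuple[str, int]] = {
    "smb": ("tcp", 445),
    "ldap": ("tcp", 389),
    "kerberos": ("tcp", 88),
    "rpc-epm": ("tcp", 135),
    "dns": ("udp", 53),
}


@dataclass(frozen=True)
class Connection:
    """One connection as a stateful firewall tracks it. 'initiator' is the zone
    that sent the first packet; reply packets ride on that state and are never
    matched against rules, so direction of initiation is what policy controls."""
    initiator: str
    responder: str
    proto: str
    dport: int


@dataclass(frozen=True)
class Rule:
    initiator: str            # zone name or "any"
    responder: str            # zone name or "any"
    proto: str                # "tcp", "udp" or "any"
    dport: Union[int, str]    # port number or "any"
    action: str               # "allow" or "deny"

    def matches(self, c: Connection) -> bool:
        return (self.initiator in ("any", c.initiator)
                and self.responder in ("any", c.responder)
                and self.proto in ("any", c.proto)
                and self.dport in ("any", c.dport))


def decide(rules: List[Rule], c: Connection, default: str = "deny") -> str:
    """First matching rule wins; an unmatched connection gets the default (deny)."""
    for r in rules:
        if r.matches(c):
            return r.action
    return default


# Policy 1 (assumed): the root segment exists, but the full protocol set is
# passed in both directions between it and the internal network.
PASS_EVERYTHING: List[Rule] = [
    Rule("dmz", "root", "any", "any", "deny"),
    Rule("internal", "root", "any", "any", "allow"),
    Rule("root", "internal", "any", "any", "allow"),
    Rule("admin", "root", "any", "any", "allow"),
]

# Policy 2 (assumed): only the root server and the admin host may open
# connections; nothing on the internal network can initiate a session
# towards the root segment.
ROOT_INITIATED_ONLY: List[Rule] = [
    Rule("root", "internal", "any", "any", "allow"),
    Rule("admin", "root", "any", "any", "allow"),
    Rule("any", "root", "any", "any", "deny"),
]


def inbound_exposure(rules: List[Rule]) -> Dict[str, List[str]]:
    """Which named services can each zone open towards the root segment?
    That list is the surface an attacker who already holds that zone gets
    against the root server, which is what the segmentation is meant to shrink."""
    result: Dict[str, List[str]] = {}
    for zone in ZONES:
        if zone == "root":
            continue
        result[zone] = [
            name for name, (proto, port) in SERVICES.items()
            if decide(rules, Connection(zone, "root", proto, port)) == "allow"
        ]
    return result


if __name__ == "__main__":
    for label, policy in (("pass everything", PASS_EVERYTHING),
                          ("root-initiated only", ROOT_INITIATED_ONLY)):
        print(f"{label}: {inbound_exposure(policy)}")
```

Running it shows the difference the post is asking about: under the first policy a compromised controller lower in the tree can still open SMB, LDAP, Kerberos and RPC sessions to the root server, so the extra segment protects it from the DMZ but not from the rest of the domain; under the second policy only the admin host can, while the root server itself keeps the ability to reach out.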

