RE: NTLM authentication from DMZ

["Noonan, Wesley" <Wesley_Noonan () bmc com>]

Inline... good feedback BTW. Thanks.

Wes Noonan, MCSE/CCNA/CCDA/NNCSS
Senior QA Rep.
BMC Software, Inc.
(713) 918-2412
wnoonan () bmc com
http://www.bmc.com


> -----Original Message-----
> From: Dawes, Rogan (ZA - Johannesburg) [mailto:rdawes () deloitte co za]
> Sent: Friday, September 20, 2002 10:32
> To: 'Noonan, Wesley'; 'Mikael Olsson'; Jan van Rensburg
> Cc: firewall-wizards () honor icsalabs com
> Subject: RE: [fw-wiz] NTLM authentication from DMZ
>
> Below.
<snip> 
> The unfortunate problem with OWA, and any other service that needs access
> to
> a DC for authentication, is that Microsoft has multiplexed too many
> functions into the SMB/NetBIOS protocol.

No doubt... :-(
 
> For example, with the right credentials, you can open up a "telnet"
> session
> on the DC, and have access to a CMD.exe prompt on that DC. (See psexec at
> sysinternals for more info.) There does not seem to be any obvious (or
> even
> documented) way of disabling functions which can be used within a NBT
> session. The ideal would be to say, only auth functions allowed from the
> OWA
> server, regardless of userid, but this does not seem to be possible.

I must admit that I have not tried to run psexec from an OWA server to the
DC, but this is a valid point that I hadn't considered too much.

> > Again, maybe I am oversimplifying here, but I have never
> > really seen the big
> > deal on this particular issue (OWA). It is far better than
> > any alternative I
> > have seen (both in terms of function and security). If I am
> > wrong, I am open
> > to some edumication :-)
> It would appear that one of the other webmail programs, with access to the
> mailboxes via IMAP, directories via LDAP, and outbound mail via SMTP would
> be a lot easier to secure, in particular, securing the internal network
> from
> compromise of the webmail server. This is primarily because a firewall can
> limit the functions that are permitted.
>
> And that is really what we are talking about, isn't it? We put the webmail
> server in a DMZ, because we want to be prepared for the webmail server
> being
> compromised. The trick is to limit what can happen when it is cracked.
> It's
> not so easy with OWA.

Sure. Personally, that is what I would rather do, but often times the
religion doesn't allow it :-(

> When someone builds a stateful or proxy firewall that can disallow
> functions
> within NBT sessions, I will feel happier about permitting NBT through it.
> But not until then.

Sure. I would even like to see MS provide the means to stipulate the type of
authentication and access that can be permitted... but something tells me
that "secure computing" (or whatever their initiative is) doesn't really pay
much attention to these kinds of things... :-(
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards