Home page logo

basics logo Security Basics mailing list archives

Re: Question about DMZ Domain Member and Virus Membership
From: Ansgar -59cobalt- Wiechers <bugtraq () planetcobalt net>
Date: Mon, 20 Mar 2006 21:10:52 +0100

On 2006-03-19 Adam T wrote:
I would like to know what is the best practice method to configure
Windows Servers in the DMZ. Should they be a part of the domain and
therefore open ports to allow authentication?

Most definitely not. Allowing connections from DMZ to LAN is a very bad
thing and should only be done if you know EXACTLY what you're doing.

Or should they be kept as standalone servers?

Maybe it's possible to replicate the relevant portion of the authenti-
cation data from the DC to the DMZ servers. If not, it is better to
leave them as standalone servers.

I also have my virus scanners on these machines but they are not in
contact with the Primary Virus Server should I allow these ports
through the firewall?

No. Push the definition files from your primary server to a server in
the DMZ and have the virus scanners update their definitions from this
server. If you need the logs: pull/query them from the LAN.

Ansgar Wiechers
"All vulnerabilities deserve a public fear period prior to patches
becoming available."
--Jason Coombs on Bugtraq

The Norwich University program offers unparalleled Infosec management 
education and the case study affords you unmatched consulting experience. 
Tailor your education to your own professional goals with degree 
customizations including Emergency Management, Business Continuity Planning, 
Computer Emergency Response Teams, and Digital Investigations. 


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]