Home page logo
/

basics logo Security Basics mailing list archives

Re: secure sharepoint 2010 design
From: Ansgar Wiechers <bugtraq () planetcobalt net>
Date: Wed, 11 Aug 2010 11:00:04 +0200

On 2010-08-10 Boyd, Chad wrote:
My DC's are segmented from my workstations.
http://www.sans.org/reading_room/whitepapers/hsoffice/design-secure-network-segmentation-approach_1645 (PDF)

I didn't say it can't be done, I said it's pointless to do it.

While most of the advice in that PDF is good in general, implementing
the firewall traffic map from chapter 3 will break a Windows domain. See
MSKB 832017 [1] for an overview of the required ports for various
Windows services, particularly NetBIOS, DirectSMB, NetLogon and Group
Policy.

BTW, (client-side) DNS requires port 53/tcp in addition to port 53/udp.
It's a common misunderstanding that port 53/tcp were used only for zone
transfers. DNS also uses TCP connections when an answer to a name lookup
is too large for a single UDP packet.

To be clear, proper network segmentation can be a pain to set up...and
can be a bit expensive depending on the environment, but:
- Once it is set up, the security makes me sleep a bit better at night.
- If there's some crazy virus outbreak or compromise, it's a lot
  harder for an attacker to take down everything.

True in general, but not for (Windows) DCs.

[...]
Why do you lock your car doors?
When you trust the person you locked in the front seat to never unlock
the car, why worry?

Going with this analogy: placing your DCs in a different network segment
is like locking your car doors with all the windows open.

[1] http://support.microsoft.com/kb/832017/

Regards
Ansgar Wiechers
-- 
"All vulnerabilities deserve a public fear period prior to patches
becoming available."
--Jason Coombs on Bugtraq

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, how 
it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, 
install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are 
highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]