(Sent to the firewalls list: ancient topic, but I guess there are people on the list who still benefit from this info...)

Someone wrote (off-list):

> Mikael, I benefited from your post re: OWA security, thanks. Can I
> ask you to explain a particular point of yours (that I pasted below).
> [huge snip]
> > 10) OWA and Exchange in internal net, separated NT domains, one-way
> > trust to Exchange domain [Brian Steele]

Well, I must admit that I've never _done_ it myself, but it seems reasonable. (That is, I wouldn't place those two machines in the internal network, but the trust part makes sense.)

What you do, basically, is have the Exchange server be a member of the "MYFAKEDOMAIN" domain. Configure MYFAKEDOMAIN to trust the "MYCOMPANY" domain, where everything else lives. Don't configure the DCs of the MYCOMPANY domain to trust MYFAKEDOMAIN. This way, logon attempts on the Exchange server _should_ work, since it'll be able to look up the credentials in MYCOMPANY.

The OWA server should probably be a plain member server in MYFAKEDOMAIN. I wouldn't have it be a (backup) domain controller, since the OWA server is most likely the weakest point in the setup -- if the OWA server is a PDC or BDC, exploits that result in localsystem access on the OWA server easily lead to full compromise of MYFAKEDOMAIN (if nothing else, BDCs have a complete copy of the SAM, which makes it a lot easier to run L0phtCrack).

So, who gets to be PDC for MYFAKEDOMAIN? Well, if you have a separate machine for this job, that would probably be best, but if you really don't want to add a third machine to the mix, you could have the Exchange server do the PDC job. As I said earlier, the OWA server shouldn't have anything to do with domain controlling.

...

Was this what you were looking for, or did I misinterpret your question?
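To make the trust-direction and DC-role rules above checkable, here is a small model of NT4-style one-way trusts, added as an illustration and not part of the original post or any Windows API; the domain names, host names and server roles are the hypothetical ones from the post, and `audit()` lists what deviates from the recommended layout.

```python
"""Added example: NT4-style trust rules in code, used to audit the
OWA/Exchange layout. Not a Windows API; names are hypothetical."""


def can_logon(layout, server, account_domain):
    """True if the server's domain is account_domain or directly trusts it.
    NT4 trusts are not transitive, so only a direct trust counts."""
    d = layout["members"][server]
    return d == account_domain or account_domain in layout["trusts"].get(d, set())


def audit(layout, owa, exchange, internal):
    """Return findings for the perimeter layout (an empty list == as recommended)."""
    findings = []
    dmz = layout["members"][exchange]
    # 1. The Exchange server must be able to look up internal credentials,
    #    which requires the DMZ domain to trust the internal one.
    if not can_logon(layout, exchange, internal):
        findings.append(f"{exchange} cannot authenticate {internal} users: {dmz} must trust {internal}")
    # 2. The internal domain must NOT trust the DMZ domain, or accounts from a
    #    compromised DMZ domain are accepted by internal resources.
    if dmz in layout["trusts"].get(internal, set()):
        findings.append(f"{internal} trusts {dmz}: DMZ compromise reaches internal resources")
    # 3. The exposed OWA server must be a plain member server; a BDC holds a
    #    full copy of the SAM.
    role = layout["roles"].get(owa, "member")
    if role != "member":
        findings.append(f"{owa} is a {role}: localsystem there yields the {dmz} SAM")
    return findings


# Constructed sample: the layout the post recommends (one-way trust only).
RECOMMENDED = {
    "members": {"owa": "MYFAKEDOMAIN", "exchange": "MYFAKEDOMAIN", "fileserver": "MYCOMPANY"},
    "roles": {"owa": "member", "exchange": "PDC"},
    "trusts": {"MYFAKEDOMAIN": {"MYCOMPANY"}},  # MYFAKEDOMAIN trusts MYCOMPANY
}

# Constructed sample: the common mistake, a two-way trust with OWA as a BDC.
TWO_WAY = {
    "members": RECOMMENDED["members"],
    "roles": {"owa": "BDC", "exchange": "PDC"},
    "trusts": {"MYFAKEDOMAIN": {"MYCOMPANY"}, "MYCOMPANY": {"MYFAKEDOMAIN"}},
}

if __name__ == "__main__":
    for name, layout in (("recommended", RECOMMENDED), ("two-way", TWO_WAY)):
        print(name, audit(layout, "owa", "exchange", "MYCOMPANY") or ["ok"])
```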
/Mikael Olsson

--
Mikael Olsson, EnterNet Sweden AB, Box 393, SE-891 28 ÖRNSKÖLDSVIK
Phone: +46 (0)660 29 92 00   Direct: +46 (0)660 29 92 05
Mobile: +46 (0)70 66 77 636   Fax: +46 (0)660 122 50
WWW: http://www.enternet.se/   E-mail: [EMAIL PROTECTED]

On bosses and technology: "There are bosses who don't know, and there are bosses who don't know that they don't know" /Anonymous techie
