P.S.... I forgot to mention something regarding this part of your post:
On 5/17/06 12:31 PM, "Devin Ganger" <[EMAIL PROTECTED]> spoketh to all:

> All Exchange 2000/2003 servers require GC access. If you cut off an Exchange
> server from a GC, you can suffer any number of errors, from subtle
> impossible-to-diagnose glitches to message routing errors to flat-out
> services not starting, depending on your configuration.

You are dead-on right about troubleshooting in a least-privilege environment. It can really be a PITA unless you actually plan for how to troubleshoot up front. But if you scope everything out first and have a road-map into your least-privileged network, things are much easier (and faster). This is why I include the following segment in my ISA Ninjitsu Blackhat Training:

ISA Xtreame: Least Privilege Intranet Firewall Segments
- Server-client segmentation
- Locking down internal traffic
- Deploying "least privilege" rules
- Security in depth segmentation
- Living With Yourself After the Fact: troubleshooting connectivity issues in least privileged environments

Note the last "Living with yourself" bit... Yes, it is true that when you create true network separation in a least-privilege environment you have to change the way you troubleshoot connection issues. You just can't ping whatever host you want; you can't just telnet to 25 to see if you connect to the SMTP listener (unless you are coming from the SMTP gateway and to, and ONLY to, the SMTP server(s)). You can't resolve DNS from just anywhere... But once you get the mindset down, you would be amazed at how tight you can make things, even on the internal network.

So, it is not so easy sometimes, but it *is* tight.

t
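The "road-map" idea above (knowing in advance which host is allowed to reach which listener from where, so a failed connection is expected rather than a mystery) can be written down and checked mechanically. The script below is an added example, not part of the original post and not an ISA Server feature: it keeps a small table of expected flows (all hostnames, roles and ports are constructed placeholders), runs only the rows that apply to the machine the check is run from, and reports where reality diverges from the plan in either direction. An unexpected open port is flagged just as loudly as an unexpected closed one, since the first is a gap in the least-privilege rule set and the second is the troubleshooting case the post describes.

```python
import socket
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

@dataclass(frozen=True)
class Flow:
    """One row of the connectivity road-map: who may talk to what, on which port."""
    name: str
    src_role: str        # role of the host the probe must be run from
    dst_host: str        # destination host (constructed placeholder names below)
    dst_port: int
    expected_open: bool  # True = rule set should allow it, False = should block it

# Constructed road-map for a segmented intranet (hypothetical hosts and roles).
ROADMAP: List[Flow] = [
    Flow("gateway->smtp",      "smtp-gateway", "mail.corp.example",  25,  True),
    Flow("workstation->smtp",  "workstation",  "mail.corp.example",  25,  False),
    Flow("workstation->dns",   "workstation",  "dns1.corp.example",  53,  True),
    Flow("gateway->dns",       "smtp-gateway", "dns1.corp.example",  53,  False),
    Flow("exchange->gc-ldap",  "exchange",     "gc1.corp.example",   3268, True),
    Flow("workstation->gc",    "workstation",  "gc1.corp.example",   3268, False),
]

# Probe signature: (host, port) -> True if a TCP connection succeeded.
Probe = Callable[[str, int], bool]

def tcp_probe(host: str, port: int, timeout: float = 2.0) -> bool:
    """Real probe: attempt a TCP connect; any socket error counts as 'closed'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def classify(flow: Flow, actual_open: bool) -> str:
    """Compare the observed state against the road-map for this flow."""
    if actual_open == flow.expected_open:
        return "ok"
    # Open when it should be blocked: a hole in the least-privilege rules.
    # Closed when it should be allowed: the troubleshooting case to chase.
    return "unexpected-open" if actual_open else "unexpected-closed"

def check_from(role: str, flows: List[Flow], probe: Probe = tcp_probe) -> List[Tuple[Flow, bool, str]]:
    """Run only the flows that are meant to originate from `role`.

    Running a row from the wrong host proves nothing: a block is expected there.
    """
    results = []
    for flow in flows:
        if flow.src_role != role:
            continue
        actual = probe(flow.dst_host, flow.dst_port)
        results.append((flow, actual, classify(flow, actual)))
    return results

def summarize(results: List[Tuple[Flow, bool, str]]) -> Dict[str, int]:
    """Count verdicts so a zero for both 'unexpected-*' keys means the plan holds."""
    counts = {"ok": 0, "unexpected-open": 0, "unexpected-closed": 0}
    for _, _, verdict in results:
        counts[verdict] += 1
    return counts

if __name__ == "__main__":
    # Stand-alone run uses the real TCP probe; nothing here resolves unless the
    # placeholder names exist, so every row will report 'closed' on a lab box.
    for flow, actual, verdict in check_from("workstation", ROADMAP):
        state = "open" if actual else "closed"
        print(f"{verdict:17s} {flow.name:20s} {flow.dst_host}:{flow.dst_port} ({state})")
```

In practice the probe is swapped for whatever the segment permits (a scripted SMTP `EHLO` from the gateway, an LDAP bind from the Exchange server) and the road-map lives with the firewall rule set, so that when a ticket says "mail is stuck" the first question is whether the flow was ever supposed to work from that host.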
