Honestly, to your network-guy: Security by obscurity is not a security
framework I would be subscribing to. 

 

If no servers in the DMZ were allowed to talk through a perimeter
firewall (separating the DMZ from the internal net), then they aren't going
to be able to touch the internal LAN.

 

Depending on how the network is set up, and whether there are any internal
firewalls or access lists on the routers, the LAN-to-LAN
"island-hopping", as we call it, may or may not be available.

 

Z

 

 

 

Edward E. Ziots

CISSP, Network +, Security +

Network Engineer

Lifespan Organization

Email: ezi...@lifespan.org

Cell: 401-639-3505

 

From: David Lum [mailto:david....@nwea.org] 
Sent: Wednesday, December 01, 2010 5:49 PM
To: NT System Admin Issues
Subject: RE: 2008 R2 RDS (was Terminal Server)in DMZ to 2K3 DC in LAN

 

From my network guy: "If someone were to gain access to a machine in the
DMZ they will only have direct network access to other machines in the
DMZ. However, if someone were to gain access to a machine on the LAN,
they would have direct access to any other machine on the LAN. Limiting
the ports and servers a machine in the DMZ can connect to further limits
the access someone would have should they gain access."

 

I understand what he's saying, but what the practical difference is I
don't know. It might be worth noting that this guy also believes in "security
by obscurity", one area where we don't see eye to eye...

David Lum // SYSTEMS ENGINEER 
NORTHWEST EVALUATION ASSOCIATION
(Desk) 971.222.1025 // (Cell) 503.267.9764

From: Michael B. Smith [mailto:mich...@smithcons.com] 
Sent: Wednesday, December 01, 2010 2:35 PM
To: NT System Admin Issues
Subject: RE: 2008 R2 RDS (was Terminal Server)in DMZ to 2K3 DC in LAN

 

I agree with James. I can't see any realistic reason why you shouldn't
do that.

 

Regards,

 

Michael B. Smith

Consultant and Exchange MVP

http://TheEssentialExchange.com

 

From: David Lum [mailto:david....@nwea.org] 
Sent: Wednesday, December 01, 2010 5:30 PM
To: NT System Admin Issues
Subject: RE: 2008 R2 RDS (was Terminal Server)in DMZ to 2K3 DC in LAN

 

From your suggestion I have actually asked my network guy about exactly
this. There's likely some reason not to do this, but I don't fear
looking like an idiot, so I asked.

 

Anyone here want to educate me on why we shouldn't do this? Probably get
replies faster here than my network guy who is slammed...

David Lum // SYSTEMS ENGINEER 
NORTHWEST EVALUATION ASSOCIATION
(Desk) 971.222.1025 // (Cell) 503.267.9764

From: James Hill [mailto:james.h...@superamart.com.au] 
Sent: Wednesday, December 01, 2010 2:06 PM
To: NT System Admin Issues
Subject: RE: 2008 R2 RDS (was Terminal Server)in DMZ to 2K3 DC in LAN

 

Just stick the thing on the inside, open up 443 to it and the rest of
this pain will go away.

 

 

From: David Lum [mailto:david....@nwea.org] 
Sent: Thursday, 2 December 2010 8:06 AM
To: NT System Admin Issues
Subject: RE: 2008 R2 RDS (was Terminal Server)in DMZ to 2K3 DC in LAN

 

I'm talking about the RDS server finding (not being) a DNS server. The
RDS (formerly Terminal Server) gateway has to resolve machine names and
find a DC somehow, doesn't it? I guess an alternative would be to maintain
a HOSTS file, right?

 

Dave

 

From: -sc likes it when we configure our display name
[mailto:don....@gmail.com] 
Sent: Wednesday, December 01, 2010 2:01 PM
To: NT System Admin Issues
Subject: Re: 2008 R2 RDS (was Terminal Server)in DMZ to 2K3 DC in LAN

 

Ok, so let me ask you this, what specifically is TCP 53 used for? I'm
probably missing the boat here since I'm not sure if we are talking
about running DNS on a terminal server...

Sent from my Verizon Wireless BlackBerry

________________________________

From: David Lum <david....@nwea.org> 

Date: Wed, 1 Dec 2010 13:54:02 -0800

To: NT System Admin Issues<ntsysadmin@lyris.sunbelt-software.com>

ReplyTo: "NT System Admin Issues"
<ntsysadmin@lyris.sunbelt-software.com>

Subject: RE: 2008 R2 RDS (was Terminal Server)in DMZ to 2K3 DC in LAN

 

Because DNS uses port 53?

 

From: -sc likes it when we configure our display name
[mailto:don....@gmail.com] 
Sent: Wednesday, December 01, 2010 1:49 PM
To: NT System Admin Issues
Subject: Re: 2008 R2 RDS (was Terminal Server)in DMZ to 2K3 DC in LAN

 

Why TCP 53 for my edification?

Sent from my Verizon Wireless BlackBerry

________________________________

From: David Lum <david....@nwea.org> 

Date: Wed, 1 Dec 2010 13:47:07 -0800

To: NT System Admin Issues<ntsysadmin@lyris.sunbelt-software.com>

ReplyTo: "NT System Admin Issues"
<ntsysadmin@lyris.sunbelt-software.com>

Subject: RE: 2008 R2 RDS (was Terminal Server)in DMZ to 2K3 DC in LAN

 

Conveniently, 443 is the only open port in the firewall between the
server and the Internet. It's the ports between it and the DCs I need
to open, and from what I've read over the last couple of days, this is what I
need for a machine to be able to authenticate with a DC:

TCP/UDP port 88 (Kerberos)
TCP port 135 (RPC)
TCP/UDP port 389 (LDAP)
TCP ports > 1024 (RPC) *

 

* This is where you use KB154596 to limit this range.

 

If you need DNS from the same box, then add TCP/UDP 53.

David Lum // SYSTEMS ENGINEER 
NORTHWEST EVALUATION ASSOCIATION
(Desk) 971.222.1025 // (Cell) 503.267.9764

From: Michael B. Smith [mailto:mich...@smithcons.com] 
Sent: Wednesday, December 01, 2010 1:31 PM
To: NT System Admin Issues
Subject: RE: 2008 R2 RDS (was Terminal Server)in DMZ to 2K3 DC in LAN

 

Oh, BTW: the recommendation, if TMG/ISA/UAG (or another
layer-7 firewall) aren't possible, is simply to open 443 inside.

 

Regards,

 

Michael B. Smith

Consultant and Exchange MVP

http://TheEssentialExchange.com

 

From: David Lum [mailto:david....@nwea.org] 
Sent: Wednesday, December 01, 2010 4:29 PM
To: NT System Admin Issues
Subject: RE: 2008 R2 RDS (was Terminal Server)in DMZ to 2K3 DC in LAN

 

Yep, that much I knew, but thanks for clarifying here. A registry entry
will allow you to use a narrow range for high ports:

http://support.microsoft.com/kb/154596

 

Dave

 

From: Free, Bob [mailto:r...@pge.com] 
Sent: Wednesday, December 01, 2010 1:14 PM
To: NT System Admin Issues
Subject: RE: 2008 R2 RDS (was Terminal Server)in DMZ to 2K3 DC in LAN

 

> RPC normally uses random ports above 1024 for specific RPC
> communications

 

Since the OP was talking about 2008 R2, it's noteworthy that in 2K8 and above
the RPC range (AKA the randomly allocated high TCP ports for RPC) is
49152-65535, not 1024-65535.

 

From: VIPCS [mailto:vi...@stny.rr.com] 
Sent: Monday, November 29, 2010 7:57 PM
To: NT System Admin Issues
Subject: RE: 2008 R2 RDS (was Terminal Server)in DMZ to 2K3 DC in LAN

 

Sidestepping the follow-on question of whether a domain is appropriate
in the first place, port 445 seems to be missing (it is used for some
RPC functions), and possibly ports 137-139 (for NetBIOS). You should run
netstat -a -b -n to see what ports are open on the internal AD server,
and also check the firewall logs to see what ports are being blocked
when you try to authenticate (if you have not already).

 

RPC normally uses random ports above 1024 for specific RPC
communications between client/server applications, but there are
registry changes that can restrict the range of ports used.

 

Sincerely,

 

Jeffrey and Mary Jane Harris

VIPCS
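The "check the firewall logs" step above is the one that actually answers the question of which ports are still blocked. The script below is an added example (not from the thread or any of its participants) that does that check offline: it parses a constructed sample of perimeter-firewall allow/deny lines, keeps only the denies from the DMZ host to the DC, and labels each blocked port with the AD service the thread associates with it. The log line format, the host addresses and the `rpc_range` parameter are assumptions; a real firewall's export will need its own regular expression.

```python
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample of perimeter-firewall log lines. The line format is an
# assumption for this example (real firewalls log differently); 10.1.2.50 plays
# the DMZ RDS server and 10.0.0.10 the internal DC.
SAMPLE_LOG = """\
2010-11-29 13:10:02 DENY TCP 10.1.2.50:51234 -> 10.0.0.10:445
2010-11-29 13:10:02 DENY UDP 10.1.2.50:55011 -> 10.0.0.10:88
2010-11-29 13:10:03 ALLOW TCP 10.1.2.50:51235 -> 10.0.0.10:135
2010-11-29 13:10:03 DENY TCP 10.1.2.50:51236 -> 10.0.0.10:1027
2010-11-29 13:10:04 DENY TCP 10.1.2.50:51237 -> 10.0.0.10:445
2010-11-29 13:10:05 DENY TCP 192.0.2.7:40000 -> 10.0.0.10:3389
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<action>ALLOW|DENY) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Well-known AD ports named in the thread, keyed by (protocol, port).
KNOWN_PORTS: Dict[Tuple[str, int], str] = {
    ("TCP", 53): "DNS", ("UDP", 53): "DNS",
    ("TCP", 88): "Kerberos", ("UDP", 88): "Kerberos",
    ("TCP", 135): "RPC endpoint mapper",
    ("TCP", 389): "LDAP", ("UDP", 389): "LDAP",
    ("TCP", 445): "SMB / RPC over SMB",
    ("UDP", 137): "NetBIOS name", ("UDP", 138): "NetBIOS datagram",
    ("TCP", 139): "NetBIOS session",
}


def blocked_ports(log_text: str, src_host: str, dc_hosts: set) -> Counter:
    """Count DENY events from the DMZ host to the DCs, keyed by (proto, dst port)."""
    counts: Counter = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["action"] != "DENY":
            continue
        # Ignore traffic that is not the DMZ host talking to a DC.
        if m["src"] != src_host or m["dst"] not in dc_hosts:
            continue
        counts[(m["proto"], int(m["dport"]))] += 1
    return counts


def classify(proto: str, port: int, rpc_range: Tuple[int, int]) -> str:
    """Name the service behind a blocked port. Unknown TCP ports inside the DC's
    dynamic RPC range are reported as such rather than dismissed as noise."""
    if (proto, port) in KNOWN_PORTS:
        return KNOWN_PORTS[(proto, port)]
    if proto == "TCP" and rpc_range[0] <= port <= rpc_range[1]:
        return "RPC dynamic range"
    return "unknown"


def report(log_text: str, src_host: str, dc_hosts: set,
           rpc_range: Tuple[int, int] = (1025, 65535)) -> List[Tuple[str, int, str, int]]:
    """Return [(proto, port, service, deny count)], most-blocked first.
    rpc_range defaults to the thread's ">1024"; pass (49152, 65535) for a
    2008+ DC or the narrowed range if KB154596 has been applied."""
    counts = blocked_ports(log_text, src_host, dc_hosts)
    rows = [(proto, port, classify(proto, port, rpc_range), n)
            for (proto, port), n in counts.items()]
    return sorted(rows, key=lambda r: (-r[3], r[0], r[1]))


if __name__ == "__main__":
    for proto, port, service, n in report(SAMPLE_LOG, "10.1.2.50", {"10.0.0.10"}):
        print(f"{proto} {port:>5}  {service:<22} blocked {n}x")
```

Run against the sample, the report shows TCP 445 (the port VIPCS says is missing) as the most frequently blocked, UDP 88 (only TCP 88 was allowed), and one hit in the dynamic RPC range; the ALLOW line and the deny from an unrelated source are ignored.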

 

________________________________

From: David Lum [mailto:david....@nwea.org] 
Sent: Monday, November 29, 2010 1:09 PM
To: NT System Admin Issues
Subject: 2008 R2 RDS (was Terminal Server)in DMZ to 2K3 DC in LAN

 

I have a 2008 R2 server in a DMZ and I need it to authenticate with
our AD, but it tells me "domain is not available".

 

Per this article:

http://blogs.msdn.com/b/rds/archive/2009/07/31/rd-gateway-deployment-in-a-perimeter-network-firewall-rules.aspx

 

I have the following firewall rules from the DMZ server --> inbound.
RADIUS is not used.

 

TCP/UDP 53 (DNS) --> DC's
TCP 88 (Kerberos) --> DC's
TCP 135 (RPC) --> DC's
TCP/UDP 389 (LDAP) --> DC's, RDS servers
TCP/UDP 443 (SSL) --> DC's, RDS servers
TCP/UDP 24158 (WMI) --> RDS servers * (I set this port to be fixed on
the RDS servers)
TCP 3389 (RDP) --> LAN
TCP 5504 --> RDS Broker

 

Do I also need to have TCP > 1024 opened up? I can't log into this
system via a domain account.

David Lum // SYSTEMS ENGINEER 
NORTHWEST EVALUATION ASSOCIATION
(Desk) 971.222.1025 // (Cell) 503.267.9764
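The question the whole thread circles around is whether the rule list above covers everything a member server needs to authenticate to a DC, and in particular what the "TCP > 1024" line really means. The script below is an added example (not from the thread or any of its participants) that encodes the DMZ --> DC rules from the original post and the port requirements the replies name (Kerberos 88 TCP/UDP, RPC endpoint mapper 135, LDAP 389 TCP/UDP, 445, DNS 53, plus the dynamic RPC range) and reports the gaps. The dynamic RPC range is a parameter because it depends on the DC: the thread gives ">1024" generically, 49152-65535 for 2008 and later, and a narrowed range if KB154596 has been applied. The `PortRule` class, the `"DC"` destination label and the interval-coverage check are this example's own constructions.

```python
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class PortRule:
    """One firewall allow rule: protocol, inclusive port range, and the
    destination group it points at (the "DC" label is hypothetical)."""
    proto: str
    low: int
    high: int
    dest: str


# Constructed from the DMZ --> LAN rule list in the original post (DC rules only;
# the RDS-server, broker and RDP rules do not bear on DC authentication).
DMZ_RULES = [
    PortRule("TCP", 53, 53, "DC"), PortRule("UDP", 53, 53, "DC"),      # DNS
    PortRule("TCP", 88, 88, "DC"),                                     # Kerberos, TCP only
    PortRule("TCP", 135, 135, "DC"),                                   # RPC endpoint mapper
    PortRule("TCP", 389, 389, "DC"), PortRule("UDP", 389, 389, "DC"),  # LDAP
    PortRule("TCP", 443, 443, "DC"), PortRule("UDP", 443, 443, "DC"),  # SSL
]

Requirement = Tuple[str, str, int, int, str]  # (name, proto, low, high, dest)


def ad_auth_requirements(rpc_low: int, rpc_high: int) -> List[Requirement]:
    """Ports the thread names for a member server to authenticate to a DC.
    The dynamic RPC range is passed in: ">1024" in the thread's generic form,
    49152-65535 for 2008+ DCs, or the narrowed range set via KB154596."""
    return [
        ("DNS", "TCP", 53, 53, "DC"), ("DNS", "UDP", 53, 53, "DC"),
        ("Kerberos", "TCP", 88, 88, "DC"), ("Kerberos", "UDP", 88, 88, "DC"),
        ("RPC endpoint mapper", "TCP", 135, 135, "DC"),
        ("LDAP", "TCP", 389, 389, "DC"), ("LDAP", "UDP", 389, 389, "DC"),
        ("SMB / RPC over SMB", "TCP", 445, 445, "DC"),
        ("RPC dynamic range", "TCP", rpc_low, rpc_high, "DC"),
    ]


def covered(rules: Iterable[PortRule], proto: str, low: int, high: int, dest: str) -> bool:
    """True if the union of the matching rules' port intervals covers [low, high]
    with no hole. Works for single ports and for ranges split over several rules."""
    intervals = sorted((r.low, r.high) for r in rules
                       if r.proto == proto and r.dest == dest)
    cursor = low                  # first port not yet proven reachable
    for a, b in intervals:
        if a > cursor:            # hole between cursor and this rule
            return False
        cursor = max(cursor, b + 1)
        if cursor > high:
            return True
    return cursor > high


def find_gaps(rules: Iterable[PortRule], requirements: List[Requirement]) -> List[Tuple[str, str, int, int]]:
    """Requirements not satisfied by the rule set, as (name, proto, low, high)."""
    rules = list(rules)
    return [(name, proto, low, high)
            for name, proto, low, high, dest in requirements
            if not covered(rules, proto, low, high, dest)]


if __name__ == "__main__":
    for rpc in ((1025, 65535), (49152, 65535)):
        print(f"with dynamic RPC range {rpc[0]}-{rpc[1]}:")
        for name, proto, low, high in find_gaps(DMZ_RULES, ad_auth_requirements(*rpc)):
            span = f"{low}" if low == high else f"{low}-{high}"
            print(f"  missing: {proto} {span}  ({name})")
```

Against the posted rule set this reports three gaps whatever dynamic range you choose: UDP 88 (only TCP 88 was opened), TCP 445 (the port VIPCS flagged), and the dynamic RPC range itself. Adding those three rules, with the range narrowed per KB154596 if the DC has been configured that way, makes `find_gaps` return an empty list.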

 

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~

---
To manage subscriptions click here:
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin
