+1 A one-way trust, where the domain is trusted by the DMZ, is a better compromise, so you can pull data from the DMZ into the interior, but nothing in the DMZ can initiate communication to the interior.

*The nature of the trust says that the DMZ must have some access to know 'what' to trust, so still not a perfect solution.

Erik Goldoff
IT Consultant
Systems, Networks, & Security
' Security is an ongoing process, not a one time event ! '

-----Original Message-----
From: Kurt Buff [mailto:kurt.b...@gmail.com]
Sent: Friday, January 07, 2011 1:12 AM
To: NT System Admin Issues
Subject: Re: AD and firewall ports

We disagree, and with your vast weight of experience, you carry the day. Or perhaps I'm just tired of battling. Whichever, I'm done.

I'll stand by my statement that opening up the firewall in the proposed fashion is a very stupid decision, because it doesn't solve the proposed problem - you might as well not have a firewall at all. Either the machine is trusted, and can sit inside the soft chewy center alongside the DC(s) and other machines, or it isn't trusted, and you need to firewall it, and not allow it to reach inside the network in the proposed fashion.

Kurt
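The trust direction Erik describes (the interior domain is the trusted side, the DMZ domain is the trusting side) is easy to get backwards when the trust is created, and the mistake is invisible at the firewall. The following PowerShell is an added example, not code from anyone in this thread: it audits the trusts seen from an interior-domain DC and flags any trust toward the DMZ domain that runs the wrong way. It assumes the ActiveDirectory module's `Get-ADTrust` output shape (`Target`, `Direction`, `SelectiveAuthentication`, `SIDFilteringQuarantined`); the DMZ domain name and the sample trust objects are constructed placeholders so the function runs without a domain.

```powershell
# Added example (not from the thread): check AD trust direction from the interior domain's side.
# Get-ADTrust direction semantics, as seen from the domain you run it in:
#   Inbound       = Target trusts this domain  (our accounts can be granted access to Target's resources)
#   Outbound      = this domain trusts Target  (Target's accounts can be granted access to our resources)
#   BiDirectional = both
# For the "DMZ trusts the interior" design, the trust to the DMZ must show as Inbound on the interior DC.
# Caveat from the thread still applies: the DMZ DCs need enough reachability to the interior DCs to
# validate the trust, so the firewall rule set is reduced, not eliminated.

function Test-DmzTrustDirection {
    param(
        [Parameter(Mandatory)] [object[]] $Trusts,    # objects shaped like Get-ADTrust output
        [Parameter(Mandatory)] [string]   $DmzDomain  # placeholder DNS name of the DMZ domain
    )
    foreach ($t in $Trusts) {
        if ($t.Target -ne $DmzDomain) { continue }
        # Stringify the Direction enum so the switch compares plain names
        $finding = switch ("$($t.Direction)") {
            'Inbound'       { 'OK: DMZ trusts the interior; interior accounts can pull from the DMZ, DMZ accounts are not granted anything here' }
            'Outbound'      { 'RISK: the interior trusts the DMZ; DMZ accounts can be granted access to interior resources' }
            'BiDirectional' { 'RISK: two-way trust; for authentication this is the flat network Kurt warned about' }
            default         { "UNKNOWN direction '$($t.Direction)'; inspect the trust manually" }
        }
        [pscustomobject]@{
            Target                  = $t.Target
            Direction               = "$($t.Direction)"
            SelectiveAuthentication = $t.SelectiveAuthentication  # limits which trusted accounts may authenticate across
            SIDFilteringQuarantined = $t.SIDFilteringQuarantined  # blocks SIDs from the other side being honoured here
            Finding                 = $finding
        }
    }
}

# Constructed sample trusts so the function runs offline; on a real interior DC replace with:
#   $trusts = Get-ADTrust -Filter *
$sampleTrusts = @(
    [pscustomobject]@{ Target = 'dmz.example.invalid';     Direction = 'Inbound';       SelectiveAuthentication = $true;  SIDFilteringQuarantined = $true  },
    [pscustomobject]@{ Target = 'partner.example.invalid'; Direction = 'BiDirectional'; SelectiveAuthentication = $false; SIDFilteringQuarantined = $false }
)

Test-DmzTrustDirection -Trusts $sampleTrusts -DmzDomain 'dmz.example.invalid' | Format-List
```

Run it on a DC in the interior domain; the partner trust in the sample is deliberately ignored because only trusts whose `Target` is the DMZ domain are evaluated. Any `Outbound` or `BiDirectional` result for the DMZ target means the DMZ's accounts can be given interior access regardless of how tight the firewall is.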