> Well, I'm a bit "anal" on security.

Me too. There's a GREAT paper located at first.org ( http://first.org/resources/guides/#bp11 ). Basically a how-to for locking down a w2003 server in a DMZ. Word of caution: if you follow the steps word-for-word...you will lock down the box so tight, not even a West Virginia teen-ager would complain. I have spent the better part of the last year building and rebuilding and documenting what works for us. I pretty much followed the paper with the exception of a few open source apps (ssh-server http://www.bitvise.com). I am almost finished with editing the paper. If you'd like my take, email me off-line. I have used nessus and nmap against it and from what I can see, it looks fairly secure...at least until the next exploit is uncovered :)

>
> I've put Windows ADS servers in a DMZ before, but I used a UNIX
> server as the KDC for authentication _separate_ from them. It was in
> another DMZ and _only_ port 88 was open to it from that DMZ or the
> LAN. It was not straight-forward either (ADS doesn't like the KDC to
> be on a non-ADS server), but despite what you might have read, it
> _is_ possible. ;->
>
> It really all depends on how much you want to protect your
> authorization.

Currently each machine is in a workgroup, not a domain, with no DC. They are essentially stand-alone servers. I disabled just about all the services I could without sacrificing usability. I went one step further to configure an IPSEC policy for limiting traffic ingress/egress.

> Netscape Directory Server 7.1 is still available in binary format as
> Fedora Directory Server 7.1 (or Red Hat Directory Server 7.1 as a
> commercial option) from the Fedora Directory Server project here:
> http://directory.fedora.redhat.com/wiki/Special:Download
>
> Otherwise, the newer Fedora Directory Server 1.0.2 release, which is
> now a completely GPL/MPL licensed solution, has progressed to the
> point that it works very well and is considered version 7.2 (possibly
> the next Red Hat Directory Server product version number?). Only 2
> modules had to be changed for licensing reasons. I have not
> personally used it yet though:
> http://directory.fedora.redhat.com/wiki/Download
>

Thanks...I will search the Netscape / Fedora docs.

> > I read in the docs that I need to tie OpenFiler into some sort of
> > Authentication server, either LDAP, NIS, AD. Since I really don't
> > see a point of adding another Windows server just for
> > authentication, I was thinking (hoping) of using the
> > Openfiler/CentOS box with LDAP.
> > ???
> Are your Windows servers in the DMZ also ADS DCs?
> If so, then why can't you just use them?

No...explained above. No Domain trusts, trees, forests...etc.

>
> You should be able to use at least NTLMv2 for authentication, if not
> Kerberos (with some, additional setup), and then also LDAP access
> (with minor, additional setup) for user/group mappings.

Currently doing NTLMv2 after tweaking security policy in Local Security MMC.

>
> > I don't want public/guest access, as most of the data will need
> > to be protected from prying eyes. I read in another thread about
> > allowing guest access...but limiting access based on machine, and
> > not some UID/GID. In this case I presume LDAP would not be used.
> >
> Correct. Share-level access can be protected in such a way.

Thanks again. Since I just finished loading a test box with OpenFiler, I will look at share-level access first before implementing LDAP on the OpenFiler box.

~Don

_______________________________________________
Openfiler-users mailing list
[email protected]
https://lists.openfiler.com/mailman/listinfo/openfiler-users
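The "NTLMv2 after tweaking security policy in Local Security MMC" step above is worth verifying rather than trusting, because the MMC only writes two registry values. The following PowerShell audit is an added example, not code from the thread or from OpenFiler: it reads those values on a stand-alone (workgroup) Windows server and reports whether the box is actually set to NTLMv2-only. The value meanings are Microsoft's documented LmCompatibilityLevel table; the function name and its -KeyPath parameter are mine.

```powershell
# Added example, not from the thread: audit the registry values behind the two
# "Network security" settings that make a stand-alone Windows server NTLMv2-only.
# LmCompatibilityLevel = 5 means the box sends only NTLMv2 and refuses LM/NTLM
# from clients; NoLMHash = 1 stops the weak LM hash being stored on the next
# password change. Both live under the Lsa key that the Local Security MMC edits.
$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# Documented meanings of "Network security: LAN Manager authentication level".
$LmLevelText = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM - use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only. Refuse LM'
    5 = 'Send NTLMv2 response only. Refuse LM & NTLM'
}

function Test-NtlmV2Only {
    # -KeyPath is mine, so the same check can be pointed at an exported/loaded hive.
    param([string]$KeyPath = $LsaKey)
    $lsa = Get-ItemProperty -Path $KeyPath

    # A missing value means the OS default applies, and that default differs by
    # Windows version, so report "not set" as unverified instead of guessing.
    $level    = $lsa.LmCompatibilityLevel
    $noLmHash = $lsa.NoLMHash

    $findings = @()
    if ($level -eq $null) {
        $findings += 'LmCompatibilityLevel not set explicitly; OS default applies'
    } elseif ([int]$level -lt 5) {
        $findings += ('LmCompatibilityLevel = {0} ({1}); LM or NTLM still accepted' -f `
                      $level, $LmLevelText[[int]$level])
    }
    if ($noLmHash -ne 1) {
        $findings += 'NoLMHash is not 1; LM hashes may still be stored'
    }

    New-Object PSObject -Property @{
        Computer             = $env:COMPUTERNAME
        LmCompatibilityLevel = $level
        NoLMHash             = $noLmHash
        NtlmV2Only           = ($findings.Count -eq 0)
        Findings             = $findings
    }
}

Test-NtlmV2Only | Format-List
```

Run it on each of the workgroup servers after the policy tweak; a result with NtlmV2Only = False lists exactly which of the two settings still needs changing.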
