Well articulated James, I have a client who has been running SBS 2000 with ISA installed and has never in all these years had a security breach, tho' many have tried. There is no problem with a loaded SBS server, 2000 or 2003... as long as it's done right.

Steve

-----Original Message-----
From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
Sent: Tuesday, July 27, 2004 3:44 PM
To: Isa Weblist
Subject: [isalist] RE: 838376 - Cannot connect to a published service from the external network when the published service is running directly on the ISA Server 2004 computer

http://www.ISAserver.org

Unscrew the top of your head and let some light in.

It's exactly this sort of self-serving, elitist rhetoric that causes folks to feel like they "just can't do it". There isn't and never will be "just one right way" to do something. There are external factors that are not always controllable. Security is and will always be a balancing act between requirements, money and hardware resources. "Fast, secure or cheap; choose two" is one of my favorite quotes.

Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://www.microsoft.com/isaserver
http://isaserver.org/Jim_Harrison
http://isatools.org
Read the help, books and articles!

----- Original Message -----
From: "Troy Radtke" <TRadtke@xxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Tuesday, July 27, 2004 06:31
Subject: [isalist] RE: 838376 - Cannot connect to a published service from the external network when the published service is running directly on the ISA Server 2004 computer

http://www.ISAserver.org

Which is why you'll never see anyone in their right mind running SBS who expects the same level of protection from a dedicated system. I forwarded that e-mail from Tom to the guys at work, and the first thing they did is say: Look at ISA! It's a piece of junk since you've gotta do a workaround just to make stuff even work on the box! You never have that problem with a PIX!
If your boss won't look at the cost justification of buying a low-end desktop to run a service, all I have to say to any financial institution is: how much is the cost of an FDIC audit in terms of your labor? Pulling 50% of the IT staff into meetings with the FBI/FDIC/Secret Service (yes, the Secret Service is involved in these types of audits) for 2 months, along with hiring a small army of people to produce all your audit trails for the past 7 years, is by FAR more expensive than any server that I can think of....

What I was getting at in my first e-mail is that since you can't even install services on a PIX, you'd need to purchase or use another server anyways, which is why you should leave things off of an ISA box and just not even open yourself up to a service exploit.....

Troy

-----Original Message-----
From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
Sent: Tuesday, July 27, 2004 12:16 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: 838376 - Cannot connect to a published service from the external network when the published service is running directly on the ISA Server 2004 computer

http://www.ISAserver.org

"Hardware"; thpthpthpthpthp

Please drop this blatant BS; until it's implemented in the ASICs, it ain't "hardware".

Facts:
- Installing a service on any machine is only as functional or secure as the person deploying / securing it.
- There are folks with more motivation than $$.
- These same folks need an answer, not attitude.
- Placing services on the firewall is not for the faint of heart; this is why the SBS folks spend years perfecting the compromise.

Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://www.microsoft.com/isaserver
http://isaserver.org/Jim_Harrison
http://isatools.org
Read the help, books and articles!
----- Original Message -----
From: "Troy Radtke" <TRadtke@xxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Monday, July 26, 2004 09:10
Subject: [isalist] RE: 838376 - Cannot connect to a published service from the external network when the published service is running directly on the ISA Server 2004 computer

http://www.ISAserver.org

Installing services on your ISA box is like hiring a blind, deaf bodyguard and expecting him to walk you to the other side of the street..... Only bad things can happen.....

Suggestion: The service you've installed can't be mission critical, otherwise you'd have a dedicated server..... BYOS (build your own @#(*$&)@(#*ing server) or put it on a cheap POJ (Piece of Junk) box....

Besides, I'd love to see someone try and install a service on a PIX box anyways...... so the hardware firewall people can't even bring this up as a 'flaw'...... even though I am a fan of hardware at the entrance for bulk processing of incoming/outgoing traffic......

-----Original Message-----
From: Ray Dzek [mailto:rdzek@xxxxxxxxxxxxxxx]
Sent: Monday, July 26, 2004 10:35 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: 838376 - Cannot connect to a published service from the external network when the published service is running directly on the ISA Server 2004 computer

http://www.ISAserver.org

They left out the most obvious solution, and the one which is usually the most correct... Move the service to something besides your firewall.
Ray Dzek
Network Operations Supervisor
Specialized Bicycle Components

-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
Sent: Monday, July 26, 2004 7:10 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] 838376 - Cannot connect to a published service from the external network when the published service is running directly on the ISA Server 2004 computer

http://www.ISAserver.org

Very interesting KB article and an issue that I'm sure will generate a lot of heat in the coming months.

838376 - Cannot connect to a published service from the external network when the published service is running directly on the ISA Server 2004 computer:
http://support.microsoft.com/default.aspx?scid=kb;en-us;838376

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
World of Windows Networking: http://www.windowsnetworking.com
Leading Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------