For my 2c, I read the deployment scenarios for Exchange with interest and came to the conclusion that without re-drawing our security policy (which we clearly don't have the inkling, need or time to do) we would have to define a model to fit within our environment. Personally I would weigh up the pros and cons of a DM vs WG solution and choose the best fit for our environment. Having said that, I can't remember seeing a DM type scenario deployed at the edge that didn't open a greater attack surface than using WG and securing connections to the LAN using other methods. The benefits of management to me are a side issue and are not really the basis on which I make my security related deployments. Maybe I am lucky that I can afford to look at the security posture first and design from there; others may not be so lucky, but that's how I roll. Basically it came down to: do the supported deployment scenarios fit into our security model? If so then that's how we do it. If not then we look at using a custom made edge solution (which we currently use) and they won't get an edge license out of us!

Greg

________________________________________
From: isalist-bounce@xxxxxxxxxxxxx [isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God) [thor@xxxxxxxxxxxxxxx]
Sent: Monday, 17 August 2009 6:46 AM
To: ISA Mailing List
Subject: [isalist] Re: New Articles on Tales

http://www.ISAserver.org
-------------------------------------------------------

In line:

-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
Sent: Sunday, August 16, 2009 12:49 PM
To: ISA Mailing List
Subject: [isalist] Re: New Articles on Tales

http://www.ISAserver.org
-------------------------------------------------------

Answer to Han, take 2:

It's actually not a contradiction at all (and adding it to the Q&A makes sense).
There are perfectly good reasons (tinfoil hat crowd excepted <VBG>) for choosing either WG or DM deployment for either TMG or Exch Edge. The decision to choose one or the other has to be taken in the context of your own deployment, the business needs and the threat model you apply to them. Do various people feel strongly about placing DM at the edge of the network? You betcha, and that's not about to change anytime soon.

1. Exch Edge role *alone* as a DM offers a potentially larger network attack surface because the Windows firewall (as good as it is) is still not as "application intelligent" as TMG. The counter-argument that deploying it as a WG reduces the extended attack surface (you didn't think "attack surface" was limited to the computer under evaluation, did you?) to your AD is true, but in this specific case, this point is offset by the fact that you're replicating accounts to the local ADAM (LDS, for WS08) instance. Thus, a compromised Exch Edge deployment still offers visibility into your user accounts, making auth attacks that much easier to mount (depending on your password policies, of course).

[Thor] The local ADAM instance contains recipient email address information, not account name information. Only if one had the email addresses the same as the account names would this be an issue, which would exist in either case as an individual would know account information based on organization emails. DM/WG, ADAM or not, does not impact the decision from a security standpoint. Edge ADAM replication is based on LDP, not "full" AD authentication... If one made the edge server a domain member, it would require far more protocols to be opened to authentication servers, particularly if the goal is to simplify management, as outbound rules would have to be created as well, including outbound auth, which *greatly* reduces security. This exists "outside" of the Edge Role services. [/Thor]

2.
Exch Edge deployed concurrent with TMG offers the advantages of a much smaller attack surface with the centralized management of all TMG-concurrent Exch Edge servers. While it's true that any compromised edge-deployed DM offers visibility into the AD structure, a TMG-concurrent Exch Edge deployment is less threatened than an Exch Edge deployment by itself.

[Thor] *ANYTHING* deployed concurrently with TMG would offer those advantages. This would be the case with or without domain membership, and is not bound to server role. This example simply reduces the inherent risks of having the edge server be a domain member when TMG is deployed concurrently, but does nothing to substantiate any perceived benefits of the server being a domain member. The same could be said for a web server, IIS box, or Quake server. [/Thor]

3. Tom did an excellent job of thinking through the major issues with deploying ISA as a DM in his article at isaserver.org (http://www.isaserver.org/tutorials/Debunking-Myth-that-ISA-Firewall-Should-Not-Domain-Member.html). This should be part of your considerations when evaluating Exch Edge deployments as well; especially those that include TMG.

[Thor] "At no time shall my fingers leave my hand..." SQL Server, when deployed as a domain member, has many benefits not offered by WG. But one cannot simply say that Exchange Edge inherits the same type of benefits in the same manner simply by also being a DM. Different services, different goals. ISA/TMG being a domain member, and the benefits therein, have nothing to do with Edge, as Edge doesn't do the same thing as TMG. [/Thor]

If deploying Exch Edge on a DM causes a fault in your security model, then it's also possible (maybe even likely) that deploying TMG as a DM has a similar effect; especially when deploying them together on the same machine. This is a perfect example of where the business needs and the threat model come together to force decisions that contradict "best practices".

[Thor] Again, I disagree.
TMG as a domain member allows for domain-based authentication of rules to users and groups in multiple authentication/protocol models. Edge does not benefit from membership choices. I really want to drive this point home: the TMG services themselves -- the role of the server itself -- offer increased security options and methods when the server is a domain member. Edge does not. There is nothing about the Edge services themselves that is affected by the domain membership. DM or WG, you still have to provide an account to LDAP for local ADAM if you choose to do so. Authentication mechanisms to hub transports are not affected, and rules need to be created on your intra-edge box to support these mechanisms, irrespective of DM or WG. Can you more easily *manage* the box? Sure - at the price of reduced security.

With or without ADAM, with or without TMG, there is nothing about deploying an Exchange Edge server as a DM that increases the security of the role itself. There are *several* security risks that ARE introduced by making it a DM, such as:

- Required authentication and management traffic into/out of the internal network.
- Cached domain credentials on the server itself -- even if not cached, the machine's account allows for leverage of exploitation on internal assets even if a vulnerability requires authentication. Measures can be taken to reduce these risks, but they MUST be taken if a DM, not so if a WG.
- Domain credentials/tokens will very likely be in memory and can be leveraged by an attacker, particularly if someone is logged on to the console of the box, or if services are running under domain credentials.
- Any user anywhere in the forest, or trusted entities, will be an "authenticated user."
In summary, making an Exchange Edge server (or any other edge asset) a domain member, where doing so doesn't explicitly increase the security posture and/or features of the core services, reduces overall security of the asset, regardless of what bolt-on measures you put in place to mitigate those risks. [/Thor]

t

-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Han Valk
Sent: Saturday, August 15, 2009 11:54 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: New Articles on Tales

http://www.ISAserver.org
-------------------------------------------------------

As far as I know Exchange Edge is to be installed on a workgroup server while TMG does its best job when domain joined. So this is a bit of a contradiction to me. I would love to see guidance from Microsoft on that. Maybe this can be added to the Q&A in Understanding Email Protection on TMG.

Han.

> -----Original Message-----
> From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
> On Behalf Of Jim Harrison
> Sent: Sunday, August 16, 2009 00:35
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] New Articles on Tales
>
> http://blogs.technet.com/isablog/archive/2009/08/15/new-tales-from-the-edge-articles.aspx

------------------------------------------------------
List Archives: //www.freelists.org/archives/isalist/
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server Articles and Tutorials: http://www.isaserver.org/articles_tutorials/
ISA Server Blogs: http://blogs.isaserver.org/
------------------------------------------------------
Visit TechGenix.com for more information about our other sites: http://www.techgenix.com
------------------------------------------------------
To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
Report abuse to listadmin@xxxxxxxxxxxxx
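The exposures Thor attributes to a domain-member edge server (a machine account that can authenticate inside the forest, services started under domain credentials, cached domain logons, and the credentials of whoever is logged on to the console) can each be checked on the host itself. The PowerShell below is an added audit example written for this thread; it is not code from the list, from any of the posters, or from Microsoft. It assumes it is run locally on the edge server with administrator rights on a Windows Server 2008-era host (PowerShell 2.0, WMI available), and the function names Test-LocalServiceAccount and Test-EdgeDomainExposure are my own. It reports findings so they can be weighed against your own threat model, which is the point both Jim and Thor agree on.

```powershell
# Added audit example for the DM vs WG discussion above; not code from the list,
# the posters or Microsoft. Assumptions: run locally on the edge host as an
# administrator, Windows Server 2008-era PowerShell 2.0 with WMI available.

function Test-LocalServiceAccount {
    # True when a service's StartName is a built-in or machine-local identity.
    param([string]$StartName)
    if (-not $StartName) { return $true }           # empty StartName means LocalSystem
    $localPatterns = @(
        '^LocalSystem$',
        '^NT AUTHORITY\\',                            # LocalService / NetworkService
        '^NT SERVICE\\',                              # per-service virtual accounts
        '^\.\\',                                      # .\account (local user)
        ('^' + [regex]::Escape($env:COMPUTERNAME) + '\\')
    )
    foreach ($pattern in $localPatterns) {
        if ($StartName -match $pattern) { return $true }
    }
    return $false                                    # DOMAIN\account or account@domain
}

function Test-EdgeDomainExposure {
    $cs = Get-WmiObject -Class Win32_ComputerSystem

    # 1. Domain membership: the machine account is a usable identity in the forest.
    $isMember = [bool]$cs.PartOfDomain

    # 2. Services started with domain credentials keep a domain token resident on the edge.
    $domainServices = @(Get-WmiObject -Class Win32_Service |
        Where-Object { -not (Test-LocalServiceAccount $_.StartName) } |
        Select-Object Name, StartName, State)

    # 3. Cached domain logons (Winlogon\CachedLogonsCount; Windows defaults to 10 when absent).
    $cachedLogons = 10
    $winlogon = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' `
        -Name CachedLogonsCount -ErrorAction SilentlyContinue
    if ($winlogon -and $winlogon.CachedLogonsCount -ne $null) {
        $cachedLogons = [int]$winlogon.CachedLogonsCount
    }

    # 4. Interactive (LogonType 2) and RDP (LogonType 10) sessions: someone is on the console.
    $interactive = @(Get-WmiObject -Class Win32_LogonSession |
        Where-Object { $_.LogonType -eq 2 -or $_.LogonType -eq 10 })

    $findings = @()
    if ($isMember) {
        $findings += "Domain member of '$($cs.Domain)': the machine account can authenticate to internal assets."
        if ($cachedLogons -gt 0) {
            $findings += "CachedLogonsCount=$cachedLogons: domain credentials can be cached on this host."
        }
    } else {
        $findings += "Workgroup member ('$($cs.Workgroup)'): no machine account exists in the forest."
    }
    foreach ($svc in $domainServices) {
        $findings += "Service '$($svc.Name)' runs as '$($svc.StartName)' ($($svc.State)): domain token resident on the edge."
    }
    if ($interactive.Count -gt 0) {
        $findings += "$($interactive.Count) interactive/RDP logon session(s): credentials of logged-on users are resident on this host."
    }

    New-Object PSObject -Property @{
        ComputerName     = $cs.Name
        DomainMember     = $isMember
        Domain           = $cs.Domain
        DomainServices   = $domainServices
        CachedLogons     = $cachedLogons
        InteractiveCount = $interactive.Count
        Findings         = $findings
    }
}

# Usage: print each finding; the returned object can be kept with the change record.
$report = Test-EdgeDomainExposure
$report.Findings | ForEach-Object { Write-Output $_ }
```

On a workgroup edge server the script should report only the workgroup line and, at most, built-in service accounts; every additional finding on a domain-member edge is one of the "measures that MUST be taken" Thor describes, so the output doubles as a hardening checklist for the DM case (set CachedLogonsCount to 0, remove domain accounts from service logons, keep interactive sessions off the box).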