[isalist] Re: New Articles on Tales

  • From: Greg Mulholland <greg@xxxxxxxxxxxxxx>
  • To: ISA Mailing List <isalist@xxxxxxxxxxxxx>
  • Date: Sun, 16 Aug 2009 20:12:28 -0300

For my 2c I read the deployment scenarios for Exchange with interest and came 
to the conclusion that without re-drawing our security policy (which we clearly 
don't have the inkling, need or time to do) we would have to define a 
model to fit within our environment. Personally I would weigh up the pros 
and cons of a DM vs WG solution and choose the best fit for our environment. 
Having said that I can't remember seeing a DM type scenario deployed at the edge 
that didn't open a greater attack surface than using WG and securing 
connections to the LAN using other methods. The benefits of management to me are 
a side issue and are not really the basis on which I make my security related 
deployments. Maybe I am lucky that I can afford to look at the security posture 
first and design from there; others may not be so lucky but that's how I roll.


Basically it came down to: do the supported deployment scenarios fit into our 
security model? If so then that's how we do it. If not then we look at using 
a custom made edge solution (which we currently use) and they won't get an edge 
license out of us!

Greg
________________________________________
From: isalist-bounce@xxxxxxxxxxxxx [isalist-bounce@xxxxxxxxxxxxx] On Behalf Of 
Thor (Hammer of God) [thor@xxxxxxxxxxxxxxx]
Sent: Monday, 17 August 2009 6:46 AM
To: ISA Mailing List
Subject: [isalist] Re: New Articles on Tales

http://www.ISAserver.org
-------------------------------------------------------

In line:

-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Jim Harrison
Sent: Sunday, August 16, 2009 12:49 PM
To: ISA Mailing List
Subject: [isalist] Re: New Articles on Tales

http://www.ISAserver.org
-------------------------------------------------------

Answer to Han, take 2:

It's actually not a contradiction at all (and adding it to the Q&A makes sense).
There are perfectly good reasons (tinfoil hat crowd excepted <VBG>) for 
choosing either WG or DM deployment for either TMG or Exch Edge.
The decision to choose one or the other has to be taken in the context of your 
own deployment, the business needs and the threat model you apply to them. Do 
various people feel strongly about placing DM at the edge of the network? - you 
betcha and that's not about to change anytime soon.

1. Exch Edge role *alone* as a DM offers a potentially larger network attack 
surface because the Windows firewall (as good as it is) is still not as 
"application intelligent" as TMG. The counter-argument that deploying it as a 
WG reduces the extended attack surface (you didn't think "attack surface" was 
limited to the computer under evaluation, did you?) to your AD is true, but in 
this specific case, this point is offset by the fact that you're replicating 
accounts to the local ADAM (LDS, for WS08) instance. Thus, a compromised Exch 
Edge deployment still offers visibility into your user accounts, making auth 
attacks that much easier to mount (depending on your password policies, of 
course).

[Thor] - the local ADAM instance contains recipient email address information, 
not account name information.  Only if one had the email addresses the same as 
the account names would this be an issue, which would exist in either case as 
an individual would know account information based on organization emails.  
DM/WG, ADAM or not, does not impact the decision from a security standpoint. 
Edge ADAM replication is based on LDP, not "full" AD authentication... If one 
made the edge server a domain member, it would require far more protocols to be 
opened to authentication servers, particularly if the goal is simply 
management, as outbound rules would have to be created as well, including 
outbound auth, which *greatly* reduces security.  This exists "outside" of the 
Edge Role services.
[/Thor]

2. Exch Edge deployed concurrent with TMG offers the advantages of a much 
smaller attack surface with the centralized management of all TMG-concurrent 
Exch Edge servers. While it's true that any compromised edge-deployed DM offers 
visibility into the AD structure, a TMG-concurrent Exch Edge deployment is less 
threatened than an Exch Edge deployment by itself.

[Thor]  *ANYTHING* deployed concurrently with TMG would offer those advantages. 
This would be the case with or without domain membership, and is not bound to 
server role.  This example simply reduces the inherent risks of having the edge 
server be a domain member when TMG is deployed concurrently, but does nothing 
to substantiate any perceived benefits of the server being a domain member.  
The same could be said for a web server, IIS box, or Quake server.
[/Thor]

3. Tom did an excellent job of thinking through the major issues with deploying 
ISA as a DM in his article at isaserver.org 
(http://www.isaserver.org/tutorials/Debunking-Myth-that-ISA-Firewall-Should-Not-Domain-Member.html).
This should be part of your considerations when evaluating Exch Edge 
deployments as well; especially those that include TMG.

[Thor]  "At no time shall my fingers leave my hand..."  SQL server, when 
deployed as domain member, has many benefits not offered by WG.  But one cannot 
simply say that Exchange Edge inherits the same type of benefits in the same 
manner simply by also being a DM.  Different services, different goals.  
ISA/TMG being a domain member, and the benefits therein, have nothing to do 
with Edge, as Edge doesn't do the same thing as TMG.
[/Thor]

If deploying Exch Edge on a DM causes a fault in your security model, then it's 
also possible (maybe even likely) that deploying TMG as a DM has a similar 
effect; especially when deploying them together on the same machine. This is a 
perfect example of where the business needs and the threat model come together 
to force decisions that contradict "best practices".

[Thor]  Again, I disagree.  TMG as a domain member allows for domain-based 
authentication of rules to users and groups in multiple authentication/protocol 
models.  Edge does not benefit from membership choices.  I really want to drive 
this point home:

The TMG services themselves -- the role of the server itself -- offer 
increased security options and methods when the server is a domain member.  
Edge does not.  There is nothing about the Edge services themselves that is 
affected by the domain membership.  DM or WG, you still have to provide an 
account to LDAP for local ADAM if you choose to do so.  Authentication 
mechanisms to hub transports are not affected, and rules need to be created on 
your intra-edge box to support these mechanisms, irrespective of DM or WG.  Can 
you more easily *manage* the box?  Sure - at the price of reduced security.

With or without ADAM, with or without TMG, there is nothing about deploying an 
Exchange Edge server as a DM that increases the security of the role itself.  
There are *several* security risks that ARE introduced by making it a DM such 
as:

-Required authentication and management traffic into/out of the internal 
network.
-Cached domain credentials on the server itself -- even if not cached, the 
machine's account allows for leverage of exploitation on internal assets even 
if a vulnerability requires authentication.  Measures can be taken to reduce 
these risks, but they MUST be taken if a DM, not so if a WG.
-Domain credentials/tokens will very likely be in memory and can be leveraged 
by an attacker, particularly if someone is logged on to the console of the box, 
or if services are running under domain credentials.
-Any user anywhere in the forest, or trusted entities, will be an 
"authenticated user."

In summary, making an Exchange Edge server (or any other edge asset) a domain 
member, where doing so doesn't explicitly increase the security posture and/or 
features of the core services, reduces overall security of the asset, 
regardless of what bolt-on measures you put in place to mitigate those risks.
[/Thor]

t
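A defender-side check that follows from the risk list in Thor's reply, added here as an example and not part of the thread or of any Microsoft guidance: a read-only PowerShell audit that reports whether the server is a domain member, whether domain logons are cached locally, which services run under domain accounts, and how many interactive sessions are present on the box. The function name Get-EdgeDomainExposure is my own; the script assumes Windows PowerShell running with local administrator rights on the edge server being reviewed.

```powershell
# Added example, not from the list thread. Read-only audit of an edge server
# for the domain-membership risk factors discussed above. Assumed: run locally
# with administrator rights; nothing is changed on the machine.

function Get-EdgeDomainExposure {
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    # CachedLogonsCount is stored as a REG_SZ; Windows default is 10.
    $cached = (Get-ItemProperty -Path $winlogon -Name CachedLogonsCount `
        -ErrorAction SilentlyContinue).CachedLogonsCount

    # Services whose logon account looks like a domain principal
    # (DOMAIN\user or user@domain), excluding built-in and local accounts.
    $domainSvc = Get-CimInstance -ClassName Win32_Service |
        Where-Object {
            $_.StartName -and
            $_.StartName -notmatch '^(LocalSystem|NT AUTHORITY\\.*|NT SERVICE\\.*|\.\\.*)$' -and
            $_.StartName -notlike "$($cs.Name)\*" -and
            ($_.StartName -match '\\' -or $_.StartName -match '@')
        } |
        Select-Object Name, StartName, State

    # Interactive sessions on the box; quser prints a header line first.
    $sessions = @()
    if (Get-Command quser -ErrorAction SilentlyContinue) {
        $sessions = @(quser 2>$null | Select-Object -Skip 1)
    }

    [pscustomobject]@{
        ComputerName          = $cs.Name
        PartOfDomain          = $cs.PartOfDomain
        Domain                = $cs.Domain
        CachedLogonsCount     = $cached
        DomainServiceAccounts = $domainSvc
        InteractiveSessions   = $sessions.Count
    }
}

$report = Get-EdgeDomainExposure
$report | Format-List

# Map findings back to the risks raised in the thread.
if ($report.PartOfDomain) {
    Write-Warning "Domain member: expect auth/management traffic to internal DCs; review the firewall rules that permit it."
    if ($report.CachedLogonsCount -ne '0') {
        Write-Warning "CachedLogonsCount=$($report.CachedLogonsCount): domain credentials are cached on this server."
    }
    if ($report.DomainServiceAccounts) {
        Write-Warning "Services running under domain accounts (their tokens are resident in memory):"
        $report.DomainServiceAccounts | Format-Table -AutoSize
    }
    if ($report.InteractiveSessions -gt 0) {
        Write-Warning "$($report.InteractiveSessions) interactive session(s): logged-on domain tokens are likely resident."
    }
}
```

On a workgroup server the function still runs and simply reports PartOfDomain as False with no domain service accounts, which is the baseline the thread argues for; on a domain member the warnings are the items that need explicit mitigation rather than a verdict.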

-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Han Valk
Sent: Saturday, August 15, 2009 11:54 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: New Articles on Tales

http://www.ISAserver.org
-------------------------------------------------------

As far as I know Exchange Edge is to be installed on a workgroup server while 
TMG does its best job when domain joined. So this is a bit of a contradiction 
to me. I would love to see guidance from Microsoft on that. Maybe this can be 
added to the Q&A in Understanding Email Protection on TMG.

Han.


> -----Original Message-----
> From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
> On Behalf Of Jim Harrison
> Sent: Sunday, August 16, 2009 00:35
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] New Articles on Tales
>
> http://blogs.technet.com/isablog/archive/2009/08/15/new-tales-from-the-
> edge-articles.aspx

------------------------------------------------------
List Archives: //www.freelists.org/archives/isalist/
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server Articles and Tutorials: http://www.isaserver.org/articles_tutorials/
ISA Server Blogs: http://blogs.isaserver.org/
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
Report abuse to listadmin@xxxxxxxxxxxxx
