Perhaps a ring and not a room....

Steve Comeau
Associate Director of IT
Rutgers Athletics
83 Rockafeller Road
Piscataway, NJ 08854
732-445-7802
732-445-4623 (fax)
www.scarletknights.com

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Jerry Young
Sent: Monday, August 17, 2009 10:12 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: New Articles on Tales

Damn, guys... think maybe you should have gotten a room? :) And here I thought all of yas were BFFs. :D

Thor, I never took offense at what Jim was driving at (maybe I'm thick skinned??). I certainly didn't take it as "people who think installing Edge (or anything) as a WG instead of a DM are a 'tinfoil hat crowd'". I interpreted it (perhaps added to it??) as "people who think you must always, absolutely, are completely ignorant and stupid for not installing as a WG instead of a DM are a 'tinfoil hat crowd'".

The simple fact of the matter is that very few small/medium businesses are mature when it comes to security. I don't have any supporting numbers but my guess would be that most run in an Internet, Edge, Lan topology, if that. My current client is a financial company that manages around $11 billion in capital resources. If I went to the CIO and said that they must build out a fully fledged, edge completely separated, traffic tightly controlled edge network topology and took serious issue with them for not doing so, I wouldn't keep them as a client for long. The best I can possibly do is simply warn them of their risks (which I have) and work with them as they mature to make it more secure. I got clobbered for being hard-nosed about making an App Pool identity for a web application accessible from the Internet an Administrator of the local server, which was a domain member! And I mean clobbered!
The client's need for usability outweighed their perceived need for security in that instance and I was told to, not so kindly, go pound sand.

While your reasoning for how making a box a DM reduces security provides some solid examples, "security-adverse" users might respond as follows:

- Required authentication and management traffic into/out of the internal network.
  How is this a risk? How is it quantifiable? Can a successful attack be demonstrated? Would an attacker find the effort worth the end results? How else might this be mitigated, aside from simply making the machine a WG member?

- Cached domain credentials on the server itself -- even if not cached, the machine's account allows for leverage of exploitation on internal assets even if a vulnerability requires authentication. Measures can be taken to reduce these risks, but they MUST be taken if a DM, not so if a WG.
  What would it take to exploit this and can a successful attack be demonstrated? How are local cached credentials any more secure than domain cached credentials? If hacked, the box still provides a platform for further attacks, even if a potential key to the domain isn't there. What would be the complete set of steps to use to mitigate this risk, aside from making the machine a WG member?

- Domain credentials/tokens will very likely be in memory and can be leveraged by an attacker, particularly if someone is logged on to the console of the box, or if services are running under domain credentials.
  Again, how is this quantifiable? Can a successful attack be demonstrated?

- Any user anywhere in the forest, or trusted entities, will be an "authenticated user."
  Can't this default behavior be changed with regards to what an authenticated user has access to? Wouldn't it make more sense to understand the rights users need based on roles and assign accessibility accordingly rather than dumping the box in its own WG?
Regardless of the side I take on the usability versus security argument, however, I am always told to prove by demonstration my stance. That's the frustrating part! And that's why people like me look to Microsoft (or any vendor) who provides software for specific guidance. So, while I found the exchange here entertaining, it really didn't help me out too much; I saw reflected my own struggles with exploring and explaining the usability/security relationship. I do like the idea of fleshing out some of the scenarios you and Jim traded, however, as samples of when to use which approach; what I think might be helpful to the community at large is to put together a list of risks and methods of mitigation. Then you simply let the clients choose which best fits their needs and budget.

Just my $.02, which isn't worth much, I know. ;)

On Mon, Aug 17, 2009 at 8:40 AM, Amy Babinchak <amy@xxxxxxxxxxxxxxxxxxxxxxxxxx> wrote:

http://www.ISAserver.org
-------------------------------------------------------

Doesn't matter really. The point is that Microsoft has a released firewall product called TMG with the EE installed on the domain member server. It's the same enough.

thanks,
Amy Babinchak
Harbor Computer Services | 248-850-8616 | Mobile 248-890-1794
Phone Number: 248-850-8616
Web http://www.harborcomputerservices.net
Client Blog http://smalltechnotes.blogspot.com
Tech Blog http://securesmb.harborcomputerservices.net
Buy My House: http://www.HomesByOwner.com/15490
Are you an IT Pro?
http://www.thirdtier.net

-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Steve Moffat
Sent: Monday, August 17, 2009 8:38 AM
To: ISA Mailing List
Subject: [isalist] Re: New Articles on Tales

Not the same TMG....

-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Amy Babinchak
Sent: Monday, August 17, 2009 9:35 AM
To: ISA Mailing List
Subject: [isalist] Re: New Articles on Tales

Microsoft has a released product where the TMG (with EBS) also running the Exchange 2007 Edge role is a domain member.

thanks,
Amy Babinchak
Harbor Computer Services | 248-850-8616 | Mobile 248-890-1794
Are you an IT Pro?
http://www.thirdtier.net

-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Han Valk
Sent: Monday, August 17, 2009 1:37 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: New Articles on Tales

Ok I understand, that still leaves the point that some 'official' guidance from Microsoft would be nice.

Han.

________________________________
From: isalist-bounce@xxxxxxxxxxxxx [isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison [Jim@xxxxxxxxxxxx]
Sent: Sunday, August 16, 2009 4:32 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: New Articles on Tales

There is no "always" or "never" to either of them. It's situational and requires that the deployment team perform their own threat modeling. Exchange supports placing the edge role on a WG server to appease the "no domain members at the edge" tinfoil hat crowd, but when you combine it with TMG, the attack surface and thus the perceived threat of having the Exch edge role as a domain member is greatly reduced; even over that offered by Windows Firewall policies.
Jim

-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Han Valk
Sent: Saturday, August 15, 2009 11:54 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: New Articles on Tales

As far as I know Exchange Edge is to be installed on a workgroup server while TMG does its best job when domain joined. So this is a bit of a contradiction to me. I would love to see guidance from Microsoft on that. Maybe this can be added to the Q&A in Understanding Email Protection on TMG.

Han.

> -----Original Message-----
> From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
> On Behalf Of Jim Harrison
> Sent: Sunday, August 16, 2009 00:35
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] New Articles on Tales
>
> http://blogs.technet.com/isablog/archive/2009/08/15/new-tales-from-the-edge-articles.aspx

------------------------------------------------------
List Archives: //www.freelists.org/archives/isalist/
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server Articles and Tutorials: http://www.isaserver.org/articles_tutorials/
ISA Server Blogs: http://blogs.isaserver.org/
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
Report abuse to listadmin@xxxxxxxxxxxxx

--
Cordially yours,
Jerry G. Young II
Microsoft Certified Systems Engineer
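Jerry's message above asks, for each of the domain-member risks Thor listed (cached domain credentials, the machine account, domain tokens in memory from console logons and domain-account services, and what "Authenticated Users" is granted), how the risk can be quantified on a real box and what the mitigation looks like short of making it a workgroup member. A practical first step is to audit exactly those factors on the server in question so the DM-versus-WG decision is made against facts rather than slogans. The PowerShell script below is an added example written for this page; it is not code from the thread, from Microsoft, or from any list member. It assumes Windows PowerShell 5.1 or later, local administrator rights on the server being checked, and that the Microsoft.PowerShell.LocalAccounts module (Get-LocalGroupMember) is present; the function name Get-DomainMemberRiskReport is my own.

```powershell
# Added example (not from the isalist thread): report the domain-membership
# risk factors discussed above so each can be checked and mitigated per server.
# Assumes Windows PowerShell 5.1+, local admin rights, and the
# Microsoft.PowerShell.LocalAccounts module (Get-LocalGroupMember).

function Get-DomainMemberRiskReport {
    [CmdletBinding()]
    param()

    $cs = Get-CimInstance -ClassName Win32_ComputerSystem

    # 1. Cached domain credentials. CachedLogonsCount (REG_SZ, default 10) under
    #    Winlogon controls how many domain logons are cached locally; 0 disables
    #    caching. Only meaningful when PartOfDomain is true.
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $cached = (Get-ItemProperty -Path $winlogon -Name CachedLogonsCount `
                -ErrorAction SilentlyContinue).CachedLogonsCount

    # 2. Services running under anything other than the built-in identities.
    #    A DOMAIN\user StartName means domain credentials and tokens live on this box.
    $builtin = @('LocalSystem', 'NT AUTHORITY\LocalService', 'NT AUTHORITY\NetworkService')
    $domainServices = Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.StartName -and
                       ($builtin -notcontains $_.StartName) -and
                       ($_.StartName -notlike 'NT SERVICE\*') } |
        Select-Object Name, StartName, State

    # 3. Interactive sessions: tokens in memory while someone is logged on to the
    #    console (LogonType 2) or via RDP (LogonType 10).
    $sessions = Get-CimInstance -ClassName Win32_LogonSession |
        Where-Object { $_.LogonType -in 2, 10 }

    # 4. Local Administrators membership, to catch app-pool or service identities
    #    that were granted admin on a domain member (the case Jerry describes).
    $admins = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
        Select-Object Name, ObjectClass, PrincipalSource

    # 5. Which user-rights assignments include Authenticated Users (S-1-5-11).
    #    secedit exports the effective local policy; each matching line is a right.
    $tmp = Join-Path $env:TEMP 'secpol-export.inf'
    secedit /export /cfg $tmp /areas USER_RIGHTS | Out-Null
    $authUserRights = @()
    if (Test-Path $tmp) {
        $authUserRights = Select-String -Path $tmp -Pattern 'S-1-5-11' |
            ForEach-Object { ($_.Line -split '=')[0].Trim() }
        Remove-Item $tmp -ErrorAction SilentlyContinue
    }

    [pscustomobject]@{
        ComputerName            = $cs.Name
        PartOfDomain            = $cs.PartOfDomain
        Domain                  = $cs.Domain
        CachedLogonsCount       = $cached
        DomainAccountServices   = $domainServices
        InteractiveLogonCount   = @($sessions).Count
        LocalAdministrators     = $admins
        AuthenticatedUserRights = $authUserRights
    }
}

# Run on the edge server and review each field against the risks discussed above.
Get-DomainMemberRiskReport | Format-List
```

Each field maps to one of the bullets in Jerry's message: a non-zero CachedLogonsCount on a domain member that never needs offline logon is the cached-credential exposure and can be set to 0; every entry in DomainAccountServices is a domain credential that will be present in LSASS on this host and should be replaced with a local or least-privilege service-specific account where the product allows; InteractiveLogonCount above zero on an edge box is the console-logon exposure; LocalAdministrators shows whether an application identity has been made an admin; and AuthenticatedUserRights lists the rights (for example SeNetworkLogonRight) that a change to the default would need to narrow. None of these checks prove an attack, which is the demonstration Jerry is being asked for, but they turn "a DM is riskier" into a per-server list that can be priced and mitigated without leaving the domain.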