[isalist] Re: New Articles on Tales

  • From: Steven Comeau <scomeau@xxxxxxxxxxxxxxxxxx>
  • To: "isalist@xxxxxxxxxxxxx" <isalist@xxxxxxxxxxxxx>
  • Date: Mon, 17 Aug 2009 10:37:14 -0400

Perhaps a ring and not a room....

Steve Comeau
Associate Director of IT  Rutgers Athletics
83 Rockafeller Road
Piscataway, NJ  08854
732-445-7802
732-445-4623 (fax)
www.scarletknights.com






From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Jerry Young
Sent: Monday, August 17, 2009 10:12 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: New Articles on Tales

Damn, guys... think maybe you should have gotten a room? :)

And here I thought all of yas were BFFs. :D

Thor, I never took offense at what Jim was driving at (maybe I'm thick 
skinned??).  I certainly didn't take it as "people who think installing Edge 
(or anything) as a WG instead of a DM are a 'tinfoil hat crowd'".  I 
interpreted it (perhaps added to it??) as "people who think you must always, 
absolutely, are completely ignorant and stupid for not installing as a WG 
instead of a DM are a 'tinfoil hat crowd'".

The simple fact of the matter is that very few small/medium businesses are 
mature when it comes to security.  I don't have any supporting numbers but my 
guess would be that most run in an Internet, Edge, Lan topology, if that.

My current client is a financial company that manages around $11 billion in 
capital resources.  If I went to the CIO and said that they must build out a 
fully fledged, edge completely separated, traffic tightly controlled edge 
network topology and took serious issue with them for not doing so, I wouldn't 
keep them as a client for long.  The best I can possibly do is simply warn them 
of their risks (which I have) and work with them as they mature to make it more 
secure.

I got clobbered for being hardnosed about making an App Pool identity for a web 
application accessible from the Internet an Administrator of the local server, 
which was a domain member!  And I mean clobbered!  The client's need for 
usability outweighed their perceived need for security in that instance and I 
was told to, not so kindly, go pound sand.

While your reasoning for how making a box a DM reduces security provides some 
solid examples, "security-adverse" users might respond as follows:

-Required authentication and management traffic into/out of the internal 
network.
How is this a risk?  How is it quantifiable?  Can a successful attack be 
demonstrated?  Would an attacker find the effort worth the end results?  How 
else might this be mitigated, aside from simply making the machine a WG member?

-Cached domain credentials on the server itself -- even if not cached, the 
machine's account allows for leverage of  exploitation on internal assets even 
if a vulnerability requires authentication.  Measures can be taken to reduce 
these risks, but they MUST be taken if a DM, not so if a WG.
What would it take to exploit this and can a successful attack be demonstrated?
How are local cached credentials any more secure than domain cached
credentials?  If hacked, the box still provides a platform for further attacks,
even if a potential key to the domain isn't there.  What would be the complete 
set of steps to use to mitigate this risk, aside from making the machine a WG 
member?

-Domain credentials/tokens will very likely be in memory and can be leveraged 
by an attacker, particularly if someone is logged on to the console of the box, 
or if services are running under domain credentials.
Again, how is this quantifiable?  Can a successful attack be demonstrated?

-any user anywhere in the forest, or trusted entities, will be an 
"authenticated user."
Can't this default behavior be changed with regards to what an authenticated 
user has access to?  Wouldn't it make more sense to understand the rights users 
need based on roles and assign accessibility accordingly rather than dumping the
box in its own WG?

Regardless of the side I take on the usability versus security argument, 
however, I am always told to prove by demonstration my stance.  That's the 
frustrating part!  And that's why people like me look to Microsoft (or any 
vendor) who provides software for specific guidance.

So, while I found the exchange here entertaining, it really didn't help me out 
too much; I saw reflected my own struggles with exploring and explaining the 
usability/security relationship.  I do like the idea of fleshing out some of 
the scenarios you and Jim traded, however, as samples of when to use which 
approach; what I think might be helpful to the community at large is to put 
together a list of risks and methods of mitigation.  Then you simply let the 
clients choose which best fits their needs and budget.

Just my $.02, which isn't worth much, I know. ;)
On Mon, Aug 17, 2009 at 8:40 AM, Amy Babinchak <amy@xxxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
http://www.ISAserver.org
-------------------------------------------------------

Doesn't matter really. The point is that Microsoft has a released firewall 
product called TMG with the EE installed on the domain member server. It's the 
same enough.

thanks,

Amy Babinchak

Harbor Computer Services | 248-850-8616 | Mobile 248-890-1794
Web: http://www.harborcomputerservices.net
Client Blog: http://smalltechnotes.blogspot.com
Tech Blog: http://securesmb.harborcomputerservices.net
Buy My House: http://www.HomesByOwner.com/15490
Are you an IT Pro?  http://www.thirdtier.net


-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On
Behalf Of Steve Moffat
Sent: Monday, August 17, 2009 8:38 AM
To: ISA Mailing List
Subject: [isalist] Re: New Articles on Tales

http://www.ISAserver.org
-------------------------------------------------------

Not the same TMG....

-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On
Behalf Of Amy Babinchak
Sent: Monday, August 17, 2009 9:35 AM
To: ISA Mailing List
Subject: [isalist] Re: New Articles on Tales

http://www.ISAserver.org
-------------------------------------------------------

Microsoft has a released product where the TMG (with EBS) also running the 
Exchange 2007 Edge role is a domain member.

thanks,

Amy Babinchak


-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On
Behalf Of Han Valk
Sent: Monday, August 17, 2009 1:37 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: New Articles on Tales

http://www.ISAserver.org
-------------------------------------------------------

Ok I understand, that still leaves the point that some 'official' guidance from 
Microsoft would be nice.

Han.

________________________________
From: isalist-bounce@xxxxxxxxxxxxx [isalist-bounce@xxxxxxxxxxxxx] On Behalf
Of Jim Harrison [Jim@xxxxxxxxxxxx]
Sent: Sunday, August 16, 2009 4:32 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: New Articles on Tales

http://www.ISAserver.org
-------------------------------------------------------

There is no "always" or "never" to either of them. It's situational and 
requires that the deployment team perform their own threat modeling.
Exchange supports placing the edge role on a WG server to appease the "no 
domain members at the edge" tinfoil hat crowd, but when you combine it with 
TMG, the attack surface and thus the perceived threat of having the Exch edge 
role as a domain member is greatly reduced; even over that offered by Windows 
Firewall policies.

Jim

-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On
Behalf Of Han Valk
Sent: Saturday, August 15, 2009 11:54 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: New Articles on Tales

http://www.ISAserver.org
-------------------------------------------------------

As far as I know Exchange Edge is to be installed on a workgroup server while 
TMG does its best job when domain joined. So this is a bit of a contradiction 
to me. I would love to see guidance from Microsoft on that. Maybe this can be 
added to the Q&A in Understanding Email Protection on TMG.

Han.


> -----Original Message-----
> From: isalist-bounce@xxxxxxxxxxxxx
> [mailto:isalist-bounce@xxxxxxxxxxxxx]
> On Behalf Of Jim Harrison
> Sent: Sunday, August 16, 2009 00:35
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] New Articles on Tales
>
> http://blogs.technet.com/isablog/archive/2009/08/15/new-tales-from-the-edge-articles.aspx

------------------------------------------------------
List Archives: //www.freelists.org/archives/isalist/
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server Articles and Tutorials: http://www.isaserver.org/articles_tutorials/
ISA Server Blogs: http://blogs.isaserver.org/
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
Report abuse to listadmin@xxxxxxxxxxxxx













--
Cordially yours,
Jerry G. Young II
Microsoft Certified Systems Engineer
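The items Thor listed and Jerry asks how to quantify (cached domain credentials, domain tokens held in memory by services and console sessions, domain principals with local rights) can at least be inventoried on the server in question, which is the starting point for the "prove by demonstration" request. The following PowerShell script is an added example, not code from anyone on this list or from Microsoft; it assumes a Windows host with PowerShell 3.0 or later and reads only documented sources (Win32_ComputerSystem, the Winlogon CachedLogonsCount registry value, Win32_Service, the local Administrators group through the WinNT ADSI provider, and Win32_LogonSession). The function name Get-DomainMemberRiskReport and the "domain versus local" heuristics in it are my own.

```powershell
# Added example (not from any poster on this thread): inventory, on the local
# server, the domain-membership exposures discussed above. Assumes PowerShell
# 3.0+ (Get-CimInstance, -in). Run elevated so WMI/ADSI return full data.

function Get-DomainMemberRiskReport {
    [CmdletBinding()]
    param()

    $cs = Get-CimInstance -ClassName Win32_ComputerSystem

    # 1. Domain member (DM) or workgroup (WG)?
    $isDomainMember = [bool]$cs.PartOfDomain

    # 2. Cached domain logons. CachedLogonsCount is a REG_SZ under Winlogon;
    #    "0" means no domain credentials are cached locally. When the value is
    #    absent Windows uses its documented default of 10.
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $cached = (Get-ItemProperty -Path $winlogon -Name CachedLogonsCount `
                -ErrorAction SilentlyContinue).CachedLogonsCount
    if ($null -eq $cached) { $cached = '10' }

    # 3. Services running under accounts that are neither built-in nor local.
    #    Their tokens live in memory on this host for as long as they run.
    #    Heuristic (assumption): anything not matching these prefixes is a
    #    domain account.
    $builtin = '^(LocalSystem|NT AUTHORITY\\|NT SERVICE\\|\.\\|' +
               [regex]::Escape($env:COMPUTERNAME) + '\\)'
    $domainServices = Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.StartName -and $_.StartName -notmatch $builtin } |
        Select-Object Name, StartName, State

    # 4. Members of the local Administrators group that are not local accounts.
    #    The WinNT provider is used because it exists on old and new builds;
    #    ADsPath looks like WinNT://DOMAIN/name or WinNT://COMPUTER/name.
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
    $members = @($group.psbase.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null) -replace '^WinNT://', ''
    })
    $domainAdminMembers = @($members | Where-Object { $_ -notlike "*$env:COMPUTERNAME/*" })

    # 5. Interactive (type 2) and RemoteInteractive (type 10) sessions: a user
    #    logged on at the console or over RDP keeps a token in memory.
    $sessions = Get-CimInstance -ClassName Win32_LogonSession |
        Where-Object { $_.LogonType -in 2, 10 }
    $interactiveUsers = foreach ($s in $sessions) {
        Get-CimAssociatedInstance -InputObject $s -Association Win32_LoggedOnUser |
            ForEach-Object { $_.Caption }   # Win32_Account.Caption is DOMAIN\name
    }

    [pscustomobject]@{
        ComputerName          = $cs.Name
        DomainMember          = $isDomainMember
        Domain                = $cs.Domain
        CachedLogonsCount     = [int]$cached
        DomainServiceAccounts = $domainServices
        DomainAdminsLocal     = $domainAdminMembers
        InteractiveSessions   = @($interactiveUsers | Sort-Object -Unique)
    }
}

# Usage: produce the inventory for this host.
$report = Get-DomainMemberRiskReport
$report | Format-List
```

On a workgroup box the report comes back with DomainMember false, no domain service accounts and no domain principals in Administrators, which is the whole of Thor's argument in one screen; on a domain member each non-empty field is a concrete mitigation task (set CachedLogonsCount to 0 where the edge box needs no cached logons, run services under local or virtual accounts, trim the Administrators group to role-based membership, and keep console sessions off the box) that can be put in front of a client instead of an abstract "DM is riskier".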

***  This message contains confidential information and is
intended only for the individual named. If you are not the
named addressee, you should not disseminate, distribute or
copy this e-mail. Please notify the sender immediately by
e-mail if you have received this e-mail by mistake and delete
this e-mail from your system. E-mail transmission cannot be
guaranteed to be secure or error-free as information could be 
intercepted, corrupted, lost, destroyed, arrive late or
incomplete, or contain viruses.  The sender therefore does not
accept liability for any errors or omissions in the contents of
this message, which arise as a result of e-mail transmission.
If verification is required please request a hard-copy version.
Rutgers University - DIA
83 Rockafeller Road
Piscataway, NJ 08854
www.scarletknights.com *** 
