[isalist] Re: New Articles on Tales

  • From: "Thor (Hammer of God)" <thor@xxxxxxxxxxxxxxx>
  • To: ISA Mailing List <isalist@xxxxxxxxxxxxx>
  • Date: Sun, 16 Aug 2009 13:14:15 -0300

http://www.ISAserver.org
-------------------------------------------------------

Doing anything "ill-informed" is not advisable.  Specifically to this example, 
an ill-informed person making an Edge role server a domain member is just as 
bad as an ill-informed person making the server a WG member.  

I'm commenting on the fact that Jim specifically stated that those who are 
concerned about the security of a domain member on edge assists are members of 
a "tinfoil hat crowd," and that he did so without offering any technical reason 
as to why.  Obviously, if a given security method increases security, then 
(as you said), do it.  If there are vampires in your server room, then hang 
garlic on your rack.  But the automatic classification of a particular 
deployment method as paranoid or foolish is just as bad as the classification 
itself.

I'll throw it over to you as well then:  How does making your Exchange Edge 
role server (obviously, deployed on the edge, and 'edge' meaning external, on 
the Internet side of your DMZ) improve your overall security posture?

t

-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Thomas W Shinder
Sent: Sunday, August 16, 2009 8:40 AM
To: ISA Mailing List
Subject: [isalist] Re: New Articles on Tales

http://www.ISAserver.org
-------------------------------------------------------
  
Ah, but just because idgets work in the enterprise and enforce their 
ill-informed opinion doesn't make it "right" or "better". From what I've seen, 
they have a checkbox in which to place a checkmark, and that's about it. If you 
try to enter a discussion about how domain members at the edge aren't the 
security issue their collective incubi scared them about, you get a blank face. 
There are lots of things I see in the "real world" that don't qualify as 
thoughtful, best practices or otherwise outright thoughtless.

Sure, if there's no reason to make something a domain member don't. But if you 
improve your *overall* security posture by doing so, then do it. It's just a 
matter of looking at all the pieces, not just the checkbox.

In spite of all this, you're still kind of a big deal ;)

____________________________________________
TOM SHINDER   |   Sr. Consultant/Technical Writer 
206.443.1117   |   SHINDER@xxxxxxxxxxxxxxx

5701 Sixth Avenue South   |   Seattle, WA 98108  
PROWESS   |   WWW.PROWESSCORP.COM
____________________________________________


> -----Original Message-----
> From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
> On Behalf Of Thor (Hammer of God)
> Sent: Sunday, August 16, 2009 10:14 AM
> To: ISA Mailing List
> Subject: [isalist] Re: New Articles on Tales
> 
> http://www.ISAserver.org
> -------------------------------------------------------
> 
> It is *hardly* a tinfoil hat crowd.  It's called "security in depth" and 
> "least privilege." The local ADAM instance provides the necessary 
> functionality to the edge role server, thus reducing some of the REAL threats 
> and the perceived benefit of making it a domain member. Exchange Edge doesn't 
> "support" WG membership, it is specifically designed to provide that 
> functionality based on "real world" issues that are present in true 
> enterprise topologies.
> 
> Do whatever you want to do to suit your needs, but don't call people who have 
> to consider the security ramifications of infrastructure designs beyond "mom 
> and pop" as "tinfoil hat crowd."  It's insulting.
> 
> t
> 
> 
> 
> -----Original Message-----
> From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
> On Behalf Of Jim Harrison
> Sent: Sunday, August 16, 2009 7:32 AM
> To: ISA Mailing List
> Subject: [isalist] Re: New Articles on Tales
> 
> http://www.ISAserver.org
> -------------------------------------------------------
> 
> There is no "always" or "never" to either of them. It's situational and 
> requires that the deployment team perform their own threat modeling.
> Exchange supports placing the edge role on a WG server to appease the "no 
> domain members at the edge" tinfoil hat crowd, but when you combine it with 
> TMG, the attack surface and thus the perceived threat of having the Exch edge 
> role as a domain member is greatly reduced; even over that offered by Windows 
> Firewall policies.
> 
> Jim
> 
> -----Original Message-----
> From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
> On Behalf Of Han Valk
> Sent: Saturday, August 15, 2009 11:54 PM
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] Re: New Articles on Tales
> 
> http://www.ISAserver.org
> -------------------------------------------------------
> 
> As far as I know Exchange Edge is to be installed on a workgroup server while 
> TMG does its best job when domain joined. So this is a bit of a contradiction 
> to me. I would love to see guidance from Microsoft on that. Maybe this can be 
> added to the Q&A in Understanding Email Protection on TMG.
> 
> Han.
> 
> 
> > -----Original Message-----
> > From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
> > On Behalf Of Jim Harrison
> > Sent: Sunday, August 16, 2009 00:35
> > To: isalist@xxxxxxxxxxxxx
> > Subject: [isalist] New Articles on Tales
> >
> > http://blogs.technet.com/isablog/archive/2009/08/15/new-tales-from-the-
> > edge-articles.aspx
> 
> ------------------------------------------------------
> List Archives: //www.freelists.org/archives/isalist/
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server Articles and Tutorials: 
> http://www.isaserver.org/articles_tutorials/
> ISA Server Blogs: http://blogs.isaserver.org/
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites:
> http://www.techgenix.com
> ------------------------------------------------------
> To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
> Report abuse to listadmin@xxxxxxxxxxxxx