Yeh; dammit; it's Jenyus...

-------------------------------------------------------
Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/Jim_Harrison/
http://isatools.org
Read the help / books / articles!
-------------------------------------------------------

-----Original Message-----
From: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx]
Sent: Friday, October 28, 2005 17:29
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Domain on Edge

http://www.ISAserver.org

You spelled "genius" wrong.... bwaahahaha! Sorry man, I had to. ;)

----- Original Message -----
From: "Joseph Danielsen" <JDanielsen@xxxxxxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Thursday, October 27, 2005 10:09 PM
Subject: [isalist] RE: Domain on Edge

http://www.ISAserver.org

Brother - you can say that again! At 11:30pm, I get a second wind and can't fall asleep (especially after a bad (network) day). At the firehouse, we call this GENIOUS hour. The later it gets, the smarter we become.

Also, you see, I've learned EVERYTHING from fudging through, trial and error, screwing up network services and blaming defenseless people not present to argue...... and I get it all done in the end without reading any books, articles, lists or even HELP. Expert, I tell you. I've gotten so good that I want to teach other people how to do it just like me..... so I'm writing the book now. :) (I kill myself)

Seriously, thank you very much for the excellent material below. My standing ISA 2004 is in Workgroup mode - is it painful to change it to Domain mode? Also, please forward a mailing address for the cigars.

Joseph F. Danielsen, MCSA-Messaging, MCP
Network Blade Inc.
49 Marcy Street
Somerset, NJ 08873
(732) 213-0600
www.NetworkBlade.Com

-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
Sent: Friday, October 28, 2005 12:43 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Domain on Edge

http://www.ISAserver.org

Hi Joseph,

LOL! Man, you are a late night guy, aren't you? You're an hour ahead of me, so it's after midnight. Must be all that crank, eh? :)

Thanks for getting the book!

Funny you should ask such a question. I had planned such an article, but other things came up and it never got done. Can I trade the Beer of the Month Club for Cigar of the Month? My wife won't let me bring beer into the house. Jim can even confirm that!

Here was an outline I drew on a cocktail party napkin after waiting until 2AM for the girls to think that men looked better at that time. Always makes me think girls look better at that time. So here you go -- take it for what it's worth:

Increasing ISA Firewall Security by Joining the Domain

Advantages of domain membership:

* Transparent authentication for Web proxy and Firewall clients
* Integrated authentication for Web proxy and Firewall clients
* User name, application and machine name logging in the ISA firewall's log files
* Full support for user certificate authentication at the ISA firewall
* Pre-authenticate users at the ISA firewall and avoid dual authentication prompts
* Use the Certificates MMC to obtain the machine certificate and CA certificate
* Avoid the use of RADIUS authentication
* Avoid the use of basic authentication
* Avoid the use of SecureNAT client configuration
* Support for all protocols, including those requiring secondary connections
* Support for all protocols, without requiring them to be defined as an ISA firewall Protocol Definition
* Improved management from using ISA firewall OUs
* Greatly simplified management of ISA EE arrays
* Enable ISA firewall Enterprise configurations
* Deploy Enterprise Policies to multiple arrays
* ISA EE multiple CSS locations

Disadvantages of non-domain membership:

* Must mirror user accounts on the ISA firewall
* Must use RADIUS
* Encourages the use of basic authentication
* May require IPSec for client/server communications
* Limited support for user names in log files
* Limited support for computer names in log files
* Limited support for application names in log files
* Unable to use the Certificates MMC to obtain a cert
* CA certificate not automatically added to the Trusted Root machine store
* Unable to authenticate with user certificate authentication
* Unable to authenticate users at the ISA firewall without generating dual authentication prompts
* No support for ISA firewall Enterprise configurations
* Unable to support Enterprise policies for multiple arrays
* Limited to a single CSS - no CSS replication or fault tolerance

What are the imagined risks of domain membership?

* No one has said
* LSADump? Try it on a Windows Server 2003 ISA firewall and see what happens
* Rainbow tables? Require passphrases. But Rainbow tables do not allow access to the Active Directory database from the ISA firewall.
* Enable LDAP connections to the DCs? How would the intruder do it? They would need to "own" the ISA firewall, install their tools, and then control the tool from a remote location. What if the ISA firewall weren't a domain member? They have control of the firewall, so they sniff traffic, find the DCs, configure the firewall to allow LDAP connections, and away you go.
* Key concept is that if the firewall is "owned" to that extent, the attacker can install whatever tools he likes. Network sniffers gather password hashes, clear text passwords, machine names, NetBIOS broadcasts, DNS queries, etc. Attacker can also install sniffer or IDS software, and replay sessions. It doesn't matter if the machine is a domain member or workgroup member - the same tools work on both types of deployment
* No proof of concept demonstrated at this time
* Can't leverage permissions of the logged on user, since the firewall doesn't have logged on users.
* Misconfigured firewalls of any type are the primary cause of firewall related compromises. The more difficult it is to configure the firewall, the more likely that there will be a misconfiguration.
* Is the difference that an attacker will be able to compromise domain accounts more quickly? What is the delta?

Conclusions:

* Domain membership increases the firewall's overall security posture
* Workgroup membership reduces the firewall's overall security posture
* If you're superstitious or afraid of falling pieces from passing airplanes, then put on a psychotronic reflector beanie and deploy domain member firewalls only when there is obvious benefit
* Examples of ISA firewalls that benefit from domain membership are those that have interfaces directly on user networks
* Examples of ISA firewalls that don't benefit from domain membership are those that don't abut user networks, such as front-end ISA firewalls in back to back configs, or those that won't authenticate domain users at any time.
* This is not meant to be definitive or the last word on the subject. I'd be happy to publish any papers describing proof of concept attacks that work only on domain member ISA firewalls but fail on workgroup member ISA firewalls.

Thomas W Shinder, M.D.
Site: www.isaserver.org <http://www.isaserver.org/>
Blog: http://spaces.msn.com/members/drisa/
Book: http://tinyurl.com/3xqb7 <http://tinyurl.com/3xqb7>
MVP -- ISA Firewalls
**Who is John Galt?**

________________________________
From: Joseph Danielsen [mailto:JDanielsen@xxxxxxxxxxxxxxxx]
Sent: Thursday, October 27, 2005 11:02 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] Domain on Edge

http://www.ISAserver.org

Is there any way you can provide me (via email or article) key points of putting ISA in Domain mode vs. Workgroup mode? (Tom - if an article doesn't exist for this topic, please schedule your weekend around completing this for Monday. Thank you sir :) ).

***There is a Beer of the Month Club membership with your name on it***

P.S. Coincidentally, I purchased your book this past Monday. Not that this would sway your decision or anything.

Joseph F. Danielsen, MCSA-Messaging, MCP
Network Blade Inc.
49 Marcy Street
Somerset, NJ 08873
(732) 213-0600

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as: tshinder@xxxxxxxxxxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx