Re: ISA 2004 Security issue

  • From: "Thor (Hammer of God)" <thor@xxxxxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Thu, 15 Dec 2005 21:06:02 -0800

P.S.-

A good way for you to hone down your rules is to start with nothing, and to attempt whatever access you want from whatever application you are working with while watching your ISA "live" monitor. You'll see what is denied, and from there you can allow protocols in "steps" until it works.

t

-----
"I may disapprove of what you say,
but I will defend to the death your
right to say it."


----- Original Message -----
From: "Thor (Hammer of God)" <thor@xxxxxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Thursday, December 15, 2005 7:56 PM
Subject: [isalist] Re: ISA 2004 Security issue



http://www.ISAserver.org

Ouch... That's kinda dangerous.. To use a UNC share from the DMZ, you'll have to allow NetBIOS sessions from the DMZ to the internal network as well as at least LDAP and Kerberos from the DMZ to the Domain Controllers. You might get by with CIFS but I'm not sure. In addition, any compromise of the DMZ will yield a credential usable on the internal network. Not really cool...

Is there no better way for you to isolate the DMZ web server completely? How often does internal content change? It would be WAY better to come up with a process that updates the DMZ content from the Internal server when necessary...

t

-----
"I may disapprove of what you say,
but I will defend to the death your
right to say it."


----- Original Message -----
From: "Prashanth" <prashanth@xxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Thursday, December 15, 2005 7:33 PM
Subject: [isalist] ISA 2004 Security issue




Hi,
The web server (IIS 6.0, Windows 2003 + SP1) is connected to the ISA 2004 DMZ
interface.

The file server (Windows 2003 + SP1) is located on the ISA 2004 inside interface.

The virtual directory in the default website is pointing to a share folder
located at the file server.


I cannot browse using a UNC path from the web server pointing to the file server.

Please let me know what ports I need to open between the ISA DMZ and inside
interfaces.

Web server IP: 172.16.224.2
File server IP: 172.16.0.2

From the web server I cannot see the directory listing, i.e. \\172.16.0.2\shared
folder

Need help

Regards,
Prashanth


------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as: thor@xxxxxxxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx
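
The "start with nothing and allow in steps" approach from the P.S., combined with the protocols named in the earlier reply, as an added example that is not part of the original thread: it collapses denied connections from the DMZ web server into one row per distinct flow, so each candidate allow rule can be reviewed individually. The log line layout is a constructed, simplified format (not the ISA 2004 log format), 172.16.0.10 is a hypothetical domain controller address, and the function names are illustrative.

```python
from collections import Counter

# Well-known ports for the services named in the thread.
SERVICES = {
    ("TCP", 88): "Kerberos", ("UDP", 88): "Kerberos",
    ("TCP", 389): "LDAP", ("UDP", 389): "LDAP",
    ("TCP", 139): "NetBIOS Session", ("TCP", 445): "CIFS",
}

# Constructed sample lines: action, source, destination, protocol, port.
# This is NOT the real ISA log layout; 172.16.0.10 is a hypothetical DC.
SAMPLE_LOG = """\
DENIED 172.16.224.2 172.16.0.2 TCP 445
DENIED 172.16.224.2 172.16.0.2 TCP 445
DENIED 172.16.224.2 172.16.0.2 TCP 139
DENIED 172.16.224.2 172.16.0.10 TCP 88
DENIED 172.16.224.2 172.16.0.10 UDP 389
ALLOWED 172.16.224.2 198.51.100.7 TCP 80
DENIED 172.16.224.2 172.16.0.2 TCP 3389
"""

def denied_flows(log_text, source):
    """Count denied (destination, protocol, port) tuples sent by `source`."""
    flows = Counter()
    for line in log_text.splitlines():
        fields = line.split()
        # Skip malformed lines, allowed traffic and other hosts.
        if len(fields) != 5 or fields[0] != "DENIED" or fields[1] != source:
            continue
        _, _, dst, proto, port = fields
        if port.isdigit():
            flows[(dst, proto, int(port))] += 1
    return flows

def review_list(flows):
    """One row per distinct denied flow: a candidate rule to accept or reject."""
    rows = []
    for (dst, proto, port), hits in sorted(flows.items()):
        service = SERVICES.get((proto, port),
                               "unrecognised - leave denied until explained")
        rows.append((dst, proto, port, hits, service))
    return rows

if __name__ == "__main__":
    flows = denied_flows(SAMPLE_LOG, "172.16.224.2")
    for dst, proto, port, hits, service in review_list(flows):
        print(f"{dst:<14}{proto:<5}{port:<6}{hits:<4}{service}")
```

Every row that ends up allowed is a path from the DMZ into the internal network, which is the exposure the reply warns about.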




