Re: ISA 2004 Security issue

  • From: "Greg Mulholland" <greg@xxxxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Fri, 16 Dec 2005 16:43:51 +1100

Agreed! That is how I have been doing my ISA implementations for a while. I
generally have an idea about what needs to go to where and when, but I just feel
better knowing I haven't got Kerberos running from my DMZ to the internal
network.
 
Greg Mulholland

________________________________

From: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx]
Sent: Fri 16/12/2005 4:06 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: ISA 2004 Security issue



http://www.ISAserver.org

P.S.-

A good way for you to hone down your rules is to start with nothing, and to
attempt whatever access you want from whatever application you are working
with while watching your ISA "live" monitor.   You'll see what is denied,
and from there you can allow protocols in "steps" until it works.

t

-----
"I may disapprove of what you say,
but I will defend to the death your
right to say it."


----- Original Message -----
From: "Thor (Hammer of God)" <thor@xxxxxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Thursday, December 15, 2005 7:56 PM
Subject: [isalist] Re: ISA 2004 Security issue


> Ouch... That's kinda dangerous.. To use a UNC share from the DMZ, you'll
> have to allow NetBIOS sessions from the DMZ to the internal network as
> well as at least LDAP and Kerberos from the DMZ to the Domain Controllers.
> You might get by with CIFS but I'm not sure.  In addition, any compromise
> of the DMZ will yield a credential usable on the internal network.  Not
> really cool...
>
> Is there no better way for you to isolate the DMZ web server completely?
> How often does internal content change?  It would be WAY better to come up
> with a process that updates the DMZ content from the Internal server when
> necessary...
>
> t
>
> -----
> "I may disapprove of what you say,
> but I will defend to the death your
> right to say it."
>
>
> ----- Original Message -----
> From: "Prashanth" <prashanth@xxxxxxxxxxxx>
> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> Sent: Thursday, December 15, 2005 7:33 PM
> Subject: [isalist] ISA 2004 Security issue
>
>
>> Hi,
>> The web server (IIS 6.0, Windows 2003 + SP1) is connected to the ISA 2004
>> DMZ interface.
>>
>> The file server (Windows 2003 + SP1) is located on the ISA 2004 inside
>> interface.
>>
>> The virtual directory in the default website is pointing to a shared
>> folder located on the file server.
>>
>> I cannot browse using a UNC path from the web server pointing to the file
>> server.
>>
>> Please let me know what ports I need to open between the ISA DMZ and inside
>> interfaces.
>>
>> Web server IP: 172.16.224.2
>> File server IP: 172.16.0.2
>>
>> From the web server I cannot see the directory listing, i.e.
>> \\172.16.0.2\shared folder
>>
>> Need help
>>
>> Regards,
>> Prashanth
>>
>>
>> ------------------------------------------------------
>> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
>> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
>> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
>> ------------------------------------------------------
>> Visit TechGenix.com for more information about our other sites:
>> http://www.techgenix.com
>> ------------------------------------------------------
>> You are currently subscribed to this ISAserver.org Discussion List as:
>> thor@xxxxxxxxxxxxxxx
>> To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
>> Report abuse to listadmin@xxxxxxxxxxxxx
>>
>>


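
Added example (not part of the original thread or of ISA Server): a sketch of the "start with nothing, watch what is denied, allow in steps" approach from the P.S. above, applied to an exported list of denials. The CSV layout, the 172.16.224.0/24 DMZ mask and the 172.16.0.10 domain controller address are assumptions made for illustration; only the web and file server addresses come from the thread. Flows on the protocols the thread warns about (NetBIOS session, CIFS, LDAP, Kerberos) are flagged for review before any rule is added.

```python
import csv
import io
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample: a simplified CSV of firewall decisions.
# This is NOT ISA 2004's real log format.
SAMPLE_LOG = """\
time,src,dst,proto,dport,action
16:01:02,172.16.224.2,172.16.0.2,TCP,445,Denied
16:01:02,172.16.224.2,172.16.0.2,TCP,139,Denied
16:01:03,172.16.224.2,172.16.0.10,TCP,88,Denied
16:01:03,172.16.224.2,172.16.0.10,TCP,389,Denied
16:01:05,172.16.224.2,172.16.0.2,TCP,445,Denied
16:01:07,172.16.224.2,172.16.0.10,UDP,123,Denied
16:01:09,172.16.0.2,172.16.224.2,TCP,80,Allowed
"""

# Well-known ports for the protocols named in the thread. Opening any of
# these from the DMZ inward exposes domain authentication to a DMZ host.
SENSITIVE = {
    ("TCP", 139): "NetBIOS Session", ("TCP", 445): "CIFS",
    ("TCP", 389): "LDAP", ("UDP", 389): "LDAP",
    ("TCP", 88): "Kerberos", ("UDP", 88): "Kerberos",
}

def summarize_denials(log_text, dmz_net="172.16.224.0/24"):
    """Group denied DMZ-originated flows, most frequent first."""
    dmz = ip_network(dmz_net)  # assumed mask for the DMZ segment
    counts = Counter()
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["action"] != "Denied" or ip_address(row["src"]) not in dmz:
            continue
        key = (row["src"], row["dst"], row["proto"], int(row["dport"]))
        counts[key] += 1
    summary = []
    for (src, dst, proto, port), hits in counts.most_common():
        service = SENSITIVE.get((proto, port))
        summary.append({"src": src, "dst": dst, "proto": proto, "port": port,
                        "hits": hits, "service": service or "other",
                        "review": service is not None})
    return summary

if __name__ == "__main__":
    for flow in summarize_denials(SAMPLE_LOG):
        flag = "REVIEW" if flow["review"] else "ok"
        print(f'{flag:6} {flow["src"]} -> {flow["dst"]} '
              f'{flow["proto"]}/{flow["port"]} ({flow["service"]}) x{flow["hits"]}')
```
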

