Ahahahahahaha you're so funny Mr. hammerofgod :) Just because I was asleep doesn't mean you can poke fun... *runs crying to the sbs list*

Greg Mulholland

-----Original Message-----
From: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx]
Sent: Thursday, December 01, 2005 4:00 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Minimum Protocol Rules by Service Type List

http://www.ISAserver.org

Of course, regarding the standard publishing, I would indeed export it in human readable form... Getting it in Greg readable form is going to be tough, though ;)

t

-----
"And yet, even if one person finds his way... that means there is a Way. Even if I personally fail to reach it."
Mr. Nobusuke Tagomi
Top Place, Ranking Imperial Trade Mission
Pacific States of America

----- Original Message -----
From: "Thor (Hammer of God)" <thor@xxxxxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Wednesday, November 30, 2005 8:42 AM
Subject: [isalist] RE: Minimum Protocol Rules by Service Type List

> http://www.ISAserver.org
>
> I still need to figure out how to properly archive this data-- I don't
> think the standard Word doc is going to cut it-- it may, though. I'm
> thinking something more like a database where you can pull up a
> product/service and see all the different types of configurations
> supported, each with its own protocol listing. For instance, regarding
> SQL, I haven't even gotten to the MultiProtocol or Named Pipes
> libraries...
>
> I'll handle all the standard Microsoft stuff... If anyone wants to tackle
> other stuff (like Cisco VPN, etc) that's cool.
>
> t
>
> -----
> "And yet, even if one person finds his way... that means
> there is a Way. Even if I personally fail to reach it."
>
> Mr. Nobusuke Tagomi
> Top Place, Ranking Imperial Trade Mission
> Pacific States of America
>
> ----- Original Message -----
> From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> Sent: Wednesday, November 30, 2005 7:12 AM
> Subject: [isalist] RE: Minimum Protocol Rules by Service Type List
>
> http://www.ISAserver.org
>
> I figured you were about 35. So that makes you about 50 years younger
> than me.
>
> It would be fantastic to get this kind of contribution on
> ISAserver.org and we would be forever in your debt for it. I might have
> to send you a case of Sambuca or something like that, or maybe I'll send
> that to Jim and send you the Cisco and Night Train.
>
> If you're gonna do this in Word docs, just use the Normal template using
> the Normal View and paste the screen shots into the Word doc directly.
> I've got a method to batch convert all the embedded graphics so no
> problem there.
>
> Let me know if there's any non-SQL POC stuff you want me to test out :)
>
> Thanks!
> Tom
>
> Thomas W Shinder, M.D.
> Site: www.isaserver.org
> Blog: http://spaces.msn.com/members/drisa/
> Book: http://tinyurl.com/3xqb7
> MVP -- ISA Firewalls
> **Who is John Galt?**
>
>> -----Original Message-----
>> From: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx]
>> Sent: Tuesday, November 29, 2005 11:40 PM
>> To: [ISAserver.org Discussion List]
>> Subject: [isalist] RE: Minimum Protocol Rules by Service Type List
>>
>> http://www.ISAserver.org
>>
>> Heh... I'm younger anyway-- and not by much ;)
>>
>> Cool then... I'll make sure to not only document in a verbose manner, but to
>> test each service in isolation (meaning, I won't test Exchange RPC
>> requirements while having the SQL Authentication rules in place.)
>>
>> Yours, of course, would be the venue to publish-- you have established your
>> site as the standard for ISA information-- no reason to work outside of
>> that. Even if there was a reason, I still wouldn't do it ;)
>>
>> [pulling in Greg's post]
>>
>> Thanks dude-- this could get complex quickly, so I may need some help. I
>> think a db-based "solutions bank" would make sense-- a main heading of the
>> service, with sub-categories of access type (NTLM, Kerberos, Basic, etc) and
>> stuff like that. This will be fun.
>>
>> So, I'm on it... Most of this will come from the actual deployment, which
>> will be in the next couple of weeks after we rebuild our DMZ this coming
>> weekend.
>>
>> Thanks guys. (And any nurturing females on the list)
>>
>> t
>>
>> -----
>> "And yet, even if one person finds his way... that means
>> there is a Way. Even if I personally fail to reach it."
>> Mr. Nobusuke Tagomi - Top Place, Ranking Imperial Trade Mission - Pacific
>> States of America
>>
>> ----- Original Message -----
>> From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
>> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
>> Sent: Tuesday, November 29, 2005 9:13 PM
>> Subject: [isalist] RE: Minimum Protocol Rules by Service Type List
>>
>> http://www.ISAserver.org
>>
>> Hey Tim,
>>
>> This would be REALLY COOL. As far as I know, there's nothing like this
>> out there. I have a lot of articles covering specific scenarios, but none
>> of them include SQL or backup agents, because A. I don't know squat
>> about SQL and B. the heterogeneous backup agent environment makes me
>> avoidant because I know it'll generate requests for all the other
>> vendors.
>>
>> However, you're younger, smarter and stronger than me, so you might be
>> able to handle it -- or since your kids are still young, you're better
>> able to resist requests for MORE.
>>
>> I've often thought of doing the same thing with my network, which is
>> production full tilt for us. Four multihomed ISA firewalls serving
>> three Internet links, three domains, Exchange 2003 (no cluster),
>> SharePoint Portal Server, IIS sites, MOM, spam whackers, LCS, VoIP,
>> Windows Media Services, blah blah blah. Lots of whacky POC stuff that
>> I've never written about, but worked pretty neat, so I decided to keep
>> it. Maybe I'll like yours so much I'll show mine too :)
>>
>> So, count me in as thinking this is a great idea. You'll introduce a ton
>> of good stuff that's not out there yet! Let me know if you want any help,
>> comment, or whatever for this project. If it's too long for the venues
>> you usually publish in, you're welcome to put it up at ISAserver.org and
>> use as many words, graphics and whatever you want. Maybe after that, I
>> can suck you into becoming a regular author for the site :-))) We need
>> a Mensa kinda guy for the site, since we lost ours to Microsoft LCA. :(
>>
>> Tom
>>
>> Thomas W Shinder, M.D.
>> Site: www.isaserver.org
>> Blog: http://spaces.msn.com/members/drisa/
>> Book: http://tinyurl.com/3xqb7
>> MVP -- ISA Firewalls
>> **Who is John Galt?**
>>
>> > -----Original Message-----
>> > From: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx]
>> > Sent: Tuesday, November 29, 2005 10:58 PM
>> > To: [ISAserver.org Discussion List]
>> > Subject: [isalist] Minimum Protocol Rules by Service Type List
>> >
>> > http://www.ISAserver.org
>> >
>> > Yo.
>> >
>> > In staying true to the concepts of least privilege and security in depth, I
>> > have been testing the minimum allowed protocols required to support various
>> > client-server services. The data I am collecting comes from bottom-up,
>> > step-by-step live protocol analysis-- this for two reasons: I've not seen a
>> > comprehensive list of "this is what you have to allow for X," and of the
>> > documentation I have seen, most of it includes catch-all protocol
>> > recommendations rather than the minimum rules necessary.
>> >
>> > The reason I bring this up is to get a consensus from the group on whether
>> > or not I should document my findings in such a way as to publish the
>> > results-- If something like this already exists, I don't want to re-invent
>> > the wheel. If not, I should heavily document my findings in order to
>> > provide a comprehensive list.
>> >
>> > For instance- SQL authentication using "mixed mode authentication" simply
>> > requires a single "SQL Server TCP 1433 Outbound" from the client set to the
>> > individual server. Integrated authentication via a standard library client
>> > (such as Query Analyzer) not only requires "SQL Server TCP 1433 Outbound" to
>> > the SQL host, but it also requires at least "Kerberos-Sec (UDP)" (UDP 88
>> > Send Receive) and "LDAP (UDP)" (UDP 389 Send Receive) from the client to the
>> > domain controller set. More "robust" clients, such as MS Access using a SQL
>> > Library, require a full LDAP (TCP 389) connection from the client to the
>> > domain controller set. While "LDAP (UDP)" may be forced, projects digitally
>> > signed with a certificate require the TCP connection based on my testing.
>> > This is the type of data I'm considering collecting for publication.
>> >
>> > The primary reason I am doing this is because my network admin (John Wilson)
>> > and I have decided to rebuild our entire infrastructure in a *true* least
>> > privilege environment. We will completely separate our entire server
>> > infrastructure from all clients with an *internal* ISA 2004 configured to
>> > only allow the minimum protocols through on a host-by-host,
>> > service-by-service, user-group by user-group basis. This will not be a
>> > test-- this will be in a total Microsoft production environment: clustered
>> > SQL servers, clustered Exchange servers, multiple domain controllers (group
>> > policy deployments, certificate services, etc), NAS devices, shared printers,
>> > web services, backup agents, custom application developments... the Full
>> > Monty. I've never seen this done in a production environment (though I've
>> > heard many people postulate about it) so I'm kind of excited about all of
>> > this.
>> >
>> > So, the main question is: Does a resource like this already exist somewhere?
>> > I figga that if anyone would know, it would be the folks on this list.
>> >
>> > t
>> >
>> > ------------------------------------------------------
>> > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
>> > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
>> > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
>> > ------------------------------------------------------
>> > Visit TechGenix.com for more information about our other sites:
>> > http://www.techgenix.com
>> > ------------------------------------------------------
>> > You are currently subscribed to this ISAserver.org Discussion
>> > List as: tshinder@xxxxxxxxxxxxxxxxxx
>> > To unsubscribe visit
>> > http://www.webelists.com/cgi/lyris.pl?enter=isalist
>> > Report abuse to listadmin@xxxxxxxxxxxxx
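The thread's idea of a "solutions bank" (minimum rules per service and access type) and the original post's SQL Server findings can be turned into a small audit. The following is an added example, not code from the ISAserver.org list, Thor or the site: the three SQL profiles are transcribed from the original post's reported test results; the computer-set names `Clients`, `SQL` and `DCs`, the `Rule` format, the profile keys and the sample policies are constructed for the illustration, and the MS Access profile is assumed to keep the Kerberos rule from the standard-library profile, since the post only says Access additionally needs the TCP LDAP connection. The audit reports which minimum rules a candidate policy lacks, which rules are catch-alls of the kind the post argues against, and which rules the chosen profile does not need.

```python
"""Minimum-protocol audit for a client-to-server service profile.

Added example; not code from the ISAserver.org list or its authors.
Profiles reflect the SQL Server findings reported in the thread;
set names, the policy format and the sample policies are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List

ANY_PORT = 0      # constructed convention: 0 means "all ports" (catch-all)
ANY_SET = "Any"   # constructed convention: destination set "Any" (catch-all)


@dataclass(frozen=True)
class Rule:
    """One allow rule from a source computer set to a destination set."""
    proto: str   # "TCP" or "UDP"
    port: int    # destination port, or ANY_PORT
    src: str     # source computer set (the clients)
    dst: str     # destination computer set (SQL host, DC set, ...)

    def covers(self, needed: "Rule") -> bool:
        """True when this rule allows at least what `needed` requires."""
        return (self.proto == needed.proto
                and self.port in (ANY_PORT, needed.port)
                and self.src == needed.src
                and self.dst in (ANY_SET, needed.dst))

    def is_catch_all(self) -> bool:
        """A rule that opens every port or every destination."""
        return self.port == ANY_PORT or self.dst == ANY_SET


# Minimum rule sets as reported in the original post. Set names are
# placeholders: Clients = client set, SQL = SQL host, DCs = DC set.
MINIMUM_RULES: Dict[str, List[Rule]] = {
    # Mixed-mode (SQL) authentication: a single SQL Server TCP 1433 rule.
    "sql-mixed": [Rule("TCP", 1433, "Clients", "SQL")],
    # Integrated auth, standard library client (e.g. Query Analyzer):
    # TCP 1433 to the SQL host plus Kerberos-Sec (UDP) and LDAP (UDP) to the DCs.
    "sql-integrated-standard": [
        Rule("TCP", 1433, "Clients", "SQL"),
        Rule("UDP", 88, "Clients", "DCs"),
        Rule("UDP", 389, "Clients", "DCs"),
    ],
    # Integrated auth from MS Access over a SQL library: full LDAP (TCP 389)
    # to the DCs. Keeping the Kerberos rule here is an assumption.
    "sql-integrated-access": [
        Rule("TCP", 1433, "Clients", "SQL"),
        Rule("UDP", 88, "Clients", "DCs"),
        Rule("TCP", 389, "Clients", "DCs"),
    ],
}


def missing_rules(policy: List[Rule], profile: str) -> List[Rule]:
    """Minimum rules of `profile` that no rule in `policy` covers."""
    return [need for need in MINIMUM_RULES[profile]
            if not any(have.covers(need) for have in policy)]


def catch_all_rules(policy: List[Rule]) -> List[Rule]:
    """Rules that grant far more than any single service needs."""
    return [have for have in policy if have.is_catch_all()]


def unneeded_rules(policy: List[Rule], profile: str) -> List[Rule]:
    """Rules in `policy` that cover nothing the profile requires."""
    return [have for have in policy
            if not any(have.covers(need) for need in MINIMUM_RULES[profile])]


def audit(policy: List[Rule], profile: str) -> Dict[str, List[Rule]]:
    """Full least-privilege report for one policy against one profile."""
    return {
        "missing": missing_rules(policy, profile),
        "catch_all": catch_all_rules(policy),
        "unneeded": unneeded_rules(policy, profile),
    }


# Constructed sample policies: the catch-all style versus a minimal one.
CATCH_ALL_POLICY = [
    Rule("TCP", ANY_PORT, "Clients", ANY_SET),
    Rule("UDP", ANY_PORT, "Clients", ANY_SET),
]
MIXED_MODE_ONLY = [Rule("TCP", 1433, "Clients", "SQL")]

if __name__ == "__main__":
    for name, policy in (("catch-all", CATCH_ALL_POLICY),
                         ("mixed-mode only", MIXED_MODE_ONLY)):
        for profile in MINIMUM_RULES:
            report = audit(policy, profile)
            print(f"{name} vs {profile}: "
                  f"missing={len(report['missing'])} "
                  f"catch_all={len(report['catch_all'])} "
                  f"unneeded={len(report['unneeded'])}")
```

Run against the catch-all policy, nothing is reported missing for any profile, which is exactly why catch-all recommendations look "correct" while violating least privilege; the `catch_all` list is what exposes them. Run against the mixed-mode-only policy, the two integrated profiles each report the missing domain-controller rules, so the audit reproduces the distinction the post draws between mixed-mode and integrated authentication.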