RE: Minimum Protocol Rules by Service Type List

  • From: "Greg Mulholland" <greg@xxxxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Thu, 1 Dec 2005 07:19:10 +1100

Ahahahahahaha you're so funny Mr. hammerofgod :)

Just because I was asleep doesn't mean you can poke fun... *runs crying to the sbs list*

Greg Mulholland

-----Original Message-----
From: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx] 
Sent: Thursday, December 01, 2005 4:00 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Minimum Protocol Rules by Service Type List

http://www.ISAserver.org

Of course, regarding the standard publishing, I would indeed export it in human readable form...  Getting it in Greg readable form is going to be tough, though ;)

t

-----
"And yet, even if one person finds his way... that means
there is a Way.  Even if I personally fail to reach it."

Mr. Nobusuke Tagomi
Top Place, Ranking Imperial Trade Mission
Pacific States of America
----- Original Message ----- 
From: "Thor (Hammer of God)" <thor@xxxxxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Wednesday, November 30, 2005 8:42 AM
Subject: [isalist] RE: Minimum Protocol Rules by Service Type List


> http://www.ISAserver.org
>
> I still need to figure out how to properly archive this data-- I don't think the standard Word doc is going to cut it-- it may, though.  I'm thinking something more like a database where you can pull up a product/service and see all the different types of configurations supported, each with its own protocol listing.  For instance, regarding SQL, I haven't even gotten to the MultiProtocol or Named Pipes libraries...
>
> I'll handle all the standard Microsoft stuff... If anyone wants to tackle other stuff (Like Cisco VPN, etc) that's cool.
>
> t
>
>
> -----
> "And yet, even if one person finds his way... that means
> there is a Way.  Even if I personally fail to reach it."
>
> Mr. Nobusuke Tagomi
> Top Place, Ranking Imperial Trade Mission
> Pacific States of America
> ----- Original Message ----- 
> From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> Sent: Wednesday, November 30, 2005 7:12 AM
> Subject: [isalist] RE: Minimum Protocol Rules by Service Type List
>
>
> http://www.ISAserver.org
>
> I figured you were about 35. So that makes you about 50 years younger than me.
>
> It would be fantastic to get this kind of contribution on the ISAserver.org and we would be forever in your debt for it. I might have to send you a case of Sambuca or something like that, or maybe I'll send that to Jim and send you the Cisco and Night Train.
>
> If you're gonna do this in word docs, just use the Normal template using the Normal View and paste the screen shots into the word doc directly. I've got a method to batch convert all the embedded graphics so no problem there.
>
> Let me know if there's any non-SQL POC stuff you want me to test out :)
>
> Thanks!
> Tom
>
> Thomas W Shinder, M.D.
> Site: www.isaserver.org
> Blog: http://spaces.msn.com/members/drisa/
> Book: http://tinyurl.com/3xqb7
> MVP -- ISA Firewalls
> **Who is John Galt?**
>
>
>
>> -----Original Message-----
>> From: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx]
>> Sent: Tuesday, November 29, 2005 11:40 PM
>> To: [ISAserver.org Discussion List]
>> Subject: [isalist] RE: Minimum Protocol Rules by Service Type List
>>
>> http://www.ISAserver.org
>>
>> Heh... I'm younger anyway-- and not by much ;)
>>
>> Cool then... I'll make sure to not only document in a verbose manner, but to test each service in isolation (meaning, I won't test Exchange RPC requirements while having the SQL Authentication rules in place.)
>>
>> Yours, of course, would be the venue to publish-- you have established your site as the standard for ISA information-- no reason to work outside of that.  Even if there was a reason, I still wouldn't do it ;)
>>
>> [pulling in Greg's post]
>>
>> Thanks dude-- this could get complex quickly, so I may need some help.  I think a db-based "solutions bank" would make sense-- a main heading of the service, with sub-categories of access type (NTLM, Kerberos, Basic, etc) and stuff like that.  This will be fun.
>>
>> So, I'm on it... Most of this will come from the actual deployment, which will be in the next couple of weeks after we rebuild our DMZ this coming weekend.
>>
>> Thanks guys. (And any nurturing females on the list)
>>
>> t
>>
>> -----
>> "And yet, even if one person finds his way... that means
>> there is a Way.  Even if I personally fail to reach it."
>> Mr. Nobusuke Tagomi - Top Place, Ranking Imperial Trade Mission - Pacific States of America
>>
>>
>>
>>
>> ----- Original Message ----- 
>> From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
>> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
>> Sent: Tuesday, November 29, 2005 9:13 PM
>> Subject: [isalist] RE: Minimum Protocol Rules by Service Type List
>>
>>
>> http://www.ISAserver.org
>>
>> Hey Tim,
>>
>> This would be REALLY COOL. As far as I know, there's nothing like this out there. I have a lot of articles covering specific scenarios, but none of them include SQL or backup agents, because A. I don't know squat about SQL and B. the heterogeneous backup agent environment makes me avoidant because I know it'll generate requests for all the other vendors.
>>
>> However, you're younger, smarter and stronger than me, so you might be able to handle it -- or since your kids are still young, you're better able to resist requests for MORE.
>>
>> I've often thought of doing the same thing with my network, which is production full tilt for us. Four multihomed ISA firewalls serving three Internet links, three domains, Exchange 2003 (no cluster), SharePoint Portal Server, IIS sites, MOM, spam whackers, LCS, VoIP, Windows Media Services, blah blah blah. Lots of whacky POC stuff that I've never written about, but worked pretty neat, so I decided to keep it. Maybe I'll like yours so much I'll show mine too :)
>>
>> So, count me in as thinking this is a great idea. You'll introduce a ton of good stuff that's not out there yet! Let me know if you want any help, comment, or whatever for this project. If it's too long for the venues you usually publish in, you're welcome to put it up at ISAserver.org and use as many words, graphics and whatever you want. Maybe after that, I can suck you into becoming a regular author for the site :-)))  We need a mensa kinda guy for the site, since we lost ours to Microsoft LCA. :(
>>
>> Tom
>>
>> Thomas W Shinder, M.D.
>> Site: www.isaserver.org
>> Blog: http://spaces.msn.com/members/drisa/
>> Book: http://tinyurl.com/3xqb7
>> MVP -- ISA Firewalls
>> **Who is John Galt?**
>>
>>
>>
>> > -----Original Message-----
>> > From: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx]
>> > Sent: Tuesday, November 29, 2005 10:58 PM
>> > To: [ISAserver.org Discussion List]
>> > Subject: [isalist] Minimum Protocol Rules by Service Type List
>> >
>> > http://www.ISAserver.org
>> >
>> > Yo.
>> >
>> > In staying true to the concepts of least privilege and security in depth, I have been testing the minimum allowed protocols required to support various client-server services.  The data I am collecting comes from bottom-up, step-by-step live protocol analysis-- this for two reasons: I've not seen a comprehensive list of "this is what you have to allow for X," and of the documentation I have seen, most of it includes catch-all protocol recommendations rather than the minimum rules necessary.
>> >
>> > The reason I bring this up is to get a consensus from the group on whether or not I should document my findings in such a way as to publish the results-- If something like this already exists, I don't want to re-invent the wheel.  If not, I should heavily document my findings in order to provide a comprehensive list.
>> >
>> > For instance- SQL authentication using "mixed mode authentication" simply requires a single "SQL Server TCP 1433 Outbound" from the client set to the individual server.  Integrated authentication via a standard library client (such as Query Analyzer) not only requires "SQL Server TCP 1433 Outbound" to the SQL host, but it also requires at least "Kerberos-Sec (UDP)" (UDP 88 Send Receive) and "LDAP (UDP)" (UDP 389 Send Receive) from the client to the domain controller set.  More "robust" clients, such as MS Access using a SQL Library require a full LDAP (TCP 389) connection from the client to the domain controller set.  While "LDAP (UDP)" may be forced, projects digitally signed with a certificate require the TCP connection based on my testing.  This is the type of data I'm considering collecting for publication.
>> >
>> > The primary reason I am doing this is because my network admin (John Wilson) and I have decided to rebuild our entire infrastructure in a *true* least privilege environment.  We will completely separate our entire server infrastructure from all clients with an *internal* ISA 2004 configured to only allow the minimum protocols through on a host-by-host, service-by-service, user-group by user-group basis.  This will not be a test-- this will be in a total Microsoft production environment: clustered SQL servers, clustered Exchange servers, multiple domain controllers (group policy deployments, certificate services, etc) NAS devices, shared printers, web services, backup agents, custom application developments... the Full Monty.  I've never seen this done in a production environment (though I've heard many people postulate about it) so I'm kind of excited about all of this.
>> >
>> > So, the main question is: Does a resource like this already exist somewhere?  I figga that if anyone would know, it would be the folks on this list.
>> >
>> > t
>


------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
greg@xxxxxxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx
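The "minimum rules per service" idea from Thor's original post, modelled as a small audit script (an added example, not code from the list or from any poster): the rule sets are taken from the SQL Server figures he quotes, the computer-set names ("clients", "sql-hosts", "domain-controllers") are constructed labels, and a deployed rule set is checked both for rules the service still needs and for anything broader than the minimum, the catch-all style he contrasts with least privilege.

```python
from dataclasses import dataclass
from typing import Iterable, Optional

@dataclass(frozen=True)
class Rule:
    """One ISA-style access rule; port=None means all ports (a catch-all)."""
    proto: str            # "TCP" or "UDP"
    port: Optional[int]
    src: str              # source computer set (set names are constructed labels)
    dst: str              # destination computer set

# Minimum rule sets per SQL client scenario, modelled on the figures in the post:
# TCP 1433 to the SQL host for mixed mode; plus Kerberos UDP 88 and LDAP UDP 389
# to the domain controllers for integrated auth from a standard library client;
# an MS Access-style client needs full LDAP over TCP 389 instead of the UDP form.
MINIMUM = {
    "sql/mixed-mode": {Rule("TCP", 1433, "clients", "sql-hosts")},
    "sql/integrated/standard-lib": {
        Rule("TCP", 1433, "clients", "sql-hosts"),
        Rule("UDP", 88, "clients", "domain-controllers"),
        Rule("UDP", 389, "clients", "domain-controllers"),
    },
    "sql/integrated/ms-access": {
        Rule("TCP", 1433, "clients", "sql-hosts"),
        Rule("UDP", 88, "clients", "domain-controllers"),
        Rule("TCP", 389, "clients", "domain-controllers"),
    },
}

def covers(rule: Rule, need: Rule) -> bool:
    """True if a deployed rule lets the needed traffic through."""
    return (rule.src == need.src and rule.dst == need.dst and rule.proto == need.proto
            and (rule.port is None or rule.port == need.port))

def audit(scenario: str, deployed: Iterable[Rule]):
    """Return (missing, excess): required rules nothing deployed covers (the
    service breaks), and deployed rules broader than or outside the minimum
    (least-privilege violations, catch-alls included even when they cover)."""
    required = MINIMUM[scenario]
    deployed = set(deployed)
    missing = {need for need in required if not any(covers(r, need) for r in deployed)}
    return missing, deployed - required

if __name__ == "__main__":
    # Constructed rule set: one catch-all UDP rule to the DCs instead of UDP 88 + 389.
    sloppy = [Rule("TCP", 1433, "clients", "sql-hosts"),
              Rule("UDP", None, "clients", "domain-controllers")]
    missing, excess = audit("sql/integrated/standard-lib", sloppy)
    print("missing:", missing, "\nexcess:", excess)
```

The catch-all keeps the service working (nothing missing) but is still reported as excess, which is exactly the gap between "it works" and "it is the minimum".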

