Disturbing!

Greg Mulholland

-----Original Message-----
From: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx]
Sent: Wednesday, November 30, 2005 5:28 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Minimum Protocol Rules by Service Type List

http://www.ISAserver.org

That's odd... I push-installed *your* MOM agent without any problems. <bfg>

But on a serious note, it is surprising to see how much NetBIOS/CIFS traffic
is requested, even in the presence of a current Kerberos ticket - that and
RPC traffic to the DCs (like when you are in Outlook 2003, requesting a
concurrent SQL connection under different creds, etc.)

It's quite interesting to correlate local NetMon dumps to the ISA logs-- I've
been staring at them for the last several hours, and have discerned what I
think is an "affinity" of ISA to not display logged traffic. For instance, if
I make an integrated authentication connection to a SQL server after all
connections have been closed, ISA logs the Kerberos traffic on reconnect (as
does local NetMon.) However, if I disconnect and reconnect within a few
seconds, I can see that the client's ticket is checked in NetMon, though ISA
does not show the connection request to the DC as accepted and/or
established. Kind of odd, but I have not fully explored why yet. I'll keep on
it, though I know I'll have more NetMon/ISA sex dreams tonight. Don't ask.

t

----- Original Message -----
From: "Jim Harrison" <Jim@xxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Tuesday, November 29, 2005 10:10 PM
Subject: [isalist] RE: Minimum Protocol Rules by Service Type List

> http://www.ISAserver.org
>
> Mos' definitely!
>
> For instance, I had an opportunity to answer the question of "why does
> SCM work remotely against ISA when WMI calls don't?"
>
> The answer (via judicious use of NetMon) is that SCM uses NetBIOS calls,
> and WMI uses DCOM.
> NetBIOS can be handled easily by ISA policies, but DCOM can't.
>
> Come to think of it, this is probably the main reason Raji can't
> push-install the MOM agent.
>
> -----Original Message-----
> From: Greg Mulholland [mailto:greg@xxxxxxxxxxxxxx]
> Sent: Tuesday, November 29, 2005 9:26 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Minimum Protocol Rules by Service Type List
>
> http://www.ISAserver.org
>
> Thor
>
> Let me jump on Tom's shoulders here and say, "what he said". I've often
> thought of doing it in a larger, more funner environment, but never had
> the real time or authority to be able to do it. It's definitely a cool
> process and we do do it to some degree in smaller environments where we
> are able to. Let me know if you need help for anything; as Tom's said, I'd
> be willing to jump on board if you hit a snag and haven't got the skillz
> to finish something :p... or just want a scenario tested...
>
> Greg Mulholland
>
> ________________________________
>
> From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
> Sent: Wed 30/11/2005 4:13 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Minimum Protocol Rules by Service Type List
>
> http://www.ISAserver.org
>
> Hey Tim,
>
> This would be REALLY COOL. As far as I know, there's nothing like this
> out there. I have a lot of articles covering specific scenarios, but none
> of them include SQL or backup agents, because A. I don't know squat
> about SQL and B. the heterogeneous backup agent environment makes me
> avoidant because I know it'll generate requests for all the other
> vendors.
>
> However, you're younger, smarter and stronger than me, so you might be
> able to handle it -- or since your kids are still young, you're better
> able to resist requests for MORE.
>
> I've often thought of doing the same thing with my network, which is
> production full tilt for us. Four multihomed ISA firewalls serving
> three Internet links, three domains, Exchange 2003 (no cluster),
> SharePoint Portal Server, IIS sites, MOM, spam whackers, LCS, VoIP,
> Windows Media Services, blah blah blah. Lots of whacky POC stuff that
> I've never written about, but worked pretty neat, so I decided to keep
> it. Maybe I'll like yours so much I'll show mine too :)
>
> So, count me in as thinking this is a great idea. You'll introduce a ton
> of good stuff that's not out there yet! Let me know if you want any help,
> comment, or whatever for this project. If it's too long for the venues
> you usually publish in, you're welcome to put it up at ISAserver.org and
> use as many words, graphics and whatever you want. Maybe after that, I
> can suck you into becoming a regular author for the site :-))) We need
> a mensa kinda guy for the site, since we lost ours to Microsoft LCA. :(
>
> Tom
>
> Thomas W Shinder, M.D.
> Site: www.isaserver.org
> Blog: http://spaces.msn.com/members/drisa/
> Book: http://tinyurl.com/3xqb7
> MVP -- ISA Firewalls
> **Who is John Galt?**
>
>
>> -----Original Message-----
>> From: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx]
>> Sent: Tuesday, November 29, 2005 10:58 PM
>> To: [ISAserver.org Discussion List]
>> Subject: [isalist] Minimum Protocol Rules by Service Type List
>>
>> http://www.ISAserver.org
>>
>> Yo.
>>
>> In staying true to the concepts of least privilege and security in depth,
>> I have been testing the minimum allowed protocols required to support
>> various client-server services. The data I am collecting comes from
>> bottom-up, step-by-step live protocol analysis-- this for two reasons:
>> I've not seen a comprehensive list of "this is what you have to allow
>> for X," and of the documentation I have seen, most of it includes
>> catch-all protocol recommendations rather than the minimum rules
>> necessary.
>>
>> The reason I bring this up is to get a consensus from the group on
>> whether or not I should document my findings in such a way as to publish
>> the results-- If something like this already exists, I don't want to
>> re-invent the wheel. If not, I should heavily document my findings in
>> order to provide a comprehensive list.
>>
>> For instance- SQL authentication using "mixed mode authentication" simply
>> requires a single "SQL Server TCP 1433 Outbound" from the client set to
>> the individual server. Integrated authentication via a standard library
>> client (such as Query Analyzer) not only requires "SQL Server TCP 1433
>> Outbound" to the SQL host, but it also requires at least "Kerberos-Sec
>> (UDP)" (UDP 88 Send Receive) and "LDAP (UDP)" (UDP 389 Send Receive)
>> from the client to the domain controller set. More "robust" clients,
>> such as MS Access using a SQL Library, require a full LDAP (TCP 389)
>> connection from the client to the domain controller set. While "LDAP
>> (UDP)" may be forced, projects digitally signed with a certificate
>> require the TCP connection based on my testing. This is the type of data
>> I'm considering collecting for publication.
>>
>> The primary reason I am doing this is because my network admin (John
>> Wilson) and I have decided to rebuild our entire infrastructure in a
>> *true* least privilege environment. We will completely separate our
>> entire server infrastructure from all clients with an *internal* ISA 2004
>> configured to only allow the minimum protocols through on a host-by-host,
>> service-by-service, user-group by user-group basis.
>> This will not be a test-- this will be in a total Microsoft production
>> environment: clustered SQL servers, clustered Exchange servers, multiple
>> domain controllers (group policy deployments, certificate services, etc),
>> NAS devices, shared printers, web services, backup agents, custom
>> application developments... the Full Monty. I've never seen this done in a
>> production environment (though I've heard many people postulate about it)
>> so I'm kind of excited about all of this.
>>
>> So, the main question is: Does a resource like this already exist
>> somewhere? I figga that if anyone would know, it would be the folks on
>> this list.
>>
>> t
>>
>> ------------------------------------------------------
>> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
>> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
>> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
>> ------------------------------------------------------
>> Visit TechGenix.com for more information about our other sites:
>> http://www.techgenix.com
>> ------------------------------------------------------
>> You are currently subscribed to this ISAserver.org Discussion
>> List as: tshinder@xxxxxxxxxxxxxxxxxx
>> To unsubscribe visit
>> http://www.webelists.com/cgi/lyris.pl?enter=isalist
>> Report abuse to listadmin@xxxxxxxxxxxxx
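Two technical points run through the thread: Thor's original post derives per-service minimum rules bottom-up from observed traffic (SQL mixed mode needs only TCP 1433; integrated auth adds Kerberos UDP 88 and LDAP UDP 389 to the DC set; MS Access adds LDAP TCP 389), and his 30 November reply notes that a quick reconnect is visible in NetMon but missing from the ISA log. The script below is an added example written for this page, not code from the list or any of its authors. It models both steps over constructed records: host names (`ws01`, `sql01`, `dc01`, `dc02`), the service labels, the "Domain Controllers" computer set and the `LDAP (TCP 389)` label are assumptions; only the port numbers and the quoted protocol definition names come from the thread. It does not parse real NetMon or ISA log formats.

```python
"""Derive minimum ISA protocol rules from observed flows, and cross-check
NetMon captures against ISA log entries. Added example for this thread, not
code from the list or its authors. Every record is constructed; nothing here
parses real NetMon or ISA log formats."""
from dataclasses import dataclass

# Constructed observations, one per distinct flow seen while exercising the
# named service; ports follow the findings quoted in the thread.
OBSERVED = [  # (client, server, transport, dst_port, service exercised)
    ("ws01", "sql01", "tcp", 1433, "sql-mixed-mode"),
    ("ws01", "sql01", "tcp", 1433, "sql-integrated-qa"),
    ("ws01", "dc01", "udp", 88, "sql-integrated-qa"),
    ("ws01", "dc02", "udp", 88, "sql-integrated-qa"),
    ("ws01", "dc01", "udp", 389, "sql-integrated-qa"),
    ("ws01", "sql01", "tcp", 1433, "sql-integrated-access"),
    ("ws01", "dc02", "udp", 88, "sql-integrated-access"),
    ("ws01", "dc01", "tcp", 389, "sql-integrated-access"),
]
# Hosts the policy addresses as one computer set (assumed names).
HOST_SETS = {"dc01": "Domain Controllers", "dc02": "Domain Controllers"}
# Protocol definition names as quoted in the thread; the TCP 389 label is
# assumed, since the thread only calls it "full LDAP (TCP 389)".
PROTOCOL_NAMES = {("tcp", 1433): "SQL Server TCP 1433 Outbound",
                  ("udp", 88): "Kerberos-Sec (UDP)",
                  ("udp", 389): "LDAP (UDP)",
                  ("tcp", 389): "LDAP (TCP 389)"}


@dataclass(frozen=True, order=True)
class Rule:
    client: str
    destination: str  # host name or computer-set name
    transport: str
    port: int         # 0 stands for an "any port" catch-all definition

    @property
    def protocol_name(self) -> str:
        fallback = f"{self.transport.upper()} {self.port}"
        return PROTOCOL_NAMES.get((self.transport, self.port), fallback)


def minimum_rules(records, service):
    """Collapse the flows observed for one service into its minimum rule set;
    servers in a computer set collapse to the set so one rule covers every DC."""
    rules = set()
    for client, server, transport, port, svc in records:
        if svc == service:
            rules.add(Rule(client, HOST_SETS.get(server, server), transport, port))
    return sorted(rules)


def excess_grants(policy, required):
    """Pair each policy rule wider than `required` with the narrower rules that
    would replace it (a catch-all), or with [] if no observed flow needs it."""
    needed = set(required)
    findings = []
    for rule in policy:
        if rule in needed:
            continue
        narrower = []
        if rule.port == 0:
            narrower = sorted(r for r in needed if (r.client, r.destination, r.transport)
                              == (rule.client, rule.destination, rule.transport))
        findings.append((rule, narrower))
    return findings


def unlogged_flows(netmon, isa, window_s=2.0):
    """Flows NetMon saw with no ISA entry of the same flow key within window_s.
    Each ISA entry is consumed once, so a quick reconnect cannot borrow the
    log entry of the connection that preceded it."""
    unused = sorted(isa)
    missing = []
    for flow in sorted(netmon):  # (timestamp_s, client, server, transport, port)
        ts, key = flow[0], flow[1:]
        hit = next((e for e in unused if e[1:] == key and abs(e[0] - ts) <= window_s), None)
        if hit is None:
            missing.append(flow)
        else:
            unused.remove(hit)
    return missing


# Constructed capture: the second Kerberos exchange, three seconds after the
# first, has no ISA entry of its own.
NETMON = [(100.0, "ws01", "dc01", "udp", 88), (103.0, "ws01", "dc01", "udp", 88)]
ISA_LOG = [(100.2, "ws01", "dc01", "udp", 88)]
CATCH_ALL = [Rule("ws01", "Domain Controllers", "udp", 0),
             Rule("ws01", "sql01", "tcp", 1433), Rule("ws01", "sql01", "tcp", 445)]

if __name__ == "__main__":
    for svc in ("sql-mixed-mode", "sql-integrated-qa", "sql-integrated-access"):
        print(svc, [f"{r.destination}: {r.protocol_name}" for r in minimum_rules(OBSERVED, svc)])
    for rule, narrower in excess_grants(CATCH_ALL, minimum_rules(OBSERVED, "sql-integrated-qa")):
        print("excess:", rule, "->", [n.protocol_name for n in narrower] or "not observed")
    print("in NetMon, absent from ISA log:", unlogged_flows(NETMON, ISA_LOG))
```

Run as a script it prints the derived rule set for each service, reports the catch-all UDP rule to the DC set together with the two narrower definitions that would replace it, flags the unobserved TCP 445 rule, and lists the reconnect that NetMon recorded but the ISA log did not. The one-to-one matching in `unlogged_flows` matters for the thread's observation: if every NetMon flow were allowed to match any ISA entry within the window, a reconnect a few seconds after the original would silently pair with the first connection's log line and the gap would not show.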