But of course... That's like telling your 2-yr-old not to touch the stove - they just gotta do it... :-)

-----Original Message-----
From: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx]
Sent: Tuesday, November 29, 2005 10:32 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Minimum Protocol Rules by Service Type List

http://www.ISAserver.org

You know I'm going to check it anyway, right? :)

----- Original Message -----
From: "Jim Harrison" <Jim@xxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Tuesday, November 29, 2005 10:11 PM
Subject: [isalist] RE: Minimum Protocol Rules by Service Type List

> http://www.ISAserver.org
>
> BTW, don't bother trying to check FWC authentication for SMB traffic.
> The MS Client service doesn't use Winsock, so the FWC never sees the
> traffic.
>
> We discovered this from a customer query...
>
> -----Original Message-----
> From: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx]
> Sent: Tuesday, November 29, 2005 9:40 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Minimum Protocol Rules by Service Type List
>
> http://www.ISAserver.org
>
> Heh... I'm younger anyway-- and not by much ;)
>
> Cool then... I'll make sure to not only document in a verbose manner, but to
> test each service in isolation (meaning, I won't test Exchange RPC
> requirements while having the SQL Authentication rules in place.)
>
> Yours, of course, would be the venue to publish-- you have established your
> site as the standard for ISA information-- no reason to work outside of
> that. Even if there was a reason, I still wouldn't do it ;)
>
> [pulling in Greg's post]
>
> Thanks dude-- this could get complex quickly, so I may need some help. I
> think a db-based "solutions bank" would make sense-- a main heading of the
> service, with sub-categories of access type (NTLM, Kerberos, Basic, etc) and
> stuff like that. This will be fun.
>
> So, I'm on it... Most of this will come from the actual deployment, which
> will be in the next couple of weeks after we rebuild our DMZ this coming
> weekend.
>
> Thanks guys. (And any nurturing females on the list)
>
> t
>
> -----
> "And yet, even if one person finds his way... that means
> there is a Way. Even if I personally fail to reach it."
> Mr. Nobusuke Tagomi - Top Place, Ranking Imperial Trade Mission -
> Pacific States of America
>
> ----- Original Message -----
> From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> Sent: Tuesday, November 29, 2005 9:13 PM
> Subject: [isalist] RE: Minimum Protocol Rules by Service Type List
>
> http://www.ISAserver.org
>
> Hey Tim,
>
> This would be REALLY COOL. As far as I know, there's nothing like this
> out there. I have lots of articles covering specific scenarios, but none
> of them include SQL or backup agents, because A. I don't know squat
> about SQL and B. the heterogeneous backup agent environment makes me
> avoidant because I know it'll generate requests for all the other
> vendors.
>
> However, you're younger, smarter and stronger than me, so you might be
> able to handle it -- or since your kids are still young, you're better
> able to resist requests for MORE.
>
> I've often thought of doing the same thing with my network, which is
> production full tilt for us. Four multihomed ISA firewalls serving
> three Internet links, three domains, Exchange 2003 (no cluster),
> SharePoint Portal Server, IIS sites, MOM, spam whackers, LCS, VoIP,
> Windows Media Services, blah blah blah. Lots of whacky POC stuff that
> I've never written about, but worked pretty neat, so I decided to keep
> it. Maybe I'll like yours so much I'll show mine too :)
>
> So, count me in as thinking this is a great idea. You'll introduce a ton
> of good stuff that's not out there yet! Let me know if you want any help,
> comment, or whatever for this project. If it's too long for the venues
> you usually publish in, you're welcome to put it up at ISAserver.org and
> use as many words, graphics and whatever you want. Maybe after that, I
> can suck you into becoming a regular author for the site :-))) We need
> a mensa kinda guy for the site, since we lost ours to Microsoft LCA. :(
>
> Tom
>
> Thomas W Shinder, M.D.
> Site: www.isaserver.org
> Blog: http://spaces.msn.com/members/drisa/
> Book: http://tinyurl.com/3xqb7
> MVP -- ISA Firewalls
> **Who is John Galt?**
>
>> -----Original Message-----
>> From: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx]
>> Sent: Tuesday, November 29, 2005 10:58 PM
>> To: [ISAserver.org Discussion List]
>> Subject: [isalist] Minimum Protocol Rules by Service Type List
>>
>> http://www.ISAserver.org
>>
>> Yo.
>>
>> In staying true to the concepts of least privilege and security in depth, I
>> have been testing the minimum allowed protocols required to support various
>> client-server services. The data I am collecting comes from bottom-up,
>> step-by-step live protocol analysis-- this for two reasons: I've not seen a
>> comprehensive list of "this is what you have to allow for X," and of the
>> documentation I have seen, most of it includes catch-all protocol
>> recommendations rather than the minimum rules necessary.
>>
>> The reason I bring this up is to get a consensus from the group on whether
>> or not I should document my findings in such a way as to publish the
>> results-- If something like this already exists, I don't want to re-invent
>> the wheel. If not, I should heavily document my findings in order to
>> provide a comprehensive list.
>>
>> For instance- SQL authentication using "mixed mode authentication" simply
>> requires a single "SQL Server TCP 1433 Outbound" from the client set to the
>> individual server. Integrated authentication via a standard library client
>> (such as Query Analyzer) not only requires "SQL Server TCP 1433 Outbound" to
>> the SQL host, but it also requires at least "Kerberos-Sec (UDP)" (UDP 88
>> Send Receive) and "LDAP (UDP)" (UDP 389 Send Receive) from the client to the
>> domain controller set. More "robust" clients, such as MS Access using a SQL
>> Library, require a full LDAP (TCP 389) connection from the client to the
>> domain controller set. While "LDAP (UDP)" may be forced, projects digitally
>> signed with a certificate require the TCP connection based on my testing.
>> This is the type of data I'm considering collecting for publication.
>>
>> The primary reason I am doing this is because my network admin (John Wilson)
>> and I have decided to rebuild our entire infrastructure in a *true* least
>> privilege environment. We will completely separate our entire server
>> infrastructure from all clients with an *internal* ISA 2004 configured to
>> only allow the minimum protocols through on a host-by-host,
>> service-by-service, user-group by user-group basis. This will not be a
>> test-- this will be in a total Microsoft production environment: clustered
>> SQL servers, clustered Exchange servers, multiple domain controllers (group
>> policy deployments, certificate services, etc.), NAS devices, shared printers,
>> web services, backup agents, custom application developments... the Full
>> Monty. I've never seen this done in a production environment (though I've
>> heard many people postulate about it) so I'm kind of excited about all of
>> this.
>>
>> So, the main question is: Does a resource like this already exist somewhere?
>> I figga that if anyone would know, it would be the folks on this list.
>>
>> t
>>
>> ------------------------------------------------------
>> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
>> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
>> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
>> ------------------------------------------------------
>> Visit TechGenix.com for more information about our other sites:
>> http://www.techgenix.com
>> ------------------------------------------------------
>> You are currently subscribed to this ISAserver.org Discussion
>> List as: tshinder@xxxxxxxxxxxxxxxxxx
>> To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
>> Report abuse to listadmin@xxxxxxxxxxxxx
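The SQL Server scenarios Thor lays out in the quoted message, turned into a small least-privilege rule audit (an added example, not code from the thread or from ISA Server itself): it checks constructed flow records against each scenario's minimum rule set and lists deployed rules that exceed it. The ISA computer-set names, the host-to-set mapping and the sample flows are assumptions.

```python
from collections import namedtuple

# One ISA access rule: protocol, destination port, source set, destination set.
Rule = namedtuple("Rule", "proto port src dst")
# One observed connection from a firewall log or capture.
Flow = namedtuple("Flow", "src_ip dst_ip proto dport")

# Minimum rule sets per scenario, as stated in the thread. The set names
# ("clients", "sql_host", "dc_set") are assumed labels for ISA computer sets.
MIN_RULES = {
    "sql-mixed-mode": {Rule("tcp", 1433, "clients", "sql_host")},
    "sql-integrated-query-analyzer": {
        Rule("tcp", 1433, "clients", "sql_host"),
        Rule("udp", 88, "clients", "dc_set"),    # Kerberos-Sec (UDP)
        Rule("udp", 389, "clients", "dc_set"),   # LDAP (UDP)
    },
}
# MS Access with a SQL library additionally needs full LDAP over TCP.
MIN_RULES["sql-integrated-ms-access"] = (
    MIN_RULES["sql-integrated-query-analyzer"] | {Rule("tcp", 389, "clients", "dc_set")}
)

# Constructed host-to-set mapping; the addresses are hypothetical.
HOST_SET = {"10.1.0.15": "clients", "10.2.0.5": "sql_host",
            "10.2.0.10": "dc_set", "10.2.0.11": "dc_set"}

def flow_allowed(flow, rules):
    """True if some rule covers this flow from its source set to its destination set."""
    src, dst = HOST_SET.get(flow.src_ip), HOST_SET.get(flow.dst_ip)
    return any(r.proto == flow.proto and r.port == flow.dport
               and r.src == src and r.dst == dst for r in rules)

def audit(scenario, flows):
    """Split observed flows into those the scenario's minimum set covers and the rest.
    Uncovered flows are either traffic the service really needs or traffic to investigate."""
    rules = MIN_RULES[scenario]
    covered = [f for f in flows if flow_allowed(f, rules)]
    uncovered = [f for f in flows if not flow_allowed(f, rules)]
    return covered, uncovered

def excess_rules(deployed, scenario):
    """Deployed rules beyond the scenario's minimum: candidates for removal."""
    return set(deployed) - MIN_RULES[scenario]

# Constructed flows from one client session (not a real capture).
SAMPLE_FLOWS = [
    Flow("10.1.0.15", "10.2.0.5", "tcp", 1433),
    Flow("10.1.0.15", "10.2.0.10", "udp", 88),
    Flow("10.1.0.15", "10.2.0.11", "udp", 389),
]
```

The flows that come back uncovered are what the bottom-up capture described in the thread is meant to surface: traffic a service turns out to need, or traffic with no business crossing the internal ISA.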