[isalist] Re: New Articles on Tales

  • From: Jerry Young <jerrygyoungii@xxxxxxxxx>
  • To: isalist@xxxxxxxxxxxxx
  • Date: Mon, 17 Aug 2009 10:12:17 -0400

Damn, guys... think maybe you should have gotten a room? :)

And here I thought all of yas were BFFs. :D

Thor, I never took offense at what Jim was driving at (maybe I'm thick
skinned??).  I certainly didn't take it as "people who think installing Edge
(or anything) as a WG instead of a DM are a 'tinfoil hat crowd'".  I
interpreted it (perhaps added to it??) as "people who think you must always,
absolutely, install as a WG instead of a DM, and that anyone who doesn't is
completely ignorant and stupid, are a 'tinfoil hat crowd'".

The simple fact of the matter is that very few small/medium businesses are
mature when it comes to security.  I don't have any supporting numbers but
my guess would be that most run in an Internet/Edge/LAN topology, if that.

My current client is a financial company that manages around $11 billion in
capital resources.  If I went to the CIO and said that they must build out a
fully fledged, edge completely separated, traffic tightly controlled edge
network topology and took serious issue with them for not doing so, I
wouldn't keep them as a client for long.  The best I can possibly do is
simply warn them of their risks (which I have) and work with them as they
mature to make it more secure.

I got clobbered for being hardnosed about making an App Pool identity for a
web application accessible from the Internet an Administrator of the local
server, which was a domain member!  And I mean clobbered!  The client's need
for usability outweighed their perceived need for security in that instance
and I was told to, not so kindly, go pound sand.

While your reasoning for how making a box a DM reduces security provides
some solid examples, "security-averse" users might respond as follows:

-Required authentication and management traffic into/out of the internal
network.
How is this a risk?  How is it quantifiable?  Can a successful attack be
demonstrated?  Would an attacker find the effort worth the end results?  How
else might this be mitigated, aside from simply making the machine a WG
member?

-Cached domain credentials on the server itself -- even if not cached, the
machine's account allows for leverage of exploitation on internal assets
even if a vulnerability requires authentication.  Measures can be taken to
reduce these risks, but they MUST be taken if a DM, not so if a WG.
What would it take to exploit this and can a successful attack be
demonstrated?  How are local cached credentials any more secure than domain
cached credentials?   If hacked, the box still provides a platform for
further attacks, even if a potential key to the domain isn't there.  What
would be the complete set of steps to use to mitigate this risk, aside from
making the machine a WG member?

-Domain credentials/tokens will very likely be in memory and can be
leveraged by an attacker, particularly if someone is logged on to the
console of the box, or if services are running under domain credentials.
Again, how is this quantifiable?  Can a successful attack be demonstrated?

-any user anywhere in the forest, or trusted entities, will be an
"authenticated user."
Can't this default behavior be changed with regards to what an authenticated
user has access to?  Wouldn't it make more sense to understand the rights
users need based on roles and assign accessibility accordingly rather than
dumping the box in its own WG?

Regardless of the side I take on the usability versus security argument,
however, I am always told to prove by demonstration my stance.  That's the
frustrating part!  And that's why people like me look to Microsoft (or any
vendor) who provides software for specific guidance.

So, while I found the exchange here entertaining, it really didn't help me
out too much; I saw reflected my own struggles with exploring and explaining
the usability/security relationship.  I do like the idea of fleshing out
some of the scenarios you and Jim traded, however, as samples of when to use
which approach; what I think might be helpful to the community at large is
to put together a list of risks and methods of mitigation.  Then you simply
let the clients choose which best fits their needs and budget.

Just my $.02, which isn't worth much, I know. ;)

On Mon, Aug 17, 2009 at 8:40 AM, Amy Babinchak <
amy@xxxxxxxxxxxxxxxxxxxxxxxxxx> wrote:

> http://www.ISAserver.org <http://www.isaserver.org/>
> -------------------------------------------------------
>
> Doesn't matter really. The point is that Microsoft has a released firewall
> product called TMG with the EE installed on the domain member server. It's
> the same enough.
>
> thanks,
>
> Amy Babinchak
>
> Harbor Computer Services | 248-850-8616 | Mobile 248-890-1794
>
> Phone Number: 248-850-8616
>
> Web   http://www.harborcomputerservices.net
> Client Blog   http://smalltechnotes.blogspot.com
> Tech Blog   http://securesmb.harborcomputerservices.net
>
> Buy My House: http://www.HomesByOwner.com/15490
>
> Are you an IT Pro?  http://www.thirdtier.net
>
>
> -----Original Message-----
>  From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
> On Behalf Of Steve Moffat
> Sent: Monday, August 17, 2009 8:38 AM
> To: ISA Mailing List
> Subject: [isalist] Re: New Articles on Tales
>
>
> Not the same TMG....
>
> -----Original Message-----
> From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
> On Behalf Of Amy Babinchak
> Sent: Monday, August 17, 2009 9:35 AM
> To: ISA Mailing List
> Subject: [isalist] Re: New Articles on Tales
>
>
> Microsoft has a released product where the TMG (with EBS) also running the
> Exchange 2007 Edge role is a domain member.
>
> thanks,
>
> Amy Babinchak
>
> -----Original Message-----
> From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
> On Behalf Of Han Valk
> Sent: Monday, August 17, 2009 1:37 AM
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] Re: New Articles on Tales
>
>
> Ok I understand, that still leaves the point that some 'official' guidance
> from Microsoft would be nice.
>
> Han.
>
> ________________________________
> From: isalist-bounce@xxxxxxxxxxxxx [isalist-bounce@xxxxxxxxxxxxx] On
> Behalf Of Jim Harrison [Jim@xxxxxxxxxxxx]
> Sent: Sunday, August 16, 2009 4:32 PM
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] Re: New Articles on Tales
>
>
> There is no "always" or "never" to either of them. It's situational and
> requires that the deployment team perform their own threat modeling.
> Exchange supports placing the edge role on a WG server to appease the "no
> domain members at the edge" tinfoil hat crowd, but when you combine it with
> TMG, the attack surface and thus the perceived threat of having the Exch
> edge role as a domain member is greatly reduced; even over that offered by
> Windows Firewall policies.
>
> Jim
>
> -----Original Message-----
> From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
> On Behalf Of Han Valk
> Sent: Saturday, August 15, 2009 11:54 PM
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] Re: New Articles on Tales
>
>
> As far as I know Exchange Edge is to be installed on a workgroup server
> while TMG does its best job when domain joined. So this is a bit of a
> contradiction to me. I would love to see guidance from Microsoft on that.
> Maybe this can be added to the Q&A in Understanding Email Protection on TMG.
>
> Han.
>
>
> > -----Original Message-----
> > From: isalist-bounce@xxxxxxxxxxxxx
> > [mailto:isalist-bounce@xxxxxxxxxxxxx]
> > On Behalf Of Jim Harrison
> > Sent: Sunday, August 16, 2009 00:35
> > To: isalist@xxxxxxxxxxxxx
> > Subject: [isalist] New Articles on Tales
> >
> > http://blogs.technet.com/isablog/archive/2009/08/15/new-tales-from-the-edge-articles.aspx
>
> ------------------------------------------------------
> List Archives: //www.freelists.org/archives/isalist/
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server Articles and Tutorials:
> http://www.isaserver.org/articles_tutorials/
> ISA Server Blogs: http://blogs.isaserver.org/
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites:
> http://www.techgenix.com<http://www.techgenix.com/>
> ------------------------------------------------------
> To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
> Report abuse to listadmin@xxxxxxxxxxxxx
>

-- 
Cordially yours,
Jerry G. Young II
Microsoft Certified Systems Engineer
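
The four exposure points Jerry lists for a domain-member edge box (cached
domain credentials, domain-account services, domain tokens in memory, and
"Authenticated Users" reaching into local groups), plus the app-pool-as-local-
Administrator incident he describes, can each be checked on the server itself.
The script below is an added example written for this archive page; it is not
code from Jerry, Jim, Thor or Microsoft, and the thread does not contain it.
It assumes an elevated PowerShell 5.1 or later session on the edge server, an
assumed domain NetBIOS name of CORP (replace it), and the WebAdministration
module where IIS is installed. It reports findings rather than changing
anything, so it can be run as the "prove it by demonstration" step before a
client is asked to change a setting.

```powershell
# Added example, not from the thread. Audit a domain-joined edge server for the
# exposure points discussed above. Read-only: it reports, it does not remediate.
# ASSUMPTIONS: elevated PowerShell 5.1+, run locally on the server; 'CORP' is a
# placeholder domain NetBIOS name; IIS checks need the WebAdministration module.
$Domain   = 'CORP'
$Findings = New-Object System.Collections.Generic.List[string]

# 1. Cached domain credentials. Winlogon keeps up to CachedLogonsCount domain
#    logon verifiers (default 10) so users can log on when no DC is reachable.
#    On an edge server nobody should need that; 0 disables caching entirely.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$cached = (Get-ItemProperty -Path $winlogon -Name CachedLogonsCount -ErrorAction SilentlyContinue).CachedLogonsCount
if ($null -eq $cached) { $cached = 10 }   # value absent means the default applies
if ([int]$cached -gt 0) {
    $Findings.Add("CachedLogonsCount=$cached : domain logon verifiers are cached on this server (set to 0 if no one needs to log on while the DC is unreachable)")
}

# 2. Services running as domain accounts. Their password is stored as an LSA
#    secret and their token is live in memory, both recoverable by a local admin,
#    so a compromise of this box becomes a foothold on the domain.
Get-CimInstance Win32_Service |
    Where-Object { $_.StartName -like "$Domain\*" -or $_.StartName -like '*@*' } |
    ForEach-Object {
        $Findings.Add("Service '$($_.Name)' runs as $($_.StartName) (prefer a virtual account, a managed service account, or a local account with no domain rights)")
    }

# 3. Domain principals and 'Authenticated Users' in privileged local groups.
#    This is the "any user anywhere in the forest is an authenticated user"
#    point: membership should be explicit role groups, not the whole forest.
foreach ($group in 'Administrators', 'Remote Desktop Users', 'Backup Operators') {
    Get-LocalGroupMember -Group $group -ErrorAction SilentlyContinue |
        Where-Object { $_.PrincipalSource -eq 'ActiveDirectory' -or $_.Name -like '*Authenticated Users' } |
        ForEach-Object {
            $Findings.Add("Local group '$group' contains $($_.Name) [$($_.ObjectClass)]; replace with an explicit role group")
        }
}

# 4. IIS application pools whose identity is a local Administrator, the case
#    Jerry was told to "go pound sand" over. An Internet-facing pool running as
#    admin turns any web app bug into full control of a domain member.
if (Get-Module -ListAvailable -Name WebAdministration) {
    Import-Module WebAdministration
    $admins = @(Get-LocalGroupMember -Group Administrators -ErrorAction SilentlyContinue | ForEach-Object { $_.Name })
    Get-ChildItem IIS:\AppPools | ForEach-Object {
        $pm = $_.processModel
        if ($pm.identityType -eq 'SpecificUser' -and $admins -contains $pm.userName) {
            $Findings.Add("App pool '$($_.Name)' runs as $($pm.userName), a local Administrator (use ApplicationPoolIdentity or an unprivileged account)")
        }
        elseif ($pm.identityType -eq 'LocalSystem') {
            $Findings.Add("App pool '$($_.Name)' runs as LocalSystem (use ApplicationPoolIdentity or an unprivileged account)")
        }
    }
}

if ($Findings.Count -eq 0) { 'No findings.' } else { $Findings }
```

Each finding names the setting that produces the exposure and the change that
removes it without taking the box out of the domain, which is the list of
"risks and methods of mitigation" Jerry asks for. Run it before and after a
change to show the client what moved; the script only reads registry values,
service definitions, local group membership and IIS configuration, so it is
safe to run on a production edge server.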
