[isalist] Re: New Articles on Tales

  • From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
  • To: <isalist@xxxxxxxxxxxxx>
  • Date: Sun, 16 Aug 2009 10:40:29 -0500

http://www.ISAserver.org
-------------------------------------------------------

Ah, but just because idgets work in the enterprise and enforce their 
ill-informed opinion doesn't make it "right" or "better". From what I've seen, 
they have a checkbox in which to place a checkmark, and that's about it. If you 
try to enter a discussion about how domain members at the edge aren't the 
security issue their collective incubi scared them about, you get a blank face. 
There are lots of things I see in the "real world" that don't qualify as 
thoughtful, best practices or otherwise outright thoughtless.

Sure, if there's no reason to make something a domain member, don't. But if you 
improve your *overall* security posture by doing so, then do it. It's just a 
matter of looking at all the pieces, not just the checkbox.

In spite of all this, you're still kind of a big deal ;)

____________________________________________
TOM SHINDER   |   Sr. Consultant/Technical Writer 
206.443.1117   |   SHINDER@xxxxxxxxxxxxxxx

5701 Sixth Avenue South   |   Seattle, WA 98108  
PROWESS   |   WWW.PROWESSCORP.COM
____________________________________________


> -----Original Message-----
> From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
> Sent: Sunday, August 16, 2009 10:14 AM
> To: ISA Mailing List
> Subject: [isalist] Re: New Articles on Tales
> 
> It is *hardly* a tinfoil hat crowd.  It's called "security in depth" and
> "least privilege." The local ADAM instance provides the necessary
> functionality to the edge role server, thus reducing some of the REAL threats
> and the perceived benefit of making it a domain member. Exchange Edge doesn't
> "support" WG membership, it is specifically designed to provide that
> functionality based on "real world" issues that are present in true
> enterprise topologies.
> 
> Do whatever you want to do to suit your needs, but don't call people who have
> to consider the security ramifications of infrastructure designs beyond "mom
> and pop" as "tinfoil hat crowd."  It's insulting.
> 
> t
> 
> 
> 
> -----Original Message-----
> From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> Sent: Sunday, August 16, 2009 7:32 AM
> To: ISA Mailing List
> Subject: [isalist] Re: New Articles on Tales
> 
> There is no "always" or "never" to either of them. It's situational and
> requires that the deployment team perform their own threat modeling.
> Exchange supports placing the edge role on a WG server to appease the "no
> domain members at the edge" tinfoil hat crowd, but when you combine it with
> TMG, the attack surface and thus the perceived threat of having the Exch edge
> role as a domain member is greatly reduced; even over that offered by Windows
> Firewall policies.
> 
> Jim
> 
> -----Original Message-----
> From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Han Valk
> Sent: Saturday, August 15, 2009 11:54 PM
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] Re: New Articles on Tales
> 
> As far as I know Exchange Edge is to be installed on a workgroup server while
> TMG does its best job when domain joined. So this is a bit of a contradiction
> to me. I would love to see guidance from Microsoft on that. Maybe this can be
> added to the Q&A in Understanding Email Protection on TMG.
> 
> Han.
> 
> 
> > -----Original Message-----
> > From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
> > On Behalf Of Jim Harrison
> > Sent: Sunday, August 16, 2009 00:35
> > To: isalist@xxxxxxxxxxxxx
> > Subject: [isalist] New Articles on Tales
> >
> > http://blogs.technet.com/isablog/archive/2009/08/15/new-tales-from-the-edge-articles.aspx
> 
> ------------------------------------------------------
> List Archives: //www.freelists.org/archives/isalist/
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server Articles and Tutorials: 
> http://www.isaserver.org/articles_tutorials/
> ISA Server Blogs: http://blogs.isaserver.org/
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites:
> http://www.techgenix.com
> ------------------------------------------------------
> To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
> Report abuse to listadmin@xxxxxxxxxxxxx