RE: Updates from the Least Privilege Front

• From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
• To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
• Date: Mon, 5 Dec 2005 21:52:20 -0600

Whoa. Interesting stuff.

So, the dreaded CIFS and RPC are only required for Exchange Management
console? That would indeed be sweet. 

And FE POP3 and IMAP4 works too? ;)

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://spaces.msn.com/members/drisa/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls
**Who is John Galt?**

 

> -----Original Message-----
> From: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx] 
> Sent: Monday, December 05, 2005 9:37 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] Updates from the Least Privilege Front
> 
> http://www.ISAserver.org
> 
> Just in case I forget (since we have been discussing FE 
> Exchange Servers in 
> a DMZ Segment) here is the skinny on the least privilege 
> rules required to 
> support the functionality outlined in Shinder's List.
> 
> A Front End Exchange Server must verify a remote user's logon 
> request, 
> authenticate the local OWA access request in AD (based on 
> NTFS perms), look 
> up the Exchange Server hosting the user's mailbox in AD 
> (global catalog), 
> forward the user's credentials to the Back End Exchange 
> Server required to 
> log on to the BE on behalf of the user, and to finally proxy 
> the web-based 
> data to the end user.  You also must be able to log into the 
> FE server to 
> administer the box, obviously.
> 
> The protocol list required for all of this functionality is 
> as follows:
> From the OWA FE server in the DMZ Segment to the Domain Controllers--
> DNS
> Kerberos-Sec (UDP)
> LDAP
> LDAP (UDP)
> LDAP (Global Catalog)
> Ping (Not required, but helpful)
> Microsoft CIFS (TCP)
> RPC (All Interfaces)
> 
> From the OWA FE server to all BE servers, you must allow:
> HTTP
> 
> Note that all manner of NBT traffic requests were attempted, 
> but these are 
> apparently not required when the other protocols are allowed.
> 
> Now, one may be tempted to have a single rule for DC authentication 
> containing these rules, and a single HTTP rule from the FE to 
> all BE servers 
> on the Internal Network, but that is not how I recommend 
> doing it in a 
> "least privilege" environment.
> 
> I have a problem with allowing CIFS and RPC from a DMZ asset 
> to my internal 
> Domain Controllers.  I also like peanut butter rolled up in a 
> slice of 
> Bologna-- I call it a "trailer park crepe."  But I digress.
> 
> In my tests, CIFS and RPC were only necessary for console 
> logon to the FE 
> asset.  If you were logged out of the FE server yet remotely 
> accessed the FE 
> facilities via OWA, CIFS and RPC were *not* required.  If the 
> FE thinks it 
> has CIFS and RPC, it will use it for FE functions (in my 
> tests).  But if you 
> do not allow it, LDAP, Kerberos-Sec to the DC's and HTTP to 
> the BE's will 
> ultimately be used.  The first time a user does this, it 
> takes a bit for the 
> auth to complete, but after that, it's superfly.
> 
> Given that, I have decided to separate auth into 2 rule sets:
> One from the FE server to the DC's with all the above minus 
> CIFS and RPC, 
> and one from the FE server to the DC's with CIFS and RPC.  
> The trick is to 
> disable the second auth rule until you need to log on the to 
> console of the 
> FE server.  This way, you allow full OWA functionality 
> without having to 
> have evil CIFS and RPC open from that DMZ segment into your Internal 
> network.
> 
> More later.
> 
> t
> 
> 
> 
> 
> 
> 
> 
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites:
> http://www.techgenix.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion 
> List as: tshinder@xxxxxxxxxxxxxxxxxx
> To unsubscribe visit 
> http://www.webelists.com/cgi/lyris.pl?enter=isalist
> Report abuse to listadmin@xxxxxxxxxxxxx
> 
> 

Other related posts:

• » Updates from the Least Privilege Front
• » RE: Updates from the Least Privilege Front
• » RE: Updates from the Least Privilege Front
• » RE: Updates from the Least Privilege Front
• » RE: Updates from the Least Privilege Front
• » RE: Updates from the Least Privilege Front
• » RE: Updates from the Least Privilege Front
• » RE: Updates from the Least Privilege Front
• » RE: Updates from the Least Privilege Front
• » RE: Updates from the Least Privilege Front
• » RE: Updates from the Least Privilege Front
• » RE: Updates from the Least Privilege Front
• » RE: Updates from the Least Privilege Front
• » RE: Updates from the Least Privilege Front
• » RE: Updates from the Least Privilege Front
• » RE: Updates from the Least Privilege Front
• » RE: Updates from the Least Privilege Front
• » RE: Updates from the Least Privilege Front
• » RE: Updates from the Least Privilege Front
• » RE: Updates from the Least Privilege Front
• » RE: Updates from the Least Privilege Front
• » RE: Updates from the Least Privilege Front
• » RE: Updates from the Least Privilege Front
• » RE: Updates from the Least Privilege Front
• » RE: Updates from the Least Privilege Front
• » RE: Updates from the Least Privilege Front
• » RE: Updates from the Least Privilege Front
• » RE: Updates from the Least Privilege Front
• » RE: Updates from the Least Privilege Front

1. Home
2. isalist
3. Archive
4. 12-2005

---

• » Previous by Date
• » Next by Date
• » Related Posts
• » View list details
• » Manage your subscription

---