RE: Updates from the Least Privilege Front

  • From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Mon, 5 Dec 2005 21:54:32 -0600

Not to be the one to put an ice cube in your boxers, but remember your
RPC/HTTP proxy goes on the FE. :)

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://spaces.msn.com/members/drisa/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls
**Who is John Galt?**

 

> -----Original Message-----
> From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx] 
> Sent: Monday, December 05, 2005 9:52 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Updates from the Least Privilege Front
> 
> http://www.ISAserver.org
> 
> Whoa. Interesting stuff.
> 
> So, the dreaded CIFS and RPC are only required for Exchange Management
> console? That would indeed be sweet. 
> 
> And FE POP3 and IMAP4 work too? ;)
> 
> Thomas W Shinder, M.D.
> Site: www.isaserver.org
> Blog: http://spaces.msn.com/members/drisa/
> Book: http://tinyurl.com/3xqb7
> MVP -- ISA Firewalls
> **Who is John Galt?**
> 
>  
> 
> > -----Original Message-----
> > From: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx] 
> > Sent: Monday, December 05, 2005 9:37 PM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] Updates from the Least Privilege Front
> > 
> > http://www.ISAserver.org
> > 
> > Just in case I forget (since we have been discussing FE Exchange Servers in a DMZ Segment) here is the skinny on the least privilege rules required to support the functionality outlined in Shinder's List.
> > 
> > A Front End Exchange Server must verify a remote user's logon request, authenticate the local OWA access request in AD (based on NTFS perms), look up the Exchange Server hosting the user's mailbox in AD (global catalog), forward the user's credentials to the Back End Exchange Server required to log on to the BE on behalf of the user, and to finally proxy the web-based data to the end user.  You also must be able to log into the FE server to administer the box, obviously.
> > 
> > The protocol list required for all of this functionality is as follows:
> > From the OWA FE server in the DMZ Segment to the Domain Controllers--
> > DNS
> > Kerberos-Sec (UDP)
> > LDAP
> > LDAP (UDP)
> > LDAP (Global Catalog)
> > Ping (Not required, but helpful)
> > Microsoft CIFS (TCP)
> > RPC (All Interfaces)
> > 
> > From the OWA FE server to all BE servers, you must allow:
> > HTTP
> > 
> > Note that all manner of NBT traffic requests were attempted, but these are apparently not required when the other protocols are allowed.
> > 
> > Now, one may be tempted to have a single rule for DC authentication containing these rules, and a single HTTP rule from the FE to all BE servers on the Internal Network, but that is not how I recommend doing it in a "least privilege" environment.
> > 
> > I have a problem with allowing CIFS and RPC from a DMZ asset to my internal Domain Controllers.  I also like peanut butter rolled up in a slice of Bologna-- I call it a "trailer park crepe."  But I digress.
> > 
> > In my tests, CIFS and RPC were only necessary for console logon to the FE asset.  If you were logged out of the FE server yet remotely accessed the FE facilities via OWA, CIFS and RPC were *not* required.  If the FE thinks it has CIFS and RPC, it will use it for FE functions (in my tests).  But if you do not allow it, LDAP, Kerberos-Sec to the DC's and HTTP to the BE's will ultimately be used.  The first time a user does this, it takes a bit for the auth to complete, but after that, it's superfly.
> > 
> > Given that, I have decided to separate auth into 2 rule sets:
> > One from the FE server to the DC's with all the above minus CIFS and RPC, and one from the FE server to the DC's with CIFS and RPC.  The trick is to disable the second auth rule until you need to log on to the console of the FE server.  This way, you allow full OWA functionality without having to have evil CIFS and RPC open from that DMZ segment into your Internal network.
> > 
> > More later.
> > 
> > t
> > 
> > ------------------------------------------------------
> > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> > ------------------------------------------------------
> > Visit TechGenix.com for more information about our other sites:
> > http://www.techgenix.com
> > ------------------------------------------------------
> > You are currently subscribed to this ISAserver.org Discussion 
> > List as: tshinder@xxxxxxxxxxxxxxxxxx
> > To unsubscribe visit 
> > http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > Report abuse to listadmin@xxxxxxxxxxxxx
> > 
> > 
> 

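The two-rule-set layout Thor describes (OWA auth rule always on, CIFS/RPC rule disabled until console logon is needed) lends itself to a small policy model, so the effect of toggling the second rule can be checked rather than eyeballed. The following is an added example, not code from the thread or from ISA Server: it is a first-match, default-deny evaluator using the protocol names from the post, with assumed zone names ("dmz-fe", "internal-dc", "internal-be") and assumed rule names. Ping is kept in the OWA set only because the post lists it as helpful.

```python
"""Model of the split FE-to-DC rule sets from the thread (added example, not ISA Server code)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One connection attempt: source zone, destination zone, protocol name as used in the post."""
    src: str
    dst: str
    protocol: str


@dataclass
class Rule:
    """An allow rule. Only an *enabled* rule can match; anything unmatched is denied."""
    name: str
    src: str
    dst: str
    protocols: frozenset
    enabled: bool = True

    def matches(self, flow: Flow) -> bool:
        return (self.enabled and flow.src == self.src
                and flow.dst == self.dst and flow.protocol in self.protocols)


class Policy:
    """Default-deny policy: a flow is allowed if any enabled rule matches it."""

    def __init__(self, rules):
        self.rules = {r.name: r for r in rules}

    def allows(self, flow: Flow) -> bool:
        return any(r.matches(flow) for r in self.rules.values())

    def set_enabled(self, name: str, enabled: bool) -> None:
        self.rules[name].enabled = enabled


# Protocol lists as given in the post (zone and rule names below are assumptions).
DC_OWA_PROTOCOLS = frozenset({
    "DNS", "Kerberos-Sec (UDP)", "LDAP", "LDAP (UDP)",
    "LDAP (Global Catalog)", "Ping",
})
DC_CONSOLE_PROTOCOLS = frozenset({"Microsoft CIFS (TCP)", "RPC (All Interfaces)"})
BE_PROTOCOLS = frozenset({"HTTP"})


def build_policy() -> Policy:
    """The split layout: OWA auth rule always on, console-logon rule off until needed."""
    return Policy([
        Rule("fe-to-dc-owa", "dmz-fe", "internal-dc", DC_OWA_PROTOCOLS),
        Rule("fe-to-dc-console", "dmz-fe", "internal-dc", DC_CONSOLE_PROTOCOLS, enabled=False),
        Rule("fe-to-be-http", "dmz-fe", "internal-be", BE_PROTOCOLS),
    ])


def owa_flows():
    """Flows a remote OWA logon needs per the post: DC protocols minus CIFS/RPC, plus HTTP to the BE."""
    return ([Flow("dmz-fe", "internal-dc", p) for p in DC_OWA_PROTOCOLS]
            + [Flow("dmz-fe", "internal-be", "HTTP")])


def owa_works(policy: Policy) -> bool:
    """True when every flow OWA needs is permitted by the policy."""
    return all(policy.allows(f) for f in owa_flows())


def console_protocols_exposed(policy: Policy) -> set:
    """Audit check: CIFS/RPC protocols currently open from the DMZ FE into either internal zone."""
    return {p for p in DC_CONSOLE_PROTOCOLS
            for dst in ("internal-dc", "internal-be")
            if policy.allows(Flow("dmz-fe", dst, p))}


if __name__ == "__main__":
    policy = build_policy()
    print("OWA works with console rule off:", owa_works(policy))
    print("CIFS/RPC exposed:", console_protocols_exposed(policy))
    policy.set_enabled("fe-to-dc-console", True)   # operator needs console logon on the FE
    print("CIFS/RPC exposed during logon:", console_protocols_exposed(policy))
    policy.set_enabled("fe-to-dc-console", False)  # and disables the rule again afterwards
    print("CIFS/RPC exposed afterwards:", console_protocols_exposed(policy))
```

The `console_protocols_exposed` check is the part worth keeping around: run it after any change to the rule base, and a non-empty result means the console-logon rule was left enabled, which is exactly the state the split is meant to avoid.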