RE: Updates from the Least Privilege Front

  • From: "Thor \(Hammer of God\)" <thor@xxxxxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Mon, 5 Dec 2005 19:56:48 -0800

Only Greg uses POP3 and IMAP4 ;)

----- Original Message ----- From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Monday, December 05, 2005 7:52 PM
Subject: [isalist] RE: Updates from the Least Privilege Front



http://www.ISAserver.org

Whoa. Interesting stuff.

So, the dreaded CIFS and RPC are only required for Exchange Management console? That would indeed be sweet.

And FE POP3 and IMAP4 works too? ;)

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://spaces.msn.com/members/drisa/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls
**Who is John Galt?**



-----Original Message-----
From: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx]
Sent: Monday, December 05, 2005 9:37 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] Updates from the Least Privilege Front

http://www.ISAserver.org

Just in case I forget (since we have been discussing FE Exchange Servers in a DMZ Segment) here is the skinny on the least privilege rules required to support the functionality outlined in Shinder's List.

A Front End Exchange Server must verify a remote user's logon request, authenticate the local OWA access request in AD (based on NTFS perms), look up the Exchange Server hosting the user's mailbox in AD (global catalog), forward the user's credentials to the Back End Exchange Server required to log on to the BE on behalf of the user, and to finally proxy the web-based data to the end user.  You also must be able to log into the FE server to administer the box, obviously.

The protocol list required for all of this functionality is as follows:
From the OWA FE server in the DMZ Segment to the Domain Controllers--
DNS
Kerberos-Sec (UDP)
LDAP
LDAP (UDP)
LDAP (Global Catalog)
Ping (Not required, but helpful)
Microsoft CIFS (TCP)
RPC (All Interfaces)

From the OWA FE server to all BE servers, you must allow:
HTTP

Note that all manner of NBT traffic requests were attempted, but these are apparently not required when the other protocols are allowed.

Now, one may be tempted to have a single rule for DC authentication containing these rules, and a single HTTP rule from the FE to all BE servers on the Internal Network, but that is not how I recommend doing it in a "least privilege" environment.

I have a problem with allowing CIFS and RPC from a DMZ asset to my internal Domain Controllers.  I also like peanut butter rolled up in a slice of Bologna-- I call it a "trailer park crepe."  But I digress.

In my tests, CIFS and RPC were only necessary for console logon to the FE asset.  If you were logged out of the FE server yet remotely accessed the FE facilities via OWA, CIFS and RPC were *not* required.  If the FE thinks it has CIFS and RPC, it will use it for FE functions (in my tests).  But if you do not allow it, LDAP, Kerberos-Sec to the DCs and HTTP to the BEs will ultimately be used.  The first time a user does this, it takes a bit for the auth to complete, but after that, it's superfly.

Given that, I have decided to separate auth into 2 rule sets: One from the FE server to the DCs with all the above minus CIFS and RPC, and one from the FE server to the DCs with CIFS and RPC.  The trick is to disable the second auth rule until you need to log on to the console of the FE server.  This way, you allow full OWA functionality without having to have evil CIFS and RPC open from that DMZ segment into your Internal network.

More later.

t
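The two-rule-set approach described in the message above, modelled as an added example (not code from the list thread, and not ISA Server's own API): a toy policy table with the base FE-to-DC rule, the CIFS/RPC console-logon rule kept disabled, and a context manager that re-disables it when the admin session ends so the DMZ-to-internal exposure does not quietly stay open. Rule names, the "OWA-FE"/"DCs"/"BEs" labels and the enabled flag are assumptions.

```python
from contextlib import contextmanager

# Constructed rule table modelled on the protocol list in the message above.
# Rule names, source/destination labels and the "enabled" flag are assumptions
# standing in for an ISA firewall policy; this is not ISA's own API.
RULES = {
    "FE->DC auth (base)": {
        "enabled": True, "src": "OWA-FE", "dst": "DCs",
        "protocols": {"DNS", "Kerberos-Sec (UDP)", "LDAP", "LDAP (UDP)",
                      "LDAP (Global Catalog)", "Ping"},
    },
    "FE->DC console logon (CIFS/RPC)": {   # disabled until an admin needs it
        "enabled": False, "src": "OWA-FE", "dst": "DCs",
        "protocols": {"Microsoft CIFS (TCP)", "RPC (All Interfaces)"},
    },
    "FE->BE OWA proxy": {
        "enabled": True, "src": "OWA-FE", "dst": "BEs",
        "protocols": {"HTTP"},
    },
}

def allowed(src, dst, proto, rules=RULES):
    """Name of the first enabled rule that permits the flow, or None (implicit deny)."""
    for name, r in rules.items():
        if r["enabled"] and r["src"] == src and r["dst"] == dst and proto in r["protocols"]:
            return name
    return None

def exposed_protocols(rules=RULES, src="OWA-FE", dst="DCs"):
    """Everything currently open from src to dst, i.e. what a compromised FE could reach."""
    return {p for r in rules.values()
            if r["enabled"] and r["src"] == src and r["dst"] == dst
            for p in r["protocols"]}

@contextmanager
def console_logon_window(rules=RULES, rule="FE->DC console logon (CIFS/RPC)"):
    """Enable the CIFS/RPC rule only while an admin logs on to the FE console,
    and always disable it again afterwards, even if the logon step fails."""
    rules[rule]["enabled"] = True
    try:
        yield
    finally:
        rules[rule]["enabled"] = False

def console_logon_check(proto, rules=RULES):
    """Report whether proto is allowed FE->DC during a logon window and after it closes."""
    with console_logon_window(rules):
        inside = allowed("OWA-FE", "DCs", proto, rules) is not None
    return inside, allowed("OWA-FE", "DCs", proto, rules) is not None
```

With the console rule disabled, `exposed_protocols()` shows only the LDAP/Kerberos/DNS set the OWA path actually needs; the CIFS and RPC entries appear only inside the window.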
------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion
List as: tshinder@xxxxxxxxxxxxxxxxxx
To unsubscribe visit
http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx


