Well, the ISA 2004 firewall service is now running under the limited "nt authority\NetworkService" account, as opposed to Local System in ISA 2000, so there are/have been concerns... Sometimes security planning is about imagining the unimaginable, visualizing things for which you don't yet have a proof of concept, as hacking is about laying things out in a way they were never thought of.

-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
Sent: Tuesday, December 21, 2004 12:28 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: isa 2004 authenticated

http://www.ISAserver.org

Hi Yossi,

I hear this type of reasoning from security "wonks" all the time. "For security reasons" means nothing. That's why I ask for specific, exact, reproducible and replicable reasons for not making the ISA firewall a member of the domain.

If someone breaks into the firewall to the extent where they can leverage the ISA firewall's domain membership to launch an attack, then what advantage will they have if the firewall is not a member of the domain? If your firewall is "owned" to that extent, then whether the machine is a domain member is immaterial. That's how I see it.

However, if there are specific, reproducible reasons that I can demonstrate in my own lab (and the scenarios can't be based on gross misconfiguration, which again is a security issue regardless of whether the ISA firewall is a member of the domain), then I'll change my position on this.

To this point in time, and I've button-holed a lot of security wankers on this, no one has been able to demonstrate why the ISA firewall as a domain member is a security issue, other than saying "it's a security issue". I was one of those wanks myself at one time, but someone asked me to demonstrate the security issue. I couldn't demonstrate it, which made me rethink the issue and realize the security benefits of making the ISA firewall a member of the domain far outweigh the theoretical and perhaps fantastical reasons for not making the ISA firewall a domain member.

HTH,
Tom
www.isaserver.org/shinder
Tom and Deb Shinder's Configuring ISA Server 2004
http://tinyurl.com/3xqb7
MVP -- ISA Firewalls