Hi,

I'm doing some work for a company that has an MS network where their
firewall is a Cisco 800 device. The company public website sits on a server
that is also a windows 2000 domain controller and the exchange 2000 server
for the internal domain. There is a security need to keep internal patent
documents secure (they reside on a file server on the internal domain not
accessible directly by the public).

I know the configuration has security issues and want to address those,
especially as Exchange is going to be upgraded to 2003 and it's not
recommended it be on a DC. The hard part is I need good reasons for
management to accept that change is required. Can someone point me in the
direction of some white papers or articles on potential issues we could
encounter with the current design?

Any help would be greatly appreciated.

Thanks
Peter

Re: Network Security by Lanwench

Lanwench
Wed Nov 22 09:10:32 CST 2006

In news:E96624F6-709F-4565-9F47-0E801A5E314E@microsoft.com,
Peter Haase <PeterHaase@discussions.microsoft.com> typed:
> Hi,
>
> I'm doing some work for a company that has an MS network where their
> firewall is a Cisco 800 device. The company public website sits on a
> server that is also a windows 2000 domain controller and the exchange
> 2000 server for the internal domain. There is a security need to keep
> internal patent documents secure (they reside on a file server on the
> internal domain not accessible directly by the public).
>
> I know the configuration has security issues and want to address
> those, especially as Exchange is going to be upgraded to 2003 and
> it's not recommended it be on a DC. The hard part is I need good
> reasons for management to accept that change is required. Can someone
> point me in the direction of some white papers or articles on
> potential issues we could encounter with the current design?
>
> Any help would be greatly appreciated.
>
> Thanks
> Peter

OK - so, you probably know all this, and your management doesn't. It's hard
for me to think of official documentation outlining exactly *why* this is an
incredibly stupid thing to do, because, well, it seems a bit obvious - kind
of like asking "How do I keep my apartment from being robbed, while
still leaving my door unlocked?"

Attacks on port 80 are commonplace, and even with a fully patched Windows
box you're seriously asking for trouble, especially in versions prior to
2003. (I don't even allow Internet access to OWA unless I force SSL on it.)
Exposing your domain controllers, Exchange servers, even regular file/print
servers, to the Internet like this is foolhardy - one hack/exploit, and
you're toast.

A web server should do nothing else - and it should not be on your
company's LAN at all, but on an isolated network. [Heck, maybe it shouldn't
even be a Windows or IIS box.]

If your company doesn't have the infrastructure or budget to properly host
the website themselves even in a DMZ (which seems possible given the
configuration they've got now), they should look into third party webhosting
services, as these have become incredibly affordable. A good hosting company
has racks of servers in a datacenter with redundant Internet connectivity,
power conditioning, monitoring, and so forth....and they can afford to
provide service to a lot of companies at a reasonable price due to volume.

I'd want to ask your management why they think it's a good idea to maintain
the current configuration, and make *them* justify it - especially given
that they've acknowledged that their data is incredibly sensitive.



[Note that Exchange really shouldn't be installed on a DC at all, in *any*
version - although it can work that way. Just never ever ever run dcpromo
on a box already running Exchange, to promote or demote it. ]




Re: Network Security by Ian

Ian
Wed Nov 22 11:01:02 CST 2006

If you want to host a website internally, then Linux/Apache is the sensible
answer. Even then it's one of the higher-risk activities, and so should be
in a DMZ.



Re: Network Security by Bogwitch

Bogwitch
Wed Nov 22 11:14:39 CST 2006


"Ian" <Ian@discussions.microsoft.com> wrote in message
news:FA3882F7-E157-4B61-83EB-D6E248DB4BB8@microsoft.com...
> If you want to host a website internally, then Linux/Apache is the
> sensible answer. Even then it's one of the higher-risk activities, and so
> should be in a DMZ.

Ian,

Let me start by saying I am in no way a Microsoft evangelist.

Whilst I understand your recommendation of Linux/Apache, it is not
always the best choice. If the in-house IT team have no experience of
using Linux, the chances that the system will soon become an unpatched,
festering pile of dung, to be rooted by the next script-kiddie, are
fairly high.

Corporate IT skills still tend to be largely Microsoft biased and a
patched Microsoft box will be more secure than an unpatched Linux box.

Bogwitch.

PS. If security is your aim, wouldn't a variant of BSD be better than
Linux?



Re: Network Security by Ian

Ian
Thu Nov 23 03:48:02 CST 2006


"Bogwitch" wrote:

> Corporate IT skills still tend to be largely Microsoft biased and a
> patched Microsoft box will be more secure than an unpatched Linux box.

That is a point, though IMLI getting Linux webservers to work is actually
much easier than getting Windows webservers to work, especially when it comes
to database backends, etc. And I'm no linux guru.

>
> PS. If security is your aim, wouldn't a variant of BSD be better than
> Linux?

Yes.

The main point with any webserver is to regard its data as
expendable in the event of it being compromised. (Think: Backup) That, and to
ensure that it has no file-sharing or RPC/DCOM access to other computers, so
that if compromised it cannot be used as a means to attack the LAN.
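
The isolation requirement in the post above can be checked against a firewall ruleset. The following is an added example, not part of the thread: the rule format, the addresses and the function names are constructed for illustration, and rules are assumed to apply to both TCP and UDP with first-match semantics.

```python
import ipaddress

# Ports behind Windows file sharing and RPC/DCOM: 135 is the RPC endpoint
# mapper, 137-139 are NetBIOS, 445 is SMB.
LATERAL_PORTS = {135, 137, 138, 139, 445}

# Constructed sample ruleset, first match wins: "action source destination ports".
SAMPLE_RULES = [
    "permit 192.0.2.10 10.0.0.5 1433",       # web server to its database only
    "deny   192.0.2.10 10.0.0.8 445",        # protects a single LAN host
    "deny   192.0.2.10 10.0.0.0/24 135-139",
    "permit 192.0.2.10 any any",             # catch-all that still leaks SMB
]

def parse_rule(line):
    """Parse one rule in the constructed format above (not a vendor syntax)."""
    action, src, dst, ports = line.split()
    if ports == "any":
        lo, hi = 0, 65535
    else:
        lo, _, hi = ports.partition("-")
        lo, hi = int(lo), int(hi or lo)
    def net(s):
        return ipaddress.ip_network("0.0.0.0/0" if s == "any" else s)
    return action, net(src), net(dst), (lo, hi), " ".join(line.split())

def lateral_exposure(rule_lines, web_server, lan):
    """Return (rule, ports) for permits that let web_server reach the LAN on LATERAL_PORTS."""
    web, lan = ipaddress.ip_network(web_server), ipaddress.ip_network(lan)
    decided, findings = set(), []
    for action, src, dst, (lo, hi), text in map(parse_rule, rule_lines):
        if not (src.overlaps(web) and dst.overlaps(lan)):
            continue
        # Ports this rule matches that no earlier LAN-wide rule already settled.
        hit = {p for p in LATERAL_PORTS if lo <= p <= hi} - decided
        if action == "permit" and hit:
            findings.append((text, sorted(hit)))
        if lan.subnet_of(dst):  # a rule for part of the LAN leaves other hosts undecided
            decided |= hit
    return findings

if __name__ == "__main__":
    for rule, ports in lateral_exposure(SAMPLE_RULES, "192.0.2.10", "10.0.0.0/24"):
        print(f"web server can reach LAN ports {ports} via: {rule}")
```

In the sample, the deny for a single host does not cover the rest of the LAN, so the catch-all permit is reported for port 445; a LAN-wide deny for 445 placed before it clears the finding.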



Re: Network Security by Roger

Roger
Wed Nov 22 22:52:30 CST 2006

"Peter Haase" <PeterHaase@discussions.microsoft.com> wrote in message
news:E96624F6-709F-4565-9F47-0E801A5E314E@microsoft.com...
> Hi,
>
Hello

> I'm doing some work for a company that has an MS network where their
> firewall is a Cisco 800 device. The company public website sits on a
> server
> that is also a windows 2000 domain controller and the exchange 2000 server

ouch !

> for the internal domain.

one could argue whether there is an internal or just a perimeter/edge
domain.

> There is a security need to keep internal patent
> documents secure (they reside on a file server on the internal domain not
> accessible directly by the public).
>

well, at least there is a server other than just the dc . . .

ps.
the juxtaposition of terms is arguably optimistic in
> . . . internal domain not accessible directly by the public).

> I know the configuration has security issues and want to address those,

:-)

> especially as Exchange is going to be upgraded to 2003 and it's not
> recommended it be on a DC. The hard part is I need good reasons for
> management to accept that change is required. Can someone point me in the

have you asked them whether they want an internal domain? (doh - :) seems
overly simple to state)

> direction of some white papers or articles on potential issues we could
> encounter with the current design?
>

find some dmz or screened network designs in basic block diagram,
you know, little storage boxes in the couple regions separated from
the cloud - then ask: you want to store your jewels here (boxes along
the edge) or in here (screened internal boxes).

I don't mean to sound pedantic. Others so far seem also hard-pressed
to point to a doc, rather than a body of practices. Perhaps this is as
it's such a basic first step. To separate them from us, external from
internal, one draws a line with technologies. One uses the newly
separated internal. One does not merely use the line.

> Any help would be greatly appreciated.
>
Sorry for the lack of a link, but you are welcome to forward this :)

Roger