"Reverse" proxy available. Any need to put web servers in DMZ ?

TheMSsForum.com: The Microsoft Software Forum

The MSS Forum ‹ Security
- Archive
  - Biz
  - MCSE
  - CRM
  - Drivers
  - Framework
  - ADO
  - ASP
  - Compact
  - Forms
  - Dotnet
  - C#
  - VB
  - FontpageGen
  - Excel
  - WorkSheet
  - Exchange
  - Setup
  - Fox
  - Fontpage
  - ASP
  - IIS
  - Entourage
  - Money
  - Messanger
  - PocketPC
  - Powerpoint
  - Project
  - Publisher
  - Excel
  - VB
  - Security
  - Portal
  - Services
  - SQLServerDev
  - SVCS
  - SQLServer
  - VB
  - VC
  - MFC
  - ExcelGen

- Previous
  - 1
    - Automatically updated? I am running XP2 (Home) with SP2. I have my automatic updates set to download and update automatically. Is this something I should do, or should I have it set to download then notify me to update? The only problem I have with setting it as fully automated is that I don't know how to tell if all the latest updates have in fact been installed, such as the monthly updates. Can someone advise? Thanks! Tag: "Reverse" proxy available. Any need to put web servers in DMZ ? Tag: 72687
  - 2
    - windows media player 9 when I play music with windows media player 9 (I prefer this edition) after about 10 seconds the slider bar on the bottom and the visualizations freeze for about 10 seconds then carry on, sometimes it happens again during the rest of play. I have done a factory refresh, no different also reinstalled W,M,P still no different, is there something wrong with W,M,P or the hardware? Tag: "Reverse" proxy available. Any need to put web servers in DMZ ? Tag: 72685
  - 3
    - New MSSecure.XML Version 2005.06.15.0 Now Available MSSECURE.XML Data Version 2005.06.15.0 (for use by MBSA 1.2 and SMS SUS Feature Pack) was last modified yesterday, June 15, 2005, and is now available for all supported languages (English, French, German and Japanese). Today's release contains NO NEW BULLETINS - but fixes the following data error: MSXML 3.0 incorrectly reporting SP7 as the latest service pack. MSXML 3.0 SP5 is the latest publicly available MSXML 3.0 service pack, although SP7 can be installed on Windows 2000 platforms when SQL Server 2000 SP4 is installed, and can be found on Windows Server 2003 machines. MSXML 3.0 SP7 is not available as a separate download at this time. -- Doug Neal [MSFT] dugn@online.microsoft.com This posting is provided "AS IS" with no warranties, and confers no rights. If newsgroup discussion with experts and MVPs is unable to solve a problem to your satisfaction, feel free to contact PSS for support on the Microsoft Baseline Security Analyzer (MBSA). Information is available at the following link: http://support.microsoft.com/default.aspx This e-mail address does not receive e-mail, but is used for newsgroup postings only. Tag: "Reverse" proxy available. Any need to put web servers in DMZ ? Tag: 72682
  - 4
    - Dicussion on where RADIUS server should be All network diagrams I've seen so far indicates that a RADIUS server (Windows IAS, ACS, or whatever) should be placed in the 'internal' network and establish communications with DC's there. Then if an external user attempts to connect via VPN (DMZ), then I would allow only the ports necessary from the VPN concentrator to the RADIUS server and pre-authenticate users at that point. I have a security guy fellow here that tells me that the RADIUS server should be placed in the "DMZ" instead. Does this make sense at all ? Tag: "Reverse" proxy available. Any need to put web servers in DMZ ? Tag: 72681
  - 5
    - Win32 security limitations: why? Hi, Trying to spawn a process from an impersonated client from within IIS-ASP I came across some (in my opinion) weird behaviour. 1) CreateProcess and ShellExecute both create the new process using the current process-token, yielding in a process running under the IWAM_xxx account. This happens even if the client was an anonymous user! I just don't understand this behaviour. Other operating systems I know will spawn the process from the *current* security context, so under the imporsonated client. Doing it on the MS-way enables anonymous users to create process with a higher security level. Thats a major security risk! Or not? Can someone put some light on it, or point me to more detailed information about why MS implemented security the way thay did? 2) Its even impossible with CreateProcessAsUser() to create the process under the imporsonated account because the SeAssignPrimaryTokenPrivilege must be held (and by default nobody does...) 3) I also needed to load the user hive, so I tried LoadUserProfile(). Also this API needed a privilege: the SeRestorePrivilege. Since the imporsonated user is a "normal" user, it didn't held this privilege, so the account couldn't load its own profile! Why is that? I understand that loading another user's profile is a security risk, but loading your own profile is definitly not. I would like to understand more about the why's. Please help. Thanks a lot. Peter Tag: "Reverse" proxy available. Any need to put web servers in DMZ ? Tag: 72675
  - 6
    - Data decryption EFS Well World here's my problem: I have some very important encrypted data (EFS) that I need to decrypt from my previous system (WinXP Pro). I also have the following files from previous system: C:\Documents and Settings\dorde\Application Data\Microsoft\Crypto\RSA\* ...\SystemCertificates\My\Certificates\* ...\SystemCertificates\My\Keys\* but I don't have, so called, "Master Key". I know all passwords from previous system. So, is there anything I can do? Please, Thanks Tag: "Reverse" proxy available. Any need to put web servers in DMZ ? Tag: 72674
  - 7
    - Visited site history When I click on the address line and type www. and then a letter, several addresses show up that I have not visited. They do not appear in the history when I click on the down arrow. Where are these sites coming from? Are they attached to another site I'm visiting? Or is someone else in my house trying to go to sites they don't want me to know about? Thanks for the help! Tag: "Reverse" proxy available. Any need to put web servers in DMZ ? Tag: 72670
  - 8
    - A virus, or not? I routinely ran spybot and ad-aware, in addition to my AVG virus checker and the on-line virus check with Trend Micro and RAV. None of them detected any malware. Then I installed the MS Antispyware program. It immediately found a Trojan: iteye, located in c:/windows\system32\notpad.exe . It is shown as a high threat level. Why do all these other programs not detect something as obvious as notpad.exe?? -- Walter www.rationality.net - Tag: "Reverse" proxy available. Any need to put web servers in DMZ ? Tag: 72665
  - 9
    - Determine whether an admin is viewing other users mailboxes? Hi all, I am posting this up to the security and exchange groups. Is there a way to determine whether an indivudual who has permissions to open other users mailboxes is actually doing so? For example can you view the outlook profile of the individual in question? or an event log entry? We have a possible abuse of privilege situation but are unsure as to whether this type of behavior can be verified. Any advice is appreciated. Thanks. Tag: "Reverse" proxy available. Any need to put web servers in DMZ ? Tag: 72658
  - 10
    - File Permissions are not inheriting On an SBS2003 server I have the company folder set to allow Users, Administators, System , and Owner Full control over files and directories. These permissions are set to inherit and propogate to child objects. The problem happens when a user creates a new folder from their workstation via a network share. The permissions on this new folder do not inherit chosing to give the user, and administrator control. If I go to the company folder and re-apply the "replace permissions entrons on all child objects" things are reset until the user creates another object. be it file or folder) I don't understand what is going on here as this is not a problem on any of the other servers I manage. Tag: "Reverse" proxy available. Any need to put web servers in DMZ ? Tag: 72653
  - 11
    - Security Log We are trying to log account management and some account logons through the default domain controller gp, but we are unable to get anything to show up in our security log on the pdc, even if we reset the password directly on the server. We have got this to work very easily on our test dc but have no idea why we don't get notifications on our prod dc. Any suggestions? Tag: "Reverse" proxy available. Any need to put web servers in DMZ ? Tag: 72652
  - 12
    - Auditing Whom delete an file or folder. Hi, It is possible and how to set Audit so I can log which user at which workstation delete an file or folder? Thank, S. Tag: "Reverse" proxy available. Any need to put web servers in DMZ ? Tag: 72647
  - 13
    - WInXP SP3 Why not release a SP3 for WinXP that incluldes all the latest updates? Tag: "Reverse" proxy available. Any need to put web servers in DMZ ? Tag: 72646
  - 14
    - Links If you get a link in an email or see one on the forum, what is the best way to tell if the link is safe. How are some ways to check it before clicking on it? Thanks Tag: "Reverse" proxy available. Any need to put web servers in DMZ ? Tag: 72637
  - 15
    - IUSR_WIN2K3 needs "Set Key" and "Create Subkey" permission to read I have an IIS ISAPI Extension running as the Internet Guest Account (IUSR_WIN2K3), and I'm having trouble getting it to read some registry keys. The RegOpenKeyEx() function is able to open the registry fine, but when I do a RegQueryValueEx(), it returns "5" (ERROR_ACCESS_DENIED). I've found that if I assert permissions to "Set Value" and "Create Subkeys", then I AM able to read the value (even if "Query Value" isn't allowed!). If I assert everything except "Create Subkeys", it won't work. etc, etc... I'm completely baffled by this behavior. This is a test development win2k3/IIS6 box that doesn't have any major software installed on it. Any idea what could cause this? Thanks Jason Tag: "Reverse" proxy available. Any need to put web servers in DMZ ? Tag: 72636
  - 16
    - Audit Account Management We have set under our domain group policy to audit success and failure on our account management. We had an instance of someone resetting our domain admin password and don't want it to happen again. But, even after turning on this under our default domain gp and default domain controller gp, we are not getting any messages under our security event log. Anyone have an idea that we have missed? Tag: "Reverse" proxy available. Any need to put web servers in DMZ ? Tag: 72631
  - 17
    - New MSSecure.XML Version 2005.06.14.0 Now Available MSSECURE.XML Data Version 2005.06.14.0 (for use by MBSA 1.2 and SMS SUS Feature Pack) was last modified today, June 14, 2005, and is now available for all supported languages (English, French, German and Japanese). Today's release contains 10 new bulletins, 7 of which are fully supported by MBSA. There are also 3 re-releases for previously released bulletins listed below: June Re-releases 1) MS02-035 (SQL Tool re-release) - there are no vulnerable files to identify, so there is no automated detection for this item. This will appear in MBSA as an MBSA Note Message as it did with the original release (see MS02-035 and KB306460 for details) 2) MS05-004 (ASP .Net re-release) - not supported by MBSA, but supported by February edition of the EST Tool. 3) MS05-019 (TCP re-release)- this patch replaces the original MS05-019 release. Only the patch in today's release is sufficient to resolve this vulnerability; neither the original patch nor the subsequent hot-fix are sufficient to resolve this issue. New June Bulletins 4) MS05-025 (IE Cumulative) - Supersedes MS05-020 for all matching instances (W2003 SP1 is not superseded). 5) MS05-026 (HTML Help) - Supersedes MS05-001, MS04-023 and MS03-044 in all cases; does NOT replace MS02-055 even though files appear similar due to an ACL change that is not present in future updates. 6) MS05-027 (SRV.SYS) - Supersedes MS03-024 for all instances; supersedes MS02-070 for WinXP SP1 instance only. 7) MS05-028 (Web Client) 8) MS05-029 (Exchange 5.5) - Support for all Exchange 5.5 SP4 instances except when Exchange OWA is configured as a standalone IIS application that links to an Exchange installation on another server. For this case, EST must be used (see below) 9) MS05-030 (Outlook Express) - not supported by MBSA. Supported by June EST tool (see below). 10) MS05-031 (MS Interactive Training) - not supported by MBSA. Supported by June EST tool (see below). 11) MS05-032 (MSAgent) 12) MS05-033 (Telnet) - Windows Telnet instances detected by MBSA. Services for UNIX instances of Telnet require June EST tool (see below) 13) MS05-034 (ISA Server 2000) - not supported by MBSA. Supported by June EST tool (see below). ---------------------------- There are a number of technical issues with today's release that may be valuable to enterprise administrators: MSXML 3.0 SP5 and SP7: For customers with MSXML 3.0 SP7 (present on Windows Server 2003 SP1 or installed with SQL Server 2000 SP4) or MSXML 3.0 SP5 - both are now considered acceptable versions for the 'latest service pack' warning in MBSA. This resolves a previous warning that reported "MSXML 3.0 SP7 is installed, SP5 is the latest available service pack for this product." MS05-012 (OLE) and KB894391: MBSA would report a 'greater than expected' warning if the post MS05-012 hot-fix was applied. This has been fixed. MS05-009 (WMP9) and KB892313: MBSA would report a 'greater than expected' warning if the post MS05-009 hot-fix was applied. This has been fixed. ---------------------------- What is the Enterprise Update Scanning Tool (EST)? As part of an ongoing commitment to provide detection tools for complex updates for bulletin-class issues that are not supported by MBSA, a stand-alone tool may be provided for certain bulletins. Microsoft will evaluate the detection and deployment complexity of each bulletin, and provide detection support based on the specifics of each release. When a detection tool is created for a specific bulletin, customers will be able to script running the tool from a command line interface, and process the results using an XML output file. Detailed documentation will be provided with the tool to ensure customers can leverage it quickly. See the following link for details http://support.microsoft.com/default.aspx?id=894193 Additional detection for the 4 bulletins (Services for UNIX instance of Telnet, Outlook Express, Interactive Training, ISA Server 2000) not fully supported by MBSA can be obtained by downloading the June edition of the Enterprise Scan Tool (EST) located at the link above. -- Doug Neal [MSFT] dugn@online.microsoft.com This posting is provided "AS IS" with no warranties, and confers no rights. If newsgroup discussion with experts and MVPs is unable to solve a problem to your satisfaction, feel free to contact PSS for support on the Microsoft Baseline Security Analyzer (MBSA). Information is available at the following link: http://support.microsoft.com/default.aspx This e-mail address does not receive e-mail, but is used for newsgroup postings only. Tag: "Reverse" proxy available. Any need to put web servers in DMZ ? Tag: 72630
  - 18
    - Microsoft Security Bulletin(s) for June 2005 Follow up set to microsoft.public.security June 14, 2005 Today Microsoft released the following Security Bulletin(s). Note: www.microsoft.com/technet/security and www.microsoft.com/security are authoritative in all matters concerning Microsoft Security Bulletins! ANY e-mail, web board or newsgroup posting (including this one) should be verified by visiting these sites for official information. Microsoft never sends security or other updates as attachments. These updates must be downloaded from the microsoft.com download center or Windows Update. See the individual bulletins for details. Because some malicious messages attempt to masquerade as official Microsoft security notices, it is recommended that you physically type the URLs into your web browser and not click on the hyperlinks provided. Bulletin Summary: http://www.microsoft.com/technet/security/Bulletin/ms05-Jun.mspx Critical Bulletins: Cumulative Security Update for Internet Explorer (883939) http://www.microsoft.com/technet/security/Bulletin/ms05-025.mspx Vulnerability in HTML Help Could Allow Remote Code Execution (896358) http://www.microsoft.com/technet/security/Bulletin/ms05-026.mspx Vulnerability in Server Message Block Could Allow Remote Code Execution (896422) http://www.microsoft.com/technet/security/Bulletin/ms05-027.mspx Important Bulletins: Vulnerability in Web Client Service Could Allow Remote Code Execution (896426) http://www.microsoft.com/technet/security/Bulletin/ms05-028.mspx Vulnerability in Outlook Web Access for Exchange Server 5.5 Could Allow Cross-Site Scripting Attacks (895179) http://www.microsoft.com/technet/security/Bulletin/ms05-029.mspx Cumulative Security Update in Outlook Express (897715) http://www.microsoft.com/technet/security/Bulletin/ms05-018.mspx Cumulative Security Update in Outlook Express (897715) http://www.microsoft.com/technet/security/Bulletin/ms05-030.mspx Vulnerability in Step-by-Step Interactive Training Could Allow Remote Code Execution (898458) http://www.microsoft.com/technet/security/Bulletin/ms05-031.mspx Moderate Bulletins: Vulnerability in Microsoft Agent Could Allow Spoofing (890046) http://www.microsoft.com/technet/security/Bulletin/ms05-032.mspx Vulnerability in Telnet Client Could Allow Information Disclosure (896428) http://www.microsoft.com/technet/security/Bulletin/ms05-033.mspx Cumulative Security Update for ISA Server 2000 (899753) http://www.microsoft.com/technet/security/Bulletin/ms05-034.mspx Re-Released Bulletins: SQL Server Installation Process May Leave Passwords on System (Q263968) http://www.microsoft.com/technet/security/Bulletin/ms02-032.mspx ASP.NET Path Validation Vulnerability (887219) http://www.microsoft.com/technet/security/Bulletin/ms05-004.mspx Vulnerability in Outlook Web Access for Exchange Server 5.5 Could Allow Cross-Site Scripting Attacks (895179) http://www.microsoft.com/technet/security/Bulletin/ms05-029.mspx This represents our regularly scheduled monthly bulletin release (second Tuesday of each month). Please note that Microsoft may release bulletins out side of this schedule if we determine the need to do so. If you have any questions regarding the patch or its implementation after reading the above listed bulletin you should contact Product Support Services in the United States at 1-866-PCSafety (1-866-727-2338). International customers should contact their local subsidiary. -- Regards, Jerry Bryant - MCSE, MCDBA Microsoft IT Communities Get Secure! www.microsoft.com/security This posting is provided "AS IS" with no warranties, and confers no rights. Tag: "Reverse" proxy available. Any need to put web servers in DMZ ? Tag: 72629
  - 19
    - AD GetObject fails in ASP page when using smartcard logon Hi, I am having problems accessing Active Directory from VBscript in an ASP web application when it is configured for smartcards using Directory Service certificate mapping. The system scenario is as follows. Server 1 - W2K3 Server as Domain Controller with Active Directory Server 2 - W2K3 Server running IIS 6.0 and Exchange 2K3 Server Client 1 - W2K3 Server as client with CAC smartcard and IE 6 IIS is configured for Directory Service mapping, SSL, "Enable client certificate mapping" and Accept Client certificate. The client uses a CAC smartcard to logon and invokes a Web application on Server 2 via IE 6. Web app on Server 2 loads ASP page using VBScript to call GetObject("LDAP://CN=client1,CN=Users,DC=SERVER1,DC=COM") on User object to retrieve user attributes. GetObject fails with Err.Number = -2147016672 (0x80072020 - ERROR_DS_OPERATIONS_ERROR) In IIS Mgr properties for web app Virtual Directory, select Security/Edit and uncheck "Enable client certificate mapping". Now the user is prompted for username and password and GetObject succeeds. Does anybody have any ideas? PS I am told that if IIS cert mapping is used instead of DS mapping, it works OK. Thanks, MikeC Tag: "Reverse" proxy available. Any need to put web servers in DMZ ? Tag: 72627
  - 20
    - It is patch day (10).... Patch your systems! Thanks Microsoft, -Im Tag: "Reverse" proxy available. Any need to put web servers in DMZ ? Tag: 72626
  - 21
    - June Patches - where are they? it's 8am PST and nothing So, it's June 14th - where are the patches? Does MS release them at a certain time - like 10am PST or something? I'm very very eager to get them today, but I don't feel like sitting here at my browser clicking links and refreshing every 10 min in some hope they released them. Would be nice if there was a specific TIME to go along w/the specific day. Tag: "Reverse" proxy available. Any need to put web servers in DMZ ? Tag: 72624
  - 22
    - Administrator password Hi, We have been told we have to change our Domain Administrator password. Is this as simple as going into A/D and reseting the password or is there more involved. Any advice would be grateful. Thx Tag: "Reverse" proxy available. Any need to put web servers in DMZ ? Tag: 72621
  - 23
    - all in one fax, copier, scanner.........safe? are there any security issues with connecting an all-in-one to a networked machine? ie- is it possible to hack into the device via the phone line and then gain access to the computer~ domain? Tag: "Reverse" proxy available. Any need to put web servers in DMZ ? Tag: 72620
  - 24
    - Compare Security config between two w2k servers Can Security Configuration and Analysis be used to compare two server's security configs? I have created a new database and a blank template file. Using these to load Security Configuration and Analysis and then Analyze Computer Now results in the Database Setting being Undefined and the Computer Setting showing the server's config. Now I want to "save/import/update" the Database Setting with the Computer Setting. Then open this database on another server to "highlight" security config differences. Many thanks Dan Tag: "Reverse" proxy available. Any need to put web servers in DMZ ? Tag: 72619
  - 25
    - Unknown file Does anybody know what this file does? C:\wj2jovma.sys? I've searched google and MS to no avail. I checked properties for the file but that was usless. I'm concerned this is a virus that has gone undetected. Thanks, --Jim -- JPB Tag: "Reverse" proxy available. Any need to put web servers in DMZ ? Tag: 72606
- Next
  - 1
    - Remote Desktop Connection Hello I am currently using "remote desktop connection", I am impressed with the speed and stability of it, but I would like to know if any one has found any serious security issues involved in useing it. Also when two people log on remotley as Administrator, does this drop the account on the machine and drop any programs running. My bussines partner and I both logged on remotley as Administrators and this caused a fatal error and caused the server to reboot. Thank you in advanced for any help offered Adrian :o) Tag: "Reverse" proxy available. Any need to put web servers in DMZ ? Tag: 72604
  - 2
    - MS document encryption I want to ensure that documents passworded by our staff are encrypted with something stronger than the 40-bit encryption provided by default. Accordingly, I have followed the advice given in the MS Office Assistance document "Import Aspects of Password and Encryption Protection" on setting the "DefaultEncryption" registry keys on my PC. Unfortunately, when I run up Word, even after a reboot, it still seems to default to 40-bit encryption, though I can select and use the stronger encryption. How can I make Word default to using the stronger encryption? Martin Taylor Tag: "Reverse" proxy available. Any need to put web servers in DMZ ? Tag: 72603
  - 3
    - Account Lockout threshold Three domain controller: one primary and two backup Member servers (joined same DC) : MServer1, MServer2 All are windows 2000 SP3 servers I want to set account policy in MServer1 and MServer2: Account Lockout duration: Not defined (original) --> 30minutes (new) Account Lockout threshold: 0 (original) --> 5 (new) invalid logon attempts Reset account lockout counter after: Not defined (original) --> 30minutes (new) In MServer, all settings were changed as I expected. However, for MServer2, in "local policy settings --> account lockout threshold", the local setting = 5, the effective setting = 0. In DC, the "Domain Controoler Security Policy", "Domain Security Policy" and "Local Security Policy", the effective setting = not defined I tried to change MServer2 account lockout threshold to 5 in "Local Sercurity Policy", "MMC-->Group policy" and "MMC-->Security Configuration and Analysis", but the effective setting is still = 0 How to set account lockout threshold to 5 in MServer2? Tag: "Reverse" proxy available. Any need to put web servers in DMZ ? Tag: 72595
  - 4
    - missing key/value in registry of w2k server - hot to track it? wi there, Recently I have a problem that the key included the value in registry had been deleted / missing but I can not find why or by who? My question is perharps there is a way to zoom in why it could be happened and how to track the causing of missing key/value in registry. Is there any tools to help it out? Thanks for your help..... Tag: "Reverse" proxy available. Any need to put web servers in DMZ ? Tag: 72592
  - 5
    - IPSEC for scripting Hey can anyone provide an example of how to use IPSEC in a script/commandline between a Win2000 and Win2003 server. I want to create a tunnel so I can use Robocopy between the boxes like I use Rsync and SSH on my linux boxes. I'm new to this so please be descriptive. Thanks! ----------- Anyone who knows everything, leads a pretty boring life Tag: "Reverse" proxy available. Any need to put web servers in DMZ ? Tag: 72587
  - 6
    - Solution for securing VPN/RAS using 2-factor SMS Authentication Hi Everyone, I've developed an IAS plugin, 'MobileKey', that provides 2-Factor Authentication (via SMS) for VPN/RAS networks using Microsoft IAS (Win2k/Win2k3) as RADIUS server. Two authentication modes are supported - Windows password plus SMS access code, and Challenge Password plus SMS access code. Delivering access code by SMS secures the VPN against key-press capture spyware and trojans residing on the client PC. 'MobileKey' is database driven/secured and can comfortably authenticate up to 50,000 users a day with an SMPP connectivity to an SMSC. I'm now looking for beta testers for this plugin to test out on ISA Server and other VPN/RAS equipment, as well as partners interested in reselling this kind of solution out of the box, customized or OEM. 'MobileKey' offers unbeatable value for deployments exceeding 30 VPN users as no hardware key is required - your mobilephone is your key generator! Here's some preliminary information:- SMS Gateway used - VisualGSM Enterprise Server (http://www.visualtron.com/products_enterprise.htm) IAS Plugin Windows Installer with Help file (http://www.visualtron.com/download/mobilekey-radius.exe) SMS delivery mode - GSM or SMPP 3.3/3.4 Please feel free to contact me anytime. Rgds, Joshua Lim Visualtron Software http://www.sms-gateway-software.com Tag: "Reverse" proxy available. Any need to put web servers in DMZ ? Tag: 72582
  - 7
    - Firewall I am unable to connect to the Internet through Musicmatch Jukebox b/c of a firewall that is turned on. I have disabled at least one firewall by opening the security center. I can't figure out how to disable the firewall that's on from a program I've already deleted. As a result, I cannot download music. Please help! Tag: "Reverse" proxy available. Any need to put web servers in DMZ ? Tag: 72575
  - 8
    - Expiring AntiSpyware Hello, i was just wondering about Antispywere it is gonna expire in 10 Days what should i do? Any Answers? Tag: "Reverse" proxy available. Any need to put web servers in DMZ ? Tag: 72572
  - 9
    - Unknown User Logon attempt I'm trying to track down a user logon attempt on one of my servers. W2k AD enviroment Whenever I reboot one of my member server i get an event 681/529. What scares me is that the username attempting to logon is called "secret". I know for sure it's not a domain user account nor a local user account on the server. I'm trying to find more info on this user. I only receive this event when I reboot the server as if it's a service starting up. I don't see any unknown services running on the server though? Any suggestions how to best troubleshoot this? Here's a copy of the event: Event Type: Failure Audit Event Source: Security Event Category: Logon/Logoff Event ID: 529 Date: 6/11/2005 Time: 9:10:31 AM User: NT AUTHORITY\SYSTEM Computer: EVANS10 Description: Logon Failure: Reason: Unknown user name or bad password User Name: Secret Domain: Logon Type: 2 Logon Process: Advapi Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Workstation Name: "member server" Event Type: Failure Audit Event Source: Security Event Category: Account Logon Event ID: 681 Date: 6/11/2005 Time: 9:10:31 AM User: NT AUTHORITY\SYSTEM Computer: member server Description: The logon to account: Secret by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 from workstation: member server failed. The error code was: 3221225572 Thanks Tag: "Reverse" proxy available. Any need to put web servers in DMZ ? Tag: 72568
  - 10
    - SE caught a trojan or is it misslabeled Hi Spyware Exterminator caught a trojan called "Trojan Win 32 FTP Attack" in the C:\WINDOWS\CREATOR\Remind_XP.exe, file. Now I would normally delete this and move on, however the last time I attempted recovery the error message PRELOAD is missing or corruppted flashed while recovering. The computer got stuck while reloading for about a day or two. I attempted and completed a DESTRUCTIVE RECOVERY, which brings me to the point of having another trojan??? (or legit program labeled as a trojan). I ALSO USED SYSTEM MECHANIC TO DELETE UNNECESSARY FILES -------WHAT DO YOU GUYS THINK?????? -- Thought computing was supposed to be easy. Tag: "Reverse" proxy available. Any need to put web servers in DMZ ? Tag: 72567
  - 11
    - Does we need a dedicated software to guard mIRC? I am a mIRC user and found a software declare dedicated for the security of IRC program! There already have AV and firewall to guard my system. Does I need this IRC dedicated door installed?? bellow is the link of it: http://www.diamondcs.com.au/index.php?page=irclean __ Lecter - "Trust No One!" Tag: "Reverse" proxy available. Any need to put web servers in DMZ ? Tag: 72562
  - 12
    - server 2003 administrator password We have just received a new machine with server 2003 loaded as per our bespoke software suppliers instructions. the machine was configured with turkish as the default language, however, the software we installed required english as the primary language so i changed this in the control panel. After restarting i found that the administrators password is now invalid and after three unsuccessful attempts to log in the machine will no longer boot! Can anyone please offer a technophobe some simple help? Tag: "Reverse" proxy available. Any need to put web servers in DMZ ? Tag: 72560
  - 13
    - Windows Firewall off and indicates on Hello , XP , SP2 , Norton Personal Firewall , Lately when turn off Windows firewall is selected , the Windows Security Center Control Panel indicates 'on .' Is there a solution and fix ? Personal firewall on or off does not affect this behavior . Thank You . -- KD Tag: "Reverse" proxy available. Any need to put web servers in DMZ ? Tag: 72558
  - 14
    - unauthorized access into hotmail account I need some help. I have a case where my client is alleging wrongful termination by his former employer. It seems that his former employer found a way to access his personal hotmail account, thus also accessing information protected by attorney-client privilege. We can't be sure there was unauthorized access. Is there some way to determine if the email was accessed by anyone other than my client? I'm hoping we can do this without a court order or lawsuit, since we hope to resolve this matter out-of-court. Thanks. Tag: "Reverse" proxy available. Any need to put web servers in DMZ ? Tag: 72551
  - 15
    - centralized, multi-OS authentication ? in a mixed environment with mainframes, unix/linux, windows, etc... is there some way to have a centralized authentication server or service that users can authenticate to once ( kerberos ? ldap ? ) and then pass the authentication on to all of the other hosts in the mixed environment ? not sure what the best way to go about this is, but when passwords expire on each host every 90 days its a nightmare to sync all of the new passwords on all of the different machines. tia for any help or guidance on this one ... Tag: "Reverse" proxy available. Any need to put web servers in DMZ ? Tag: 72550
  - 16
    - Alternative Login Methods/Security Devices/Smart Cards Hi I'm wondering if anyone out there has any experience with this. I have a complex password scheme applied to my domain and I have a user who has issues remembering complex passwords. This user is important enough that I find an alternate solution without removing my password policy. Has anyone had any experience with this, or any suggestions on what route to go? Thanks in advance! Tag: "Reverse" proxy available. Any need to put web servers in DMZ ? Tag: 72548
  - 17
    - OneCare Beta Program If anyone out there would like to help out with Microsoft's OneCare solution and has some time (and resources) to spare, go to the following link and nominate yourself for the OneCare beta program: http://beta.windowsonecare.com/betaentry.aspx Please Note: This is a BETA and things can go wrong, if you are not prepared to provide balanced beta feedback or, potentially, do a complete system restore please do not nominate yourself. I have been running it for about a week on a number of computers and for the most part I am quite impressed, it is simple and effective. BB Tag: "Reverse" proxy available. Any need to put web servers in DMZ ? Tag: 72547
  - 18
    - ms02-039 i have xp-pro, am a home user, not running a server, my question is why do i keep getting hit with stuff like ms02-039, this is the last one to occur, been happening for a while now, im thinking that , perhaps, i downloaded the wrong updates form microsoft, if so, yall know of any way i can find out, so i can delete it? im a newbie , dont know much about digging around in the system, thanks Tag: "Reverse" proxy available. Any need to put web servers in DMZ ? Tag: 72546
  - 19
    - Certificate Autoenrollment Hoping someone might be able to enlighten me on this subject and correct any assumptions I am making that might be wrong. Thanks in advance. When you set up your CA you can specifiy in the capolicy.inf file which pki services you wish to provide to users/computers. Some of these, such as basic EFS and Domain Controller, are set up for autoenrollment by default as defined in group policy. This is fine, except for when you want to limit who/what can request the certificates. I have both basic EFS and Domain Controller certificates being issued. I don't want to implement these certificates yet and wish to controll the requests which are building up in my pending queue. I was able to modify the Autoenrollment setting in Group Policy for my Win2003 Domain Controllers to stop them from requesting certificates, but the Win2000 DCs are still requesting and I have not found where the setting in group policy is to controll this. I can also remove this template from the certificate store, but I read a warning that once removed you cannot issue certificates based on the template anymore. Not sure if this simply meant that a custom template definition would not be available as I can't see any restriction that would keep me from adding it back in after I removed it. This brings up the question, "Am I being a paranoid control freak." Should I just allow the domain controllers to request their certificates even though I have not implemented anything yet based on those certs. Just a bit confused why MS would asssume this how an admin would want the default behavior. Tag: "Reverse" proxy available. Any need to put web servers in DMZ ? Tag: 72544
  - 20
    - Require connecting systems to be a Domain Computers Does anyone know how to prohibit computers from connecting to a Windows 2003 Server share unless the system they are connecting from is a member of the domain. I a few "power users" and developers who keep removing their systems from the domain, and just connecting to the server by browsing and using their domain credentials. These users need to be able to add computers to the domain, as they reinstall Windows often to test stuff on a clean machines. If I don't allow them to connect to the file server unless their system is a part of the domain, that will solve the problem. I feel that this should be such an obvious thing to do, but I have yet to see any information on how to do this. Kevin Tag: "Reverse" proxy available. Any need to put web servers in DMZ ? Tag: 72542
  - 21
    - Total protection for your software against crack EXECryptor reaches version 2.1.21 Software piracy! Cracked serial numbers! Thousands of commercial products are posted on the warez sites and become available to all every day! Companies lose millions of dollars every year to software piracy, and faulty protection programs. Shareware developers look for unbreakable protection for their products and create some protection themselves or try many of the ready-made tools. Unfortunately most tools have already been cracked, and self solutions often only take one determined cracked a few hours to bypass. As a result they soon find the stoles keys and product cracks on thousands of hacker Internet pages. No solution ? Well there is It is time to turn to the uncrackable, time tested, EXECryptor protection product. EXECryptor is a powerful, software tool that allows developers to significantly increase software protection from reverse engineering, analysis and modifications. Its main difference from other protection tools is its brand new metamorphing code transformation technology. With EXECryptor the protected code block is not just packed or obfuscated like many other packers, but also disassembled into nondeterminate transformations, effectively scrambling the visible logical code structure and making it impossible to reverse. After the code transformation, it remains executable and working as it is supposed to but it cannot be analysed, modified, or circumvented. It is not just a question about code encryption but also code transformation. You can optionally wrap additional parts of your code, at a source code level, in special flags which then transform into virtually impossible code to trace, crack, or bypass. Protected code blocks are never decrypted during execution they remain in their transformed code state. Code restoration becomes an NP-hard problem. EXECryptor has the innovative very powerful antidebug, antitrace and import protection features to stop the latest cracking software. EXECryptor allows to use short registration keys of 12/16 characters long, based on a new generation of our HardKey algorithm, cryptographically strong ultrashort digital signature. The power of software protection with EXECryptor is proved out in practice: despite numberous cracking attempts and challenges, the EXECryptor's 2.x series has not been cracked since its inception in July of 2004. In addition to its advanced protection features, EXECryptor allows you to compress the code and resources of your application. EXECryptor is able to protect any 32bit PE executable file (exe, dll, bpl, vxd, wdm). It has been tested with W95/98/ME/2000/NT/XP/2003. SDKs are available for Delphi, C++Builder, Microsoft Visual C++, LCC, PellesC, Visual Basic, PowerBASIC and PureBasic. What's new in this version : - added SDK's and examples for support LCC, PellesC, PowerBASIC and PureBasic - added new option: Delay DLL loading - improved: wmvare/virtualpc/wine compatible mode - improved: protection from inline patching - improved: antidebug protection EXECryptor is distributed electronically over the Internet; free trial version is available at http://www.strongbit.com for evaluation. The price of a single copy is 135.00 US Dollars / 99 EUR. There are significant discounts available for multiple purchases and site license buyers (starting at as few as 5 copies). * Operating system: Windows 95, 98, ME, NT, 2000, XP, 2003 * RAM: 32 Mb * Hard Disk: 2.5 Mb Product Page: http://www.strongbit.com/execryptor.asp Download: http://www.softcomplete.com/download/execryptor.zip Buy Link: http://www.strongbit.com/order.asp Tag: "Reverse" proxy available. Any need to put web servers in DMZ ? Tag: 72535
  - 22
    - SQL2K WIN2K3 CONNECTION SECURITY This question got rejected from the SQL Server group, but i'll try here as it relates to security. I moving an old SQL Server-backend-IIS5/ASP-fronte=AD=ADnd application to servers with windows 2003 standard edition. One server will run the database the other will run IIS 6.0. Note that i haven't set-up a domain, which i think requires one machine to be domain controller which would decrease performance and stuff. I've simply put them on the same group. I wan't to restrict access to the sql server so only the incomming connection from the webserver is allowed. I can use either named pipes(which should be the fastest protocol) or tcp(which should be slight slower than named pipes) but I seem to have a problem. If I use named pipes to connect, the IUSR(the user under which IIS is running) must have access-rights to IPC$ share on the sql server. I can't seem to set any access-right directly for IPC$ share, but I can reactivate my guest user and then it works, but then everyone can now access the ipc$ share so it's not really what i'm looking for. I can also connect through TCP( and set up some kind of filter only allowing incomming connections on port 1433 from the ip of the web server. But i don't know how to do this. I've taken a look at the IPSec stuff but it's all about kerberos authentication and other bull which i don't think i need. What i need is a simply ip port filter, which does nothing else but reject incomming connections to sql server on port 1433 originating from any other ip's than my webserver. My question is how do I do this? Do i need to have a additional "firewall" service running and, if so, how much extra overhead will this create for the sql server. Alternately, is it possible to change the access rights for the IPC$ share manually? Thanks in advance for any input you might have on this? Tag: "Reverse" proxy available. Any need to put web servers in DMZ ? Tag: 72533
  - 23
    - Certificate Authority services on W2k forest I want to setup an internal CA to deploy 4 certificates to our users (even though our total user count in this company is 5000). We do not have any major plans to deploy additional certs for others. Question: Can i just install CA on a domain controller? MS' best best practice is to use a 2 tier/3 tier method and NOT INSTALL CA on a DC. But in our situation, we just need it to do a fast deployment. Deploying CA on 3 servers just dont' justify the cost. Let me know what the drawback is by installing it on a domain controller. Tag: "Reverse" proxy available. Any need to put web servers in DMZ ? Tag: 72521
  - 24
    - How to allow certain users to restart a service on W2K3 serves? I would like to enable a group of users to only be able to restart the Print spooler service. (Don't want him to have any additional rights). I don't want them to have administrators priviledges either. How do we enable this? Tag: "Reverse" proxy available. Any need to put web servers in DMZ ? Tag: 72515
  - 25
    - Using Cacls I am trying to use Cacls to add Domain Users to numerous folders within a folder and can not seem to get it to work. Can it be done on a server cacls /T /E /G domain users:F c:\testfolder\*.* Can someone help me with the syntax Many Thanks Tag: "Reverse" proxy available. Any need to put web servers in DMZ ? Tag: 72514

This is the discussion here:
I have ISA 2004 setup as a workgroup in the DMZ successfully publishing my
OWA 2003.
I have a web server (win2003, IIS6.0) that pulls data from a SQL 2000 db.
Such web server is currently in the "internal" network. Web server requires
no authentication.

In my view it makes more sense keep such web server as is in the internal
network and publish it via "ISA" to take advantages of HTTP filters and
other things ISA offers.

Instead, do you see any advantage security wise of moving such webserver to
the DMZ instead ? That will require a whole in the firewall to allow traffic
to the SQL db which resides in the internal network.

If you can help, advise on pros and cons of placing such web server in the
DMZ instead of keeping ISA->Web server(Internal).

Top

Re: "Reverse" proxy available. Any need to put web servers in DMZ ? by Phillip

Phillip
Thu Jun 16 14:41:21 CDT 2005

"Marlon" <marlon-nospam@hotmail.com> wrote in message
news:OD0MxNqcFHA.2420@TK2MSFTNGP12.phx.gbl...
> In my view it makes more sense keep such web server as is in the internal
> network and publish it via "ISA" to take advantages of HTTP filters and
> other things ISA offers.

You just answered your own question.

> That will require a whole in the firewall to allow traffic
> to the SQL db which resides in the internal network.

You just answered your own question,...again.

Leave it on the LAN.

--

Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com

Top