
[FW-1] DMZ W2K dom



Hi,
I am evaluating whether to implement a new W2K domain for DMZ
machines, and need some advice.
There are some reasons/issues including advantages
and disadvantages:
* There are more than a hundred machines located
within the DMZs.
* There is a need for a proper update mechanism for
service packs and fixes.
* Users are locally managed/administered within these
machines, therefore one needs to properly secure these
user-names and passwords for hundreds of machines.
(and enforce some security settings)
* For DMZ, you need to manually manage users.
* One cannot know whether the application programmer
or developer is using his user-id to log on or to run
the applications.
* There are no profiles within the systems.
* Different developers or application managers can not
be grouped.
* Sec. Administrators or security operators can make
mistakes for individually managing the PCs.
* Centrally logging/reporting/alarming.
* Some deliberate or urgent actions can't be taken
within the individual macs.
-- There's a security risk associated with W2K domain
installation. Hence, there's no trust of this
DMZ domain with any other domain.
-- If the W2K domain is compromised there's a big big
risk.
-- Related ports need to be opened within the DMZs.
-- To decrease the security, you can put the ADS DCs
within the DMZs. However, by placing DCs to DMZ,
servers located with the DMZ of other firewalls may
have access problems.
-- Extra HW/SW investment including redundant/backup
DCs.
-- Some applications security need to be harvested.
-- Virus/vandal risk as for the open ports.
-- General security belief, "never open the ports for
smb"



=====
------------
Sick Boy

   All contents © 2004 Network Presence, LLC. All rights reserved.