Re: [FW-1] DMZ W2K dom

Hi,

I'm still waiting for your comments, really ...

--- Skar <[email protected]> wrote:
> Hi,
> I am evaluating whether to implement a new W2K domain for DMZ
> machines, and need some advice.
> There are some reasons/issues including advantages
> and disadvantages:
> * There are more than a hundred machines located within the DMZs.
> * There is a need for a proper update mechanism for
>   service packs and fixes.
> * Users are locally managed/administered within these
>   machines, therefore one needs to properly secure these
>   user-names and passwords for hundreds of machines
>   (and enforce some security settings).
> * For DMZ, you need to manually manage users.
> * One cannot know if the application programmer
>   or developer is using his user-id to log on or running
>   the applications.
> * There are no profiles within the systems.
> * Different developers or application managers cannot
>   be grouped.
> * Sec. Administrators or security operators can make
>   mistakes for individually managing the PCs.
> * Centrally logging/reporting/alarming.
> * Some deliberate or urgent actions can't be taken
>   within the individual macs.
> -- There's a security risk associated with W2K domain
>    installation. Hence, there's no trust of this
>    DMZ domain with any other domain.
> -- If the W2K domain is compromised there's a big big
>    risk..
> -- Related ports need to be opened within the DMZs.
> -- To decrease the security, you can put the ADS DCs
>    within the DMZs. However, by placing DCs to DMZ,
>    servers located with the DMZ of other firewalls may
>    have access problems.
> -- Extra HW/SW investment including redundant/backup
>    DCs.
> -- Some applications security need to be harvested.
> -- Virus/vandal risk as for the open ports.
> -- General security belief, "never open the ports for
>    smb"

=====
------------
Sick Boy

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to [email protected]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[email protected]
=================================================