Re: Firewall between DC and member servers
- From: "Jorge Silva" <jorgesilva_pt@xxxxxxxxxxx>
- Date: Wed, 21 Jun 2006 17:26:14 +0100
for the DC talk it is ALL or NOTHING. You CANNOT give control to someone
for just ONE DC (will change in Longhorn however with the introduction of
RODCs)
I feel that you're not talking the same language here. I already told you
that you CAN allow a specific group to perform only certain tasks on just
one DC.
--
I hope that the information above helps you
Good Luck
Jorge Silva
MCSA
Systems Administrator
"Jorge de Almeida Pinto [MVP]"
<SubstituteThisWithMyFullNameSeparatedByDots@xxxxxxxxx> wrote in message
news:epRxAUUlGHA.3688@xxxxxxxxxxxxxxxxxxxxxxx
for the DC talk it is ALL or NOTHING. You CANNOT give control to someone
for just ONE DC (will change in Longhorn however with the introduction of
RODCs)
I also think: is it worth it? (concerning the firewall thing) In this case
NO (my opinion)
--
Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)
# Jorge de Almeida Pinto # MVP Windows Server - Directory Services
BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
------------------------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no
rights!
* Always test before implementing!
------------------------------------------------------------------------------------------
#################################################
#################################################
------------------------------------------------------------------------------------------
"Jorge Silva" <jorgesilva_pt@xxxxxxxxxxx> wrote in message
news:uOuE6PUlGHA.3776@xxxxxxxxxxxxxxxxxxxxxxx
Yes, I'm pretty sure that in your situation, where you defend that it's ALL
or NOTHING, all your computers are locked in a room without any
connection to any network, where no one has access to them, making them a
big investment without any use: no web servers, no Exchange servers, etc.
"Jorge de Almeida Pinto [MVP]"
<SubstituteThisWithMyFullNameSeparatedByDots@xxxxxxxxx> wrote in message
news:uCIg0YTlGHA.2128@xxxxxxxxxxxxxxxxxxxxxxx
you can talk about REAL security and FAKE security... I call this fake
security
"Jorge de Almeida Pinto [MVP]"
<SubstituteThisWithMyFullNameSeparatedByDots@xxxxxxxxx> wrote in message
news:eeh6CTTlGHA.508@xxxxxxxxxxxxxxxxxxxxxxx
the little gain of security you are talking about does not weigh
against the management of that stuff...
I have seen situations where a FW in time became more and more open; it
looked like Swiss cheese. In those cases your security is broken down
for each open port and from some point on it is not even worth having a
FW.
well...
whatever...
I don't agree with doing this and you do.
two opinions that don't match...
"Jorge Silva" <jorgesilva_pt@xxxxxxxxxxx> wrote in message
news:%23g%230MJTlGHA.4212@xxxxxxxxxxxxxxxxxxxxxxx
Once again you're saying that there's no point in having a FW between DC
and member servers as stated in the original post.
Once again you're wrong.
I already told you that in some specific situations security can be
increased; although it is almost impossible to have 100% security, you
can make it better, and I'd rather do something to increase security
than do nothing.
"Jorge de Almeida Pinto [MVP]"
<SubstituteThisWithMyFullNameSeparatedByDots@xxxxxxxxx> wrote in
message news:%23MlwyySlGHA.5108@xxxxxxxxxxxxxxxxxxxxxxx
ok... let's go back to what I said:
"putting a firewall between DCs and servers/clients or swiss cheese
is practically the same"
I'm NOT talking between DCs (which can be realized with several
configs like preferred BHs, or manual COs and static ports for AD and
SYSVOL), but between servers/clients. The latter means opening up a
crap load of ports!
"Jorge Silva" <jorgesilva_pt@xxxxxxxxxxx> wrote in message
news:eQ$O1vSlGHA.1640@xxxxxxxxxxxxxxxxxxxxxxx
????
What I'm trying to say to you is that in some situations you need to
open the FW for replication or any other traffic to occur
"Jorge de Almeida Pinto [MVP]"
<SubstituteThisWithMyFullNameSeparatedByDots@xxxxxxxxx> wrote in
message news:%23d8juxRlGHA.4172@xxxxxxxxxxxxxxxxxxxxxxx
don't return the question, please answer it
"Jorge Silva" <jorgesilva_pt@xxxxxxxxxxx> wrote in message
news:OsL06fLlGHA.5072@xxxxxxxxxxxxxxxxxxxxxxx
Well, did you already try to set up a Branch Office in ISA Server
without configuring FW rules...? Try that without configuring
Network rules or Firewall rules and you'll see what happens.
"Jorge de Almeida Pinto [MVP]"
<SubstituteThisWithMyFullNameSeparatedByDots@xxxxxxxxx> wrote in
message news:eJf3lXLlGHA.1600@xxxxxxxxxxxxxxxxxxxxxxx
please explain...
"Jorge Silva" <jorgesilva_pt@xxxxxxxxxxx> wrote in message
news:OtOVAQLlGHA.2304@xxxxxxxxxxxxxxxxxxxxxxx
putting a firewall between DCs and servers/clients or swiss
cheese is practically the same
Sorry, not necessarily true.
"Jorge de Almeida Pinto [MVP]"
<SubstituteThisWithMyFullNameSeparatedByDots@xxxxxxxxx> wrote in
message news:%23sIAihKlGHA.4284@xxxxxxxxxxxxxxxxxxxxxxx
putting a firewall between DCs and servers/clients or swiss
cheese is practically the same
"lightcap" <lightcap@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:60325635-31B8-4E00-B789-2F38B76A7056@xxxxxxxxxxxxxxxx
I'm checking packet traces to see what goes on between a DC and a member
server since we will have a firewall in between. There are a couple things
that are not mentioned in KBs and white papers I've read. Primarily there are
a lot of RPC calls. What are they likely to be? White papers say they are
necessary for DC replication but do not mention them for DC to member
communication. There are also pings which I believe are related to SMB on
port 445. I gleaned that nugget while playing with Windows Firewall. What
happens if there is no response to the pings? Will SMB fail?
TIA
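The kind of trace review the original poster describes, as an added example that is not from anyone in this thread: it tallies member-to-DC flows by DC-side port from a constructed trace in a simplified text format, labels the well-known AD service ports, and flags the dynamic endpoints that the RPC endpoint mapper on TCP 135 hands out, which are the "crap load of ports" a firewall between a DC and member servers has to account for. The trace format, the sample addresses and the port table are assumptions for this example, not taken from the thread.

```python
"""Tally a DC <-> member-server packet trace by DC-side port and label each
port with the AD service that uses it, so firewall rules are built from
observed traffic. Trace format and sample data are constructed here."""
from collections import Counter

# Fixed ports a member server uses against a DC (well-known AD port list).
AD_PORTS = {
    ("udp", 53): "DNS", ("tcp", 53): "DNS",
    ("udp", 88): "Kerberos", ("tcp", 88): "Kerberos",
    ("udp", 123): "NTP (W32Time)",
    ("tcp", 135): "RPC endpoint mapper",
    ("tcp", 389): "LDAP", ("udp", 389): "LDAP ping (CLDAP)",
    ("tcp", 445): "SMB (SYSVOL/NETLOGON shares, named-pipe RPC)",
    ("tcp", 3268): "Global Catalog",
}
# Ranges the endpoint mapper allocates RPC endpoints from:
# 1025-5000 on Windows 2000/2003, 49152-65535 on Vista/2008 and later.
DYNAMIC_RANGES = ((1025, 5000), (49152, 65535))

def classify(proto, port):
    """Return a label for a DC-side (proto, port) pair."""
    if (proto, port) in AD_PORTS:
        return AD_PORTS[(proto, port)]
    if proto == "tcp" and any(lo <= port <= hi for lo, hi in DYNAMIC_RANGES):
        return "RPC dynamic endpoint (via 135; pin to a static port or open the range)"
    return "unclassified"

def summarise(trace, dc_ip):
    """Count member -> DC flows per DC port from lines of the form
    '<proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port>'."""
    counts = Counter()
    for line in trace.strip().splitlines():
        proto, src, _, dst = line.split()
        dst_ip, dst_port = dst.rsplit(":", 1)
        if dst_ip == dc_ip:  # DC-bound direction only; replies are ignored
            counts[(proto, int(dst_port))] += 1
    return {key: (classify(*key), n) for key, n in sorted(counts.items())}

# Constructed sample: member 10.0.1.50 talking to DC 10.0.0.10.
SAMPLE_TRACE = """\
tcp 10.0.1.50:51234 -> 10.0.0.10:135
tcp 10.0.0.10:135 -> 10.0.1.50:51234
tcp 10.0.1.50:51235 -> 10.0.0.10:49158
tcp 10.0.1.50:51235 -> 10.0.0.10:49158
udp 10.0.1.50:51236 -> 10.0.0.10:88
tcp 10.0.1.50:51237 -> 10.0.0.10:445
udp 10.0.1.50:51238 -> 10.0.0.10:389
"""
```

Calling summarise(SAMPLE_TRACE, "10.0.0.10") returns one entry per DC port with its label and packet count; the 49158 entry is the dynamically allocated RPC endpoint that follows the endpoint-mapper exchange on 135.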