Re: Flag for public AD integrated zones



"merc" <merc@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:F651A2F8-B5EB-4F74-9FBD-9CDC8B291C77@xxxxxxxxxxxxxxxx
> "Herb Martin" wrote:
> > You are really going at this the hard way -- and
> > very insecure to be exposing a DC on the Internet.
>
> What is hard (difficult) about it? I don't see exposing port 53 as being
> insecure at all.

You are exposing the DC to whatever weakness or bugs
are found in the DNS services.

Perhaps there are none, but you are trusting that none
will ever be found in the future.

E.g., buffer overflows from crafted packets, let's say.

> To make any changes to the server (DC), the RPC ports must
> be available. Since they are not, security is not an issue.

In theory neither is IIS, but how many buffer overflows and
other hacks has that service experienced?

> However, I know
> thousands of companies that have port 80 of their Exchange Servers exposed to
> the Internet.

And that is a poor practice also. The more such ports
you expose from a critical server, Exchange or DC, the
more chances you take.

> That is a security risk and has led to several corporate LANs
> being hacked.

Also note the difference with a DC: IF there ever is a DNS
exploit and it loses your DC, this means you have perhaps
lost your ENTIRE domain, maybe the entire forest.

It is much better to put SMTP, DNS and such on "sacrificial
hosts" -- if they are lost, you merely restore from backup or
re-install.
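As an added example (not from the thread or from either poster), the script below parses a constructed `netstat -an` excerpt from a domain controller and reports which of the DC's listening sockets are bound where an Internet-facing interface can reach them. It deliberately ignores any host or perimeter firewall, which is the control the original poster relies on for the RPC ports, so its output is the service attack surface before filtering, which is the exposure Herb's argument is about. The port-to-service table, the sample netstat lines and the interface addresses are all assumptions made for this example.

```python
import ipaddress
import re

# Ports a Windows domain controller typically listens on, mapped to the
# service behind them. Assumed for this example; the post only discusses 53.
DC_SERVICES = {
    53: "DNS",
    88: "Kerberos",
    135: "RPC endpoint mapper",
    389: "LDAP",
    445: "SMB",
    636: "LDAPS",
    3268: "Global Catalog",
}

# RFC 1918, link-local and ULA ranges: a socket bound only to one of these
# cannot be reached directly from the Internet.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "fc00::/7", "fe80::/10",
)]

# Constructed `netstat -an` excerpt for a DC with one internal interface
# (192.168.10.5) and one Internet-facing interface (203.0.113.10, a
# documentation address standing in for a public one). Sample data, not real.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:53             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.168.10.5:389       0.0.0.0:0              LISTENING
  TCP    192.168.10.5:445       0.0.0.0:0              LISTENING
  TCP    203.0.113.10:53        0.0.0.0:0              LISTENING
  TCP    127.0.0.1:49152        0.0.0.0:0              LISTENING
  TCP    192.168.10.5:389       192.168.10.20:51022    ESTABLISHED
  UDP    0.0.0.0:53             *:*
  UDP    192.168.10.5:88        *:*
  UDP    [::]:53                *:*
"""

# Proto, local address, local port, foreign address, optional state column.
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+\S+(?:\s+(\S+))?\s*$")


def parse_netstat(text):
    """Return (proto, bound_address, port) for every receive-ready socket."""
    listeners = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, addr, port, state = m.groups()
        # TCP rows carry a state; only LISTENING sockets accept new peers.
        # UDP rows have no state and are always receive-ready.
        if proto == "TCP" and state != "LISTENING":
            continue
        listeners.append((proto, addr.strip("[]"), int(port)))
    return listeners


def classify_bind(addr):
    """Where a socket bound to addr can be reached from:
    local / internal / wildcard (every interface) / routable."""
    ip = ipaddress.ip_address(addr)
    if ip.is_loopback:
        return "local"
    if ip.is_unspecified:          # 0.0.0.0 or :: binds every interface
        return "wildcard"
    if any(ip in net for net in INTERNAL_NETS):
        return "internal"
    return "routable"


def internet_facing(listeners, has_internet_interface):
    """Set of (proto, port, service) bound on an Internet-facing interface,
    before any firewall filtering is taken into account."""
    exposed = set()
    for proto, addr, port in listeners:
        kind = classify_bind(addr)
        if kind == "routable" or (kind == "wildcard" and has_internet_interface):
            exposed.add((proto, port, DC_SERVICES.get(port, "unknown")))
    return exposed


def report(text, has_internet_interface=True):
    exposed = internet_facing(parse_netstat(text), has_internet_interface)
    for proto, port, service in sorted(exposed):
        print(f"{proto}/{port} {service}: bound on an Internet-facing interface of this DC")
    if any(port == 53 for _, port, _ in exposed):
        print("DNS on the DC faces the Internet: serve public zones from a separate host "
              "and bind the DC's DNS server to the internal interface only.")
    return exposed


if __name__ == "__main__":
    report(SAMPLE_NETSTAT)
```

On the sample, the wildcard binds for DNS and the RPC endpoint mapper plus the explicit bind on the Internet-facing address are flagged, while LDAP, SMB and Kerberos bound to the internal address are not. Passing `has_internet_interface=False` models a DC with no public interface at all, where only an explicit bind to a routable address would be reported.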
