Re: OK, I'm sold on SBS2003 now
- From: "Peter Foldes" <okf22@xxxxxxxxxxx>
- Date: Sat, 17 Sep 2005 08:27:33 -0400
I would not put SQL in there
--
Peter
Please Reply to Newsgroup for the benefit of others
Requests for assistance by email cannot and will not be acknowledged.
"Leythos" <void@xxxxxxxxxxx> wrote in message news:MPG.1d95cb81210e9d4198a0a4@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
> In article <OnAM1V0uFHA.3256@xxxxxxxxxxxxxxxxxxxx>,
> lanwench@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx says...
>> > We would make the SQL server a DC if we could only have the above - in
>> > the case of Exchange, it would be in its own domain and sit in a real
>> > DMZ network - no authentication between the Exchange server and the LAN
>> > servers.
>>
>> I wouldn't do that - what's the point of putting Exchange in its own domain?
>> and in the DMZ? I wouldn't do this.
>
> Think about it - if your exchange server works, in order for it to work
> you are most likely providing SMTP and SSL access from the Internet -
> provided you're using a single Exchange server.
>
> With SMTP and SSL exposed, you have a hole that can be attacked. While
> I've never seen SSL cracked inbound, it's still an exposed path. SMTP,
> well, I've seen people try that one daily.
>
> Keep in mind, I'm talking about a real DMZ, not one of those fake SOHO
> router DMZs where it's just an IP in the same network as the LAN.
>
> When it comes to most secure networks I always do a separate Exchange
> server in the DMZ and set the passwords on the accounts to something
> strong, and I don't let the users manage the passwords.
>
> By keeping the Exchange server in its own domain, and controlling
> passwords, there is little chance that a compromised server can
> automagically authenticate with any of the LAN servers.
>
> Oh, and with the RPC rules and such in the firewall, the Exchange server
> can only have a connection to the hosts in the LAN if the LAN systems
> initiate it first. This means that a compromised exchange server can't
> reach the LAN on its own, has no security accounts where the user/pwd
> match anything in the LAN, and is accessible to users outside the
> company over SSL.
>
> Don't tell me how hard it is to manage, it takes about 5 minutes to
> create the email account for a new user, and that's if I'm working slow.
> We manage installations with hundreds of exchange users setup like this,
> so I can assure you that it's painless.
>
> We also do other things with the Exchange server, we filter the SMTP
> inbound session, remove bad headers, remove attachments (based on type),
> remove messages with attachments of a size > xyz, etc... All at the
> firewall before it hits the SMTP server.
>
>
> --
>
> spam999free@xxxxxxxxxx
> remove 999 in order to email me
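As an added illustration (this is not part of the original post and not Leythos's own firewall configuration), the following Python model shows the three-zone policy the quoted message describes: the Internet reaches only the Exchange host in the DMZ on SMTP and SSL, LAN systems may open connections into the DMZ, and the DMZ reaches the LAN only as replies to flows the LAN initiated. The subnets, the Exchange address, and the rule allowing Exchange outbound SMTP for mail delivery are assumptions made for the example; the traffic is constructed, not a capture.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed addressing for the example (not from the post): TEST-NET ranges
# stand in for the DMZ and the Internet, RFC 1918 space for the LAN.
DMZ = ip_network("192.0.2.0/24")
LAN = ip_network("10.0.0.0/8")
EXCHANGE = ip_address("192.0.2.25")   # assumed address of the DMZ Exchange host
INBOUND_EXCHANGE_PORTS = {25, 443}    # SMTP and SSL (OWA / RPC over HTTPS)


def zone(addr: str) -> str:
    """Map an address to the zone the policy reasons about."""
    a = ip_address(addr)
    if a in DMZ:
        return "dmz"
    if a in LAN:
        return "lan"
    return "internet"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool  # True for a TCP connection attempt, False for later segments


class StatefulFirewall:
    """Zone policy: flows are created only by the LAN or by Internet clients
    hitting the published Exchange ports; everything else must ride on
    existing connection state."""

    def __init__(self) -> None:
        self.flows: set[tuple[str, int, str, int]] = set()

    def allow_new(self, p: Packet) -> bool:
        s, d = zone(p.src), zone(p.dst)
        if s == "internet" and d == "dmz":
            # Published services only: the Exchange host on SMTP and SSL.
            return ip_address(p.dst) == EXCHANGE and p.dport in INBOUND_EXCHANGE_PORTS
        if s == "lan":
            # LAN may open connections to the DMZ and to the Internet.
            return d in ("dmz", "internet")
        if s == "dmz" and d == "internet":
            # Assumption: Exchange needs outbound SMTP to deliver mail.
            return ip_address(p.src) == EXCHANGE and p.dport == 25
        # dmz -> lan and internet -> lan: never as a new connection.
        return False

    def process(self, p: Packet) -> str:
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        if fwd in self.flows or rev in self.flows:
            return "ACCEPT"           # reply or continuation of a tracked flow
        if not p.syn:
            return "DROP"             # no state and not a SYN: invalid
        if self.allow_new(p):
            self.flows.add(fwd)
            return "ACCEPT"
        return "DROP"


def run_scenario() -> list[str]:
    """Constructed traffic (not a capture) exercising each rule in order."""
    fw = StatefulFirewall()
    packets = [
        Packet("198.51.100.7", 40001, "192.0.2.25", 25, True),    # inbound SMTP
        Packet("198.51.100.7", 40002, "192.0.2.25", 443, True),   # inbound OWA over SSL
        Packet("198.51.100.7", 40003, "192.0.2.25", 3389, True),  # RDP from the Internet
        Packet("10.1.1.50", 50001, "192.0.2.25", 443, True),      # LAN user opens OWA
        Packet("192.0.2.25", 443, "10.1.1.50", 50001, False),     # Exchange replies
        Packet("192.0.2.25", 51000, "10.1.1.10", 445, True),      # DMZ host tries SMB to LAN
        Packet("192.0.2.25", 51001, "10.1.1.10", 445, False),     # forged "reply", no state
        Packet("192.0.2.25", 51002, "203.0.113.9", 25, True),     # outbound mail delivery
    ]
    return [fw.process(p) for p in packets]


if __name__ == "__main__":
    for verdict in run_scenario():
        print(verdict)
```

The sixth and seventh packets are the point of the design: a compromised Exchange host cannot open a connection into the LAN, and a segment that claims to be a reply is dropped because no LAN-initiated flow exists for it. Real firewalls implement the same idea with connection tracking (for example iptables' `conntrack --ctstate ESTABLISHED,RELATED` matches); the model here only shows the decision logic.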