[FW-1] DMZ W2K dom
Hi,

I am evaluating whether to implement a new W2K domain for DMZ machines, and need some advice. There are some reasons/issues, including advantages and disadvantages:

* There are more than a hundred machines located within the DMZs.
* There is a need for a proper update mechanism for service packs and fixes.
* Users are locally managed/administered within these machines, therefore one needs to properly secure these user names and passwords for hundreds of machines (and enforce some security settings).
* For DMZ, you need to manually manage users.
* One cannot know whether the application programmer or developer is using his user-id to log on or to run the applications.
* There are no profiles within the systems.
* Different developers or application managers cannot be grouped.
* Sec. administrators or security operators can make mistakes in individually managing the PCs.
* Centrally logging/reporting/alarming.
* Some deliberate or urgent actions can't be taken within the individual macs.

-- There's a security risk associated with W2K domain installation. Hence, there's no trust of this DMZ domain with any other domain.
-- If the W2K domain is compromised there's a big big risk.
-- Related ports need to be opened within the DMZs.
-- To decrease the security, you can put the ADS DCs within the DMZs. However, by placing DCs in the DMZ, servers located within the DMZ of other firewalls may have access problems.
-- Extra HW/SW investment, including redundant/backup DCs.
-- Some applications security need to be harvested.
-- Virus/vandal risk as for the open ports.
-- General security belief: "never open the ports for smb"

Sick Boy