Hi:
Can someone tell me what ports are needed for a Windows member server that's in a DMZ to authenticate back to the DC's in the protected LAN?
Specifically, I have an FTP server, DNS Server, and an Exchange (2003) Front end/OWA server in the DMZ

Thanks,
Tony

asked 11/21/2011 02:56

ElmsAdmin ♦♦


14 Answers:
Use port query tool

http://www.microsoft.com/download/en/details.aspx?id=24009

this will give you complete detail.

answered

amitkulshrestha

Here's what you need for Exchange:
http://www.windowsitpro.com/article/configuration/exchange-in-the-dmz
FTP uses ports 21 and 22.
DNS uses port 53

To add a DMZ machine to a domain on the protected side of the firewall, the same ports here are required: http://www.pberblog.com/post/2009/11/07/Creating-a-2003-AD-domain-trust-through-a-firewall.aspx
See this for general port requirements: http://support.microsoft.com/kb/832017

answered 2011-11-21 at 11:07:47

Pber

A simple answer to the original question,....."Everything that is important,...everything that a hacker would ever want",...so basically you end up nullifying the DMZ and there is no longer any point in it being there,...it effectively just becomes another equal LAN segment to the original LAN segment.

answered 2011-11-24 at 07:06:28

pwindell

I'm not saying it's secure or the best design.  Definitely opens you up to a huge attack surface.

We use DMZs in a protected isolated core with no connection to the outside world at all.  The DMZs are used for equipment isolation due to B.S. regulatory compliance reasons.  Not really worried about external hackers in my scenario.

answered 2011-11-29 at 07:32:23

Pber

I understand.

Well I'm in the context of a common Internet DMZ, not a core DMZ, and not something like a military base or the CIA.   It is just a generic discussion to me,...I'm not going after anyone.  But it is the belief of a "huge attack surface" that I have never agreed with,..."attack surface" yes, there is always one, can never be gotten rid of,....how huge it is, is the real question to me.  Also along the same lines,...what is the real difference in attack surface "size" between having a DMZ and not having the DMZ?  If you have to allow AD communication between the target servers in the DMZ and the domain controllers, then there really isn't that much difference in moving the target servers into the LAN. In either case "hacking" into one of the target servers does not mean you can get to the DC nor does it mean you can't get to the DC; however, either way the DMZ really doesn't matter because if they could get to the DC,...then they can still get to the DC.

Bottom line for me is that the DMZ Religion has the idea that having a DMZ makes you secure and not having one automatically means you are "wide open", and that's what I disagree with and think that people need to think beyond that.  It is the same mentality that says, "I have a hardware firewall,...therefore I am secure".

Anyway I have run without a "DMZ" for over a decade,...and being a mainstream media outlet,..we are a target to some degree,...and there has never been a problem.  The risks I do fight with come in over the normal things that I must allow and if there was a DMZ I would simply have to allow them through that as well, so nothing gained by the DMZ.

A few years back at MS HQ in Redmond I watched a live hacking demonstration by Jesper Johansson where he gained the Domain Administrator's credentials and then changed the Administrators password to something that only he would know what it was.  I can tell you with absolute certainty that a DMZ would not have made a spit full of difference whether it existed or not,...the DMZ was just simply an irrelevancy.  

Quite often the DMZ gets in the way of the Admin more often than it gets in the way of any hacking attempt,...it's like giving someone a gun for protection and they shoot their own foot off with it.

answered 2011-11-29 at 11:59:05

pwindell

I think I'm just bored today and needed someone to talk to,...so I picked you  :-)

answered 2011-11-29 at 12:50:19

pwindell

Hehehe, pick away.  I agree totally.

I've seen a few hacking demos myself, and just as you concluded, the firewall/DMZ was of little relevance.  Makes you wonder what you don't see even when you are looking.

answered 2011-11-29 at 13:08:15

Pber

Makes you wonder what you don't see even when you are looking.

Yes.  That's why I am skeptical of the usefulness of any of the IDS products.  If something "looks" like an intrusion attempt (hence detected by the IDS),...then it is by definition a failure and there wasn't any point in the IDS system telling you about a failed blocked attempt that never got through anyway.  But if it was successful then it would have looked like normal traffic and would not have been stopped by anything.  Like I always say,...a hacker is going to use what you allow,...not what you don't allow,...and the IDS system would not have flagged it or given any alerts,...so what good was the IDS to begin with?    I have yet to see an IDS system say, "whoops! that one got by me and stole your information!"

answered 2011-11-30 at 06:47:41

pwindell

(:

We even have boutique IDS appliances that are very specialized/customized for our environment with dedicated staff to monitor them.  I think it is better than the off the shelf ones, but I still don't have 100% confidence in them.

answered 2011-11-30 at 07:03:47

Pber

OK, so back to the original question:
What's been confusing about researching this is the wide range of info that's out there.
The link on your blog, pber, doesn't indicate port 123 for NTP, 135 for RPC, the RPC random ports, and 3268 for GC.
See this link: http://social.technet.microsoft.com/Forums/en/winserversetup/thread/2f8f691a-0017-43c5-addc-672bb7f9a7b0

Thoughts?

Thanks.

answered 2011-11-30 at 07:11:45

ElmsAdmin

I think you're starting to make my point.  The vast amount of traffic types you have to allow between the DMZ and the LAN pretty much nullify the DMZ and make it effectively "just another subnet" on the over-all network.

answered 2011-11-30 at 09:06:12

pwindell

It looks like you're making a Forest Trust, which requires more ports than an external trust.

As pwindell has indicated, this is not a secure or recommended method for what would seem to be FTP/OWA to external users.  You would be better off publishing through an SSL gateway such as Microsoft TMG or Cisco Ironport.

If you really want the forest trust ports you would end up opening 53,88,135,464,389,445,636,3268, and 49152-65535 from your DMZ to your protected LAN.  The ports going in the other direction are almost as large.  Not good.  This may be the cheap way to go, but it will cost you a lot more when your protected LAN gets hacked.


answered 2011-11-30 at 09:08:57

Pber
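
As an added example (not from this thread or any of its posters), here is a Python port-reachability audit in the spirit of the PortQry tool linked in the first answer. Run from the DMZ member server, it probes the DC ports Pber lists above, separates "filtered" (no reply, typically a firewall drop) from "closed" (a RST came back, so the firewall passes the port but the DC is not listening), samples the dynamic RPC range, and flags ports that should never be reachable from the DMZ. The DC hostname, the sample high ports, and the RDP/WinRM "should be filtered" list are assumptions made for illustration; the list of required ports is the one given in the thread.

```python
"""Port-reachability audit for a DMZ member server authenticating to a LAN DC.

Added example, not part of the thread. Plain TCP connects, like PortQry.
"""
import socket
from typing import Any, Callable, Dict, List

# Ports the thread lists for domain membership / a forest trust, DMZ -> LAN.
AD_PORTS: Dict[int, str] = {
    53: "DNS",
    88: "Kerberos",
    135: "RPC endpoint mapper",
    389: "LDAP",
    445: "SMB",
    464: "Kerberos password change",
    636: "LDAPS",
    3268: "Global Catalog",
}
# Dynamic RPC range from the thread. A DC listens on only a handful of these,
# so a few sample ports are probed and a "closed" (RST) reply is taken as proof
# that the firewall passes the range (assumes the firewall drops, not rejects).
RPC_DYNAMIC_SAMPLE = (49152, 57343, 65535)
# Constructed list of ports that should never be reachable DMZ -> LAN (assumption).
SHOULD_BE_FILTERED: Dict[int, str] = {3389: "RDP", 5985: "WinRM"}

Probe = Callable[[str, int], str]


def tcp_probe(host: str, port: int, timeout: float = 2.0) -> str:
    """Classify host:port as 'open', 'closed' (RST received) or 'filtered' (no reply)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"
    except OSError:  # timeout, host unreachable, and similar: treated as filtered
        return "filtered"


def audit_dc_reachability(dc_host: str, probe: Probe = tcp_probe) -> Dict[str, Any]:
    """Probe every port of interest and sort the results into buckets."""
    findings: Dict[str, Any] = {
        "required_open": [],      # service answers: authentication can use it
        "required_closed": [],    # firewall passes it but the DC is not listening
        "required_filtered": [],  # no reply: the firewall rule is missing
        "rpc_range_permitted": False,
        "unexpected_reachable": [],
    }
    for port in AD_PORTS:
        findings["required_" + probe(dc_host, port)].append(port)
    findings["rpc_range_permitted"] = any(
        probe(dc_host, p) in ("open", "closed") for p in RPC_DYNAMIC_SAMPLE
    )
    for port in SHOULD_BE_FILTERED:
        if probe(dc_host, port) != "filtered":
            findings["unexpected_reachable"].append(port)
    return findings


def render(findings: Dict[str, Any]) -> List[str]:
    """Turn the findings into report lines a firewall admin can act on."""
    lines: List[str] = []
    for port in findings["required_filtered"]:
        lines.append(f"MISSING RULE: tcp/{port} ({AD_PORTS[port]}) is filtered; AD auth will fail")
    for port in findings["required_closed"]:
        lines.append(f"DC NOT LISTENING: tcp/{port} ({AD_PORTS[port]}) is reachable but refused")
    if not findings["rpc_range_permitted"]:
        lines.append("MISSING RULE: dynamic RPC range 49152-65535 appears filtered")
    for port in findings["unexpected_reachable"]:
        lines.append(f"OVER-EXPOSED: tcp/{port} ({SHOULD_BE_FILTERED[port]}) should not be reachable from the DMZ")
    if not lines:
        lines.append("All required ports reachable and nothing unexpected exposed")
    return lines


if __name__ == "__main__":
    # "dc01.corp.example" is a placeholder hostname; run this from the DMZ host.
    for line in render(audit_dc_reachability("dc01.corp.example")):
        print(line)
```

The open/closed/filtered split is the useful part: a "closed" answer on a required port tells you the firewall change is done and the problem is on the DC, while "filtered" points back at the rule set. The "OVER-EXPOSED" check is the inverse of the question asked in the thread, verifying that only the listed ports made it through rather than the "just another subnet" result the posters warn about.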

OWA is always better on the regular LAN and then "publish" it with ISA or TMG which will both honor and bridge the SSL and also pre-authenticate the user before letting the auth attempts hit the OWA/Exchange itself (that's more than a simple reverse-NAT).   MS's UAG which is a type of SSL-VPN solution is also a good approach that lets you "publish" Applications from the main LAN rather than publishing machines,...similar to the Citrix solutions,...it basically brings the Application to the user rather than bringing the user to the machine.

answered 2011-11-30 at 09:52:32

pwindell

Ah, OK. TMG. That sounds like a good answer. Thanks.

answered 2011-11-30 at 10:00:00

ElmsAdmin

Seen: 168 times

Last updated: 11/30/2011 05:01