Should I allow MSDTC in my DMZ?

Posted by bryars on April 10, 2008, 9:30 am
I've got a fairly typical DMZ setup as below:

Internet
(External) Watchguard Firewall (80 and 443 open)
MS Windows 2003 Web Servers (in a workgroup)
(Internal) MS ISA Firewall (80, 443 and 1433 open)
MS Windows 2003 Db Servers

We now have a requirement to use MSDTC on the web servers and blow the
following holes in our internal firewall:

Open 135 RPC EPM (end point mapper)
Open 1433 TDS SQL traffic when using TCP/IP
Open 1434 SQL 2000 Integrated Security
Open 5100-5200 MSDTC [Dynamically assigned a port by the EPM]

I'm worried that these extra ports will be a security risk so my
question is not how to do this, rather should I do this? Obviously
there's always a risk opening extra ports, but is it common/normal to
run MSDTC in the DMZ? Should I ask the developers to adopt a different
solution?

Regards,

Daniel
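
One way to check a proposed ruleset against exactly the flows listed above, as an added example that is not part of the original thread: the script below audits a DMZ-to-internal ruleset against the required flows (135, 1433, 1434 and the pinned 5100-5200 MSDTC range) and flags rules that are broader than needed, for instance an "any" source or an unrestricted RPC dynamic range, as well as required flows the ruleset fails to allow. The rule syntax, the addresses 10.0.1.0/24 (web servers) and 10.0.2.5 (DB server), and the assumption that all four flows are TCP are constructed for the example.

```python
"""Audit a DMZ-to-internal firewall ruleset against the flows MSDTC needs.

Added example, not from the original thread. The rule syntax, the host
addresses and both rulesets below are constructed; the port list mirrors
the one in the post (135, 1433, 1434, 5100-5200). Treating every flow as
TCP is an assumption for the example.
"""
import ipaddress
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Rule:
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    lo: int   # first destination port
    hi: int   # last destination port (== lo for a single port)


def _net(token: str) -> ipaddress.IPv4Network:
    """'any' means the whole address space; otherwise a host or CIDR block."""
    return ipaddress.ip_network("0.0.0.0/0" if token == "any" else token)


def parse_rule(line: str) -> Rule:
    """Parse 'allow <proto> <src> -> <dst> <port|lo-hi>' (constructed syntax)."""
    action, proto, src, arrow, dst, ports = line.split()
    if action != "allow" or arrow != "->":
        raise ValueError(f"unsupported rule: {line!r}")
    lo, _, hi = ports.partition("-")
    return Rule(proto, _net(src), _net(dst), int(lo), int(hi or lo))


def fmt(r: Rule) -> str:
    span = str(r.lo) if r.lo == r.hi else f"{r.lo}-{r.hi}"
    return f"{r.proto} {r.src} -> {r.dst} {span}"


def _covers(outer: Rule, inner: Rule) -> bool:
    """True if every packet matched by `inner` is also matched by `outer`."""
    return (outer.proto == inner.proto
            and inner.src.subnet_of(outer.src)
            and inner.dst.subnet_of(outer.dst)
            and outer.lo <= inner.lo and inner.hi <= outer.hi)


def audit(rules: List[Rule], required: List[Rule]) -> List[str]:
    """Report rules broader than any required flow, and required flows not allowed."""
    findings = []
    for r in rules:
        if r.src.prefixlen == 0 or r.dst.prefixlen == 0:
            findings.append(f"{fmt(r)}: 'any' source/destination; pin to the web and DB hosts")
        elif not any(_covers(q, r) for q in required):
            findings.append(f"{fmt(r)}: wider than any required MSDTC/SQL flow")
    for q in required:
        if not any(_covers(r, q) for r in rules):
            findings.append(f"{fmt(q)}: required flow is not allowed (missing rule)")
    return findings


# Required flows: web-server subnet to the DB host only (addresses constructed).
REQUIRED = [parse_rule(line) for line in [
    "allow tcp 10.0.1.0/24 -> 10.0.2.5 135",        # RPC endpoint mapper
    "allow tcp 10.0.1.0/24 -> 10.0.2.5 1433",       # TDS
    "allow tcp 10.0.1.0/24 -> 10.0.2.5 1434",       # SQL 2000 integrated security
    "allow tcp 10.0.1.0/24 -> 10.0.2.5 5100-5200",  # MSDTC, pinned dynamic range
]]

# Weak ruleset (constructed): any-to-any, and the whole RPC dynamic range
# because MSDTC's port allocation was never restricted.
WEAK_RULES = [
    "allow tcp any -> any 135",
    "allow tcp any -> any 1433",
    "allow tcp any -> any 1434",
    "allow tcp any -> any 1024-65535",
]

# Tightened ruleset (constructed): exactly the required flows and nothing else.
TIGHT_RULES = [
    "allow tcp 10.0.1.0/24 -> 10.0.2.5 135",
    "allow tcp 10.0.1.0/24 -> 10.0.2.5 1433",
    "allow tcp 10.0.1.0/24 -> 10.0.2.5 1434",
    "allow tcp 10.0.1.0/24 -> 10.0.2.5 5100-5200",
]


def audit_ruleset(lines: List[str]) -> List[str]:
    return audit([parse_rule(line) for line in lines], REQUIRED)


if __name__ == "__main__":
    for name, rules in (("weak", WEAK_RULES), ("tight", TIGHT_RULES)):
        print(f"== {name} ==")
        for finding in audit_ruleset(rules) or ["no findings"]:
            print(" ", finding)
```

Running it prints four findings for the weak ruleset (one per any-to-any rule) and none for the tightened one; dropping the 5100-5200 rule from the tight set produces a single "missing rule" finding, so the same check also catches a ruleset that is too narrow to let MSDTC work.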

Posted by Sebastian G. on April 10, 2008, 10:22 am
bryars@hotmail.com wrote:

> I've got a fairly typical DMZ setup as below:
>
> Internet
> (External) Watchguard Firewall (80 and 443 open)
> MS Windows 2003 Web Servers (in a workgroup)
> (Internal) MS ISA Firewall (80, 443 and 1433 open)
> MS Windows 2003 Db Servers
>
> We now have a requirement to use MSDTC on the web servers and blow the
> following holes in our internal firewall:
>
> Open 135 RPC EPM (end point mapper)
> Open 1433 TDS SQL traffic when using TCP/IP
> Open 1434 SQL 2000 Integrated Security
> Open 5100-5200 MSDTC [Dynamically assigned a port by the EPM]
>
> I'm worried that these extra ports will be a security risk so my
> question is not how to do this, rather should I do this?
Unless you need them: obviously not.

> Should I ask the developers to adopt a different solution?
As long as everything is properly authenticated, neither DCE-RPC nor MSDTC
nor SQL-over-SSLed-TCP are problematic.