Exchange server in DMZ, not FE server. Is this ever ok?

Posted by Shads79 on June 10, 2007, 11:49 pm
I've just started with a new company and their setup isn't like
anything I've dealt with before, and goes against what I consider best
practice. Here's how the network is laid out:

1 Exchange 2003/AD server, with Mail Marshall on the same box. Two
NICs - one for the internal network, and the other for the DMZ. The
NICs are on two different IP subnets, one for the internal network and
the other for the DMZ. There is a firewall that provides VPN access
and splits the network into the internal and DMZ segments.

Having the Exchange/AD server in the DMZ seems like madness to me, the
fact that it's on a different subnet seems almost meaningless in terms
of security. The reason it's been done like that I think is to
provide access to OWA.

Before I make any suggestions around what to do I wanted to gather
some feedback on whether this is an acceptable solution. Your
thoughts and comments are welcome...

Thanks
Wayne


Posted by Roger Abell [MVP] on June 11, 2007, 1:03 am
Both email and AD are critical resources to most businesses
(that have these) and, as you indicate, should be protected.
I take it that you mean the nic "for the DMZ" is actually directly
in the DMZ (rather than being the target for what the firewall
passes from the DMZ). As you surmise, that is the same as
placing the machine in the DMZ; and, since this is a DC, that
implies that the firewall does not do very much "walling".
Go for it, show them your worth; I agree, they need change.

Roger

> I've just started with a new company and their setup isn't like
> anything I've dealt with before, and goes against what I consider best
> practice. Here's how the network is laid out:
>
> 1 Exchange 2003/AD server, with Mail Marshall on the same box. Two
> NICs - one for the internal network, and the other for the DMZ. The
> NICs are on two different IP subnets, one for the internal network and
> the other for the DMZ. There is a firewall that provides VPN access
> and splits the network into the internal and DMZ segments.
>
> Having the Exchange/AD server in the DMZ seems like madness to me, the
> fact that it's on a different subnet seems almost meaningless in terms
> of security. The reason it's been done like that I think is to
> provide access to OWA.
>
> Before I make any suggestions around what to do I wanted to gather
> some feedback on whether this is an acceptable solution. Your
> thoughts and comments are welcome...
>
> Thanks
> Wayne
>



Posted by S. Pidgorny on June 11, 2007, 6:54 am
Do some threat modeling: what will happen if the firewall passes all traffic?
It will turn out that it doesn't add value in terms of security at all.

--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

* http://sl.mvps.org * http://msmvps.com/blogs/sp *

> I've just started with a new company and their setup isn't like
> anything I've dealt with before, and goes against what I consider best
> practice. Here's how the network is laid out:
>
> 1 Exchange 2003/AD server, with Mail Marshall on the same box. Two
> NICs - one for the internal network, and the other for the DMZ. The
> NICs are on two different IP subnets, one for the internal network and
> the other for the DMZ. There is a firewall that provides VPN access
> and splits the network into the internal and DMZ segments.
>
> Having the Exchange/AD server in the DMZ seems like madness to me, the
> fact that it's on a different subnet seems almost meaningless in terms
> of security. The reason it's been done like that I think is to
> provide access to OWA.
>
> Before I make any suggestions around what to do I wanted to gather
> some feedback on whether this is an acceptable solution. Your
> thoughts and comments are welcome...
>
> Thanks
> Wayne
>



Posted by Roger Abell [MVP] on June 11, 2007, 10:13 am
> Do some threat modeling: what will happen if the firewall passes all
> traffic? It will turn out that it doesn't add value in terms of security
> at all.
>

If I hear you as saying having a firewall present is without value,
then I would have to suggest that is really not so.
Under the assumptions of a completely well-configured W2k3,
and of no unpatched exploitable flaws, that is so. Those are
however large assumptions, especially considering "average"
admin skill level and time to configure and patch.
On the other hand I will admit that Windows 2k3 can be
configured to be pretty darn resistant to exposure to internet
(but this poster has DC/Exchange server - different story).

Roger

>> I've just started with a new company and their setup isn't like
>> anything I've dealt with before, and goes against what I consider best
>> practice. Here's how the network is laid out:
>>
>> 1 Exchange 2003/AD server, with Mail Marshall on the same box. Two
>> NICs - one for the internal network, and the other for the DMZ. The
>> NICs are on two different IP subnets, one for the internal network and
>> the other for the DMZ. There is a firewall that provides VPN access
>> and splits the network into the internal and DMZ segments.
>>
>> Having the Exchange/AD server in the DMZ seems like madness to me, the
>> fact that it's on a different subnet seems almost meaningless in terms
>> of security. The reason it's been done like that I think is to
>> provide access to OWA.
>>
>> Before I make any suggestions around what to do I wanted to gather
>> some feedback on whether this is an acceptable solution. Your
>> thoughts and comments are welcome...
>>
>> Thanks
>> Wayne
>>
>
>



Posted by fiftysixkilo@gmail.com on June 12, 2007, 9:18 am
>
> > Do some threat modeling: what will happen if the firewall passes all
> > traffic? It will turn out that it doesn't add value in terms of security
> > at all.
>
> If I hear you as saying having a firewall present is without value,
> then I would have to suggest that is really not so.
> Under the assumptions of a completely well-configured W2k3,
> and of no unpatched exploitable flaws, that is so. Those are
> however large assumptions, especially considering "average"
> admin skill level and time to configure and patch.
> On the other hand I will admit that Windows 2k3 can be
> configured to be pretty darn resistant to exposure to internet
> (but this poster has DC/Exchange server - different story).
>
> Roger
>
>
>
> >> I've just started with a new company and their setup isn't like
> >> anything I've dealt with before, and goes against what I consider best
> >> practice. Here's how the network is laid out:
>
> >> 1 Exchange 2003/AD server, with Mail Marshall on the same box. Two
> >> NICs - one for the internal network, and the other for the DMZ. The
> >> NICs are on two different IP subnets, one for the internal network and
> >> the other for the DMZ. There is a firewall that provides VPN access
> >> and splits the network into the internal and DMZ segments.
>
> >> Having the Exchange/AD server in the DMZ seems like madness to me, the
> >> fact that it's on a different subnet seems almost meaningless in terms
> >> of security. The reason it's been done like that I think is to
> >> provide access to OWA.
>
> >> Before I make any suggestions around what to do I wanted to gather
> >> some feedback on whether this is an acceptable solution. Your
> >> thoughts and comments are welcome...
>
> >> Thanks
> >> Wayne

I am pretty sure that AD is not made to be exposed to the internet.
There are too many ways to DoS (account lockout being a fun one) if
you freely allow outside access to your AD.
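As an added example (not from the thread or any of its posters), a small Python model of the layout Wayne describes, written to follow S. Pidgorny's suggestion of asking what happens if the firewall passes all traffic, and fiftysixkilo's point about an internet-reachable DC. The host names, zone names and the role-to-listener mapping are constructed assumptions; the port numbers are the standard well-known ports for those services.

```python
from dataclasses import dataclass

# Listeners each role brings to the box (standard well-known ports; assumed set).
ROLE_SERVICES = {
    "AD": {"dns/53", "kerberos/88", "ldap/389", "smb/445"},
    "Exchange": {"smtp/25", "owa-https/443"},
}


@dataclass(frozen=True)
class Host:
    name: str
    roles: frozenset
    zones: frozenset  # every network segment the host has a NIC on

    def listening(self):
        return frozenset().union(*(ROLE_SERVICES[r] for r in self.roles))


def exposed_services(host, firewall_passes_all, allowed_from_internet=frozenset()):
    """Listeners an internet client can reach. A NIC directly in the DMZ puts
    every listener one hop behind the firewall, so the firewall policy alone
    decides what the internet sees; if it passes everything, it sees all of them."""
    if "dmz" not in host.zones:
        return frozenset()
    if firewall_passes_all:
        return host.listening()
    return host.listening() & frozenset(allowed_from_internet)


def assess(host, firewall_passes_all, allowed_from_internet=frozenset()):
    """Return (exposed listeners, findings) for one host under one firewall policy."""
    exposed = exposed_services(host, firewall_passes_all, allowed_from_internet)
    findings = []
    if "AD" in host.roles and exposed & ROLE_SERVICES["AD"]:
        findings.append("domain controller reachable from the internet "
                        "(account-lockout DoS, as the thread notes)")
    if {"dmz", "lan"} <= host.zones:
        # A dual-homed box bridges its segments with no firewall in the path,
        # so a compromise on the DMZ side lands directly on the LAN.
        findings.append("dual-homed host: DMZ compromise is a direct path to the LAN")
    return exposed, findings


# Constructed hosts: the poster's combined AD/Exchange box, and a single-homed
# front-end server in the DMZ with no AD role, the layout the thread title contrasts it with.
COMBINED_BOX = Host("exch-dc-01", frozenset({"AD", "Exchange"}), frozenset({"lan", "dmz"}))
FRONT_END = Host("owa-fe-01", frozenset({"Exchange"}), frozenset({"dmz"}))
```

Running `assess(COMBINED_BOX, True)` shows every AD listener exposed plus the LAN bridge, while `assess(FRONT_END, True)` reports only the two Exchange listeners and no findings.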

