#1: Should I allow MSDTC in my DMZ?

Posted on 2008-04-10 15:30:16 by bryars

I've got a fairly typical DMZ setup as below:

Internet
(External) Watchguard Firewall (80 and 443 open)
MS Windows 2003 Web Servers (in a workgroup)
(Internal) MS ISA Firewall (80, 443 and 1433 open)
MS Windows 2003 Db Servers

We now have a requirement to use MSDTC on the web servers and blow the
following holes in our internal firewall:

Open 135 RPC EPM (end point mapper)
Open 1433 TDS SQL traffic when using TCP/IP
Open 1434 SQL 2000 Integrated Security
Open 5100-5200 MSDTC [Dynamically assigned a port by the EPM]

I'm worried that these extra ports will be a security risk so my
question is not how to do this, rather should I do this? Obviously
there's always a risk opening extra ports, but is it common/normal to
run MSDTC in the DMZ? Should I ask the developers to adopt a different
solution?

Regards,

Daniel


#2: Re: Should I allow MSDTC in my DMZ?

Posted on 2008-04-10 16:22:56 by Sebastian Gottschalk

bryars@hotmail.com wrote:

> I've got a fairly typical DMZ setup as below:
>
> Internet
> (External) Watchguard Firewall (80 and 443 open)
> MS Windows 2003 Web Servers (in a workgroup)
> (Internal) MS ISA Firewall (80, 443 and 1433 open)
> MS Windows 2003 Db Servers
>
> We now have a requirement to use MSDTC on the web servers and blow the
> following holes in our internal firewall:
>
> Open 135 RPC EPM (end point mapper)
> Open 1433 TDS SQL traffic when using TCP/IP
> Open 1434 SQL 2000 Integrated Security
> Open 5100-5200 MSDTC [Dynamically assigned a port by the EPM]
>
> I'm worried that these extra ports will be a security risk so my
> question is not how to do this, rather should I do this?

Unless you need them: obviously not.

> Should I ask the developers to adopt a different solution?

As long as everything is properly authenticated, neither DCE-RPC nor MSDTC
nor SQL-over-SSLed-TCP are problematic.

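The port list in the first post and the reply's condition that everything be properly authenticated map onto two concrete host settings on Windows Server 2003: pinning the RPC endpoint mapper's dynamic allocation to the 5100-5200 window the internal firewall opens, and setting MSDTC's RPC security and transport options. The PowerShell below is an added example, not code from either poster; it assumes PowerShell is installed on the server and is run with administrator rights, uses the documented registry locations for the RPC Internet port range (HKLM\SOFTWARE\Microsoft\Rpc\Internet) and for MSDTC security (HKLM\SOFTWARE\Microsoft\MSDTC and its Security subkey), and the function and parameter names are mine. One caveat a practitioner should know before relying on "properly authenticated": MSDTC's mutual RPC authentication requires both hosts to be members of the same or trusting domains, so with the web tier in a workgroup, as in the question, MSDTC has to run with RPC security turned off and the firewall rule plus the restricted port range are the only controls on that traffic.

```powershell
# Added example, not from the thread. Assumes: Windows Server 2003, PowerShell
# installed, elevated session. Registry value names are the documented ones;
# function names and parameters are the author's own for illustration.

$RpcInternet   = 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet'
$MsdtcRoot     = 'HKLM:\SOFTWARE\Microsoft\MSDTC'
$MsdtcSecurity = 'HKLM:\SOFTWARE\Microsoft\MSDTC\Security'

# 1. Make the EPM hand out ports only from the range the firewall allows, so the
#    "5100-5200" rule on the ISA server matches what TCP/135 actually refers
#    clients to. Takes effect after a reboot.
function Set-RpcDynamicPortRange {
    param([string]$Range = '5100-5200')
    if (-not (Test-Path $RpcInternet)) { New-Item -Path $RpcInternet -Force | Out-Null }
    Set-ItemProperty -Path $RpcInternet -Name Ports -Value @($Range) -Type MultiString
    Set-ItemProperty -Path $RpcInternet -Name PortsInternetAvailable -Value 'Y' -Type String
    Set-ItemProperty -Path $RpcInternet -Name UseInternetPorts -Value 'Y' -Type String
}

# 2. MSDTC: enable only the transaction path, switch off what the web/DB tiers
#    do not use, and pick the RPC authentication mode the environment supports.
function Set-MsdtcHardening {
    param([switch]$WorkgroupPeer)   # set when the other side is not a domain member
    $sec = @{
        NetworkDtcAccess             = 1
        NetworkDtcAccessTransactions = 1
        NetworkDtcAccessInbound      = 1   # DB tier accepts transactions from web tier
        NetworkDtcAccessOutbound     = 1
        NetworkDtcAccessAdmin        = 0   # no remote MSDTC administration over RPC
        NetworkDtcAccessClients      = 0
        XaTransactions               = 0
        LuTransactions               = 0
    }
    foreach ($name in $sec.Keys) {
        Set-ItemProperty -Path $MsdtcSecurity -Name $name -Value $sec[$name] -Type DWord
    }
    if ($WorkgroupPeer) {
        # Mutual authentication needs domain trust; a workgroup peer forces
        # "No Authentication Required". The firewall is then the only control.
        $auth = @{ AllowOnlySecureRpcCalls = 0; FallbackToUnsecureRPCIfNecessary = 0; TurnOffRpcSecurity = 1 }
    } else {
        # Domain members: require authenticated RPC and never fall back.
        $auth = @{ AllowOnlySecureRpcCalls = 1; FallbackToUnsecureRPCIfNecessary = 0; TurnOffRpcSecurity = 0 }
    }
    foreach ($name in $auth.Keys) {
        Set-ItemProperty -Path $MsdtcRoot -Name $name -Value $auth[$name] -Type DWord
    }
    net stop msdtc | Out-Null
    net start msdtc | Out-Null
}

# 3. Verification: read the settings back and flag any TCP listener above 1024
#    that is neither in the allowed dynamic range nor an expected service port.
function Test-MsdtcExposure {
    param([int]$Low = 5100, [int]$High = 5200, [int[]]$Expected = @(1433))
    $rpc  = Get-ItemProperty -Path $RpcInternet -ErrorAction SilentlyContinue
    $dtc  = Get-ItemProperty -Path $MsdtcRoot
    "RPC dynamic range: $($rpc.Ports)  (UseInternetPorts=$($rpc.UseInternetPorts))"
    "MSDTC AllowOnlySecureRpcCalls=$($dtc.AllowOnlySecureRpcCalls) " +
    "FallbackToUnsecureRPCIfNecessary=$($dtc.FallbackToUnsecureRPCIfNecessary) " +
    "TurnOffRpcSecurity=$($dtc.TurnOffRpcSecurity)"
    netstat -ano | ForEach-Object {
        if ($_ -match '^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\s+(\d+)') {
            $port  = [int]$matches[1]
            $owner = $matches[2]
            $inRange = ($port -ge $Low -and $port -le $High)
            if ($port -gt 1024 -and -not $inRange -and ($Expected -notcontains $port)) {
                "Listener outside the firewall window: TCP $port (PID $owner)"
            }
        }
    }
}

# Typical use on the DB tier behind the ISA firewall in the question:
Set-RpcDynamicPortRange -Range '5100-5200'
Set-MsdtcHardening -WorkgroupPeer      # web servers are in a workgroup
Test-MsdtcExposure -Low 5100 -High 5200 -Expected @(1433)
```

Run it on both sides of the ISA firewall; the port-range key applies after a reboot, and anything Test-MsdtcExposure reports outside 5100-5200 is a service the firewall rule in the question does not cover and that should be explained or shut down before the ports are opened.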