Should I allow MSDTC in my DMZ?

on 10.04.2008 15:30:16 by bryars

I've got a fairly typical DMZ setup as below:

Internet
(External) Watchguard Firewall (80 and 443 open)
MS Windows 2003 Web Servers (in a workgroup)
(Internal) MS ISA Firewall (80, 443 and 1433 open)
MS Windows 2003 Db Servers

We now have a requirement to use MSDTC on the web servers and blow the
following holes in our internal firewall:

Open 135 RPC EPM (end point mapper)
Open 1433 TDS SQL traffic when using TCP/IP
Open 1434 SQL 2000 Integrated Security
Open 5100-5200 MSDTC [Dynamically assigned a port by the EPM]

I'm worried that these extra ports will be a security risk so my
question is not how to do this, rather should I do this? Obviously
there's always a risk opening extra ports, but is it common/normal to
run MSDTC in the DMZ? Should I ask the developers to adopt a different
solution?

Regards,

Daniel
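The 5100-5200 range in the list above only stays that narrow if the web servers are told to hand out RPC dynamic endpoints from that range. This added example (not from the thread) pins the range on a Windows web server via the documented HKLM\SOFTWARE\Microsoft\Rpc\Internet key and, after the required reboot, verifies that every msdtc.exe listener actually falls inside it; the port range is taken from the post, the function names are mine.

```powershell
# Added example, not part of the original post: restrict the RPC dynamic port
# range that MSDTC uses to the 5100-5200 window listed in the thread, so the
# internal firewall opening is no wider than that window. Run elevated on each
# web server; a reboot is required before the new range takes effect.

$RpcInternetKey = 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet'
$PortRange      = '5100-5200'   # range quoted in the original post

function Set-RpcDynamicPortRange {
    param([string]$Range = $PortRange)
    if (-not (Test-Path $RpcInternetKey)) {
        New-Item -Path $RpcInternetKey -Force | Out-Null
    }
    # Ports is a REG_MULTI_SZ with one entry per port or range.
    New-ItemProperty -Path $RpcInternetKey -Name 'Ports' `
        -PropertyType MultiString -Value @($Range) -Force | Out-Null
    # 'Y' = the listed ports are the ones handed out to firewall-traversing endpoints.
    New-ItemProperty -Path $RpcInternetKey -Name 'PortsInternetAvailable' `
        -PropertyType String -Value 'Y' -Force | Out-Null
    New-ItemProperty -Path $RpcInternetKey -Name 'UseInternetPorts' `
        -PropertyType String -Value 'Y' -Force | Out-Null
    Write-Output "RPC dynamic range set to $Range; reboot before verifying."
}

function Test-RpcDynamicPortRange {
    # Post-reboot check: report any TCP listener owned by msdtc.exe outside the range.
    $lo, $hi   = ($PortRange -split '-') | ForEach-Object { [int]$_ }
    $msdtcPids = Get-Process -Name msdtc -ErrorAction SilentlyContinue |
                 Select-Object -ExpandProperty Id
    if (-not $msdtcPids) { Write-Warning 'msdtc.exe is not running'; return $false }

    $outside = netstat -ano -p tcp | Select-String 'LISTENING' | ForEach-Object {
        # netstat columns: Proto LocalAddress ForeignAddress State PID
        $f        = (($_.ToString() -replace '\s+', ' ').Trim()) -split ' '
        $port     = [int](($f[1] -split ':')[-1])   # also handles [::]:port
        $ownerPid = [int]$f[4]
        if ($msdtcPids -contains $ownerPid -and ($port -lt $lo -or $port -gt $hi)) { $port }
    }
    if ($outside) {
        Write-Warning ("MSDTC listening outside {0}: {1}" -f $PortRange, ($outside -join ', '))
        return $false
    }
    Write-Output "All MSDTC listeners are within $PortRange"
    return $true
}

Set-RpcDynamicPortRange          # then reboot
# Test-RpcDynamicPortRange       # run after the reboot
```

Port 135 itself is fixed and still has to be opened for the endpoint mapper; the range restriction only bounds the endpoints the mapper hands back.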

Re: Should I allow MSDTC in my DMZ?

on 10.04.2008 16:22:56 by Sebastian Gottschalk

bryars@hotmail.com wrote:

> I've got a fairly typical DMZ setup as below:
>
> Internet
> (External) Watchguard Firewall (80 and 443 open)
> MS Windows 2003 Web Servers (in a workgroup)
> (Internal) MS ISA Firewall (80, 443 and 1433 open)
> MS Windows 2003 Db Servers
>
> We now have a requirement to use MSDTC on the web servers and blow the
> following holes in our internal firewall:
>
> Open 135 RPC EPM (end point mapper)
> Open 1433 TDS SQL traffic when using TCP/IP
> Open 1434 SQL 2000 Integrated Security
> Open 5100-5200 MSDTC [Dynamically assigned a port by the EPM]
>
> I'm worried that these extra ports will be a security risk so my
> question is not how to do this, rather should I do this?

Unless you need them: obviously not.

> Should I ask the developers to adopt a different solution?

As long as everything is properly authenticated, neither DCE-RPC nor MSDTC
nor SQL-over-SSLed-TCP are problematic.