#1: Should I allow MSDTC in my DMZ?

Posted on 2008-04-10 15:30:16 by bryars

I've got a fairly typical DMZ setup as below:

Internet
(External) Watchguard Firewall (80 and 443 open)
MS Windows 2003 Web Servers (in a workgroup)
(Internal) MS ISA Firewall (80, 443 and 1433 open)
MS Windows 2003 Db Servers

We now have a requirement to use MSDTC on the web servers and blow the
following holes in our internal firewall:

Open 135 RPC EPM (end point mapper)
Open 1433 TDS SQL traffic when using TCP/IP
Open 1434 SQL 2000 Integrated Security
Open 5100-5200 MSDTC [Dynamically assigned a port by the EPM]

I'm worried that these extra ports will be a security risk so my
question is not how to do this, rather should I do this? Obviously
there's always a risk opening extra ports, but is it common/normal to
run MSDTC in the DMZ? Should I ask the developers to adopt a different
solution?

Regards,

Daniel


#2: Re: Should I allow MSDTC in my DMZ?

Posted on 2008-04-10 16:22:56 by Sebastian Gottschalk

bryars@hotmail.com wrote:

> I've got a fairly typical DMZ setup as below:
>
> Internet
> (External) Watchguard Firewall (80 and 443 open)
> MS Windows 2003 Web Servers (in a workgroup)
> (Internal) MS ISA Firewall (80, 443 and 1433 open)
> MS Windows 2003 Db Servers
>
> We now have a requirement to use MSDTC on the web servers and blow the
> following holes in our internal firewall:
>
> Open 135 RPC EPM (end point mapper)
> Open 1433 TDS SQL traffic when using TCP/IP
> Open 1434 SQL 2000 Integrated Security
> Open 5100-5200 MSDTC [Dynamically assigned a port by the EPM]
>
> I'm worried that these extra ports will be a security risk so my
> question is not how to do this, rather should I do this?


Unless you need them: obviously not.

> Should I ask the developers to adopt a different solution?


As long as everything is properly authenticated, neither DCE-RPC nor MSDTC
nor SQL-over-SSLed-TCP is problematic.

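Added example, not part of either post: a PowerShell audit script for the web-server side that checks the two things the thread turns on, namely whether the local MSDTC actually requires authentication (the condition in the reply) and whether the RPC dynamic port range is pinned to the 5100-5200 window the question proposes to open, then optionally probes the fixed ports (135, 1433) toward the DB server. It assumes PowerShell 2.0 or later is installed on the Windows Server 2003 web server, that the DB host name is supplied by the caller, and it reads only the documented MSDTC and RPC registry values; the script name and parameter names are my own.

```powershell
# MSDTC-through-firewall audit (added example, not from the thread).
# Assumes PowerShell 2.0+ on the DMZ web server; run from an elevated prompt.
param(
    [string]$DbServer,                        # assumed: internal DB host to probe (optional)
    [string]$ExpectedPortRange = '5100-5200'  # the range the question wants to open
)

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null when the key or value is missing instead of throwing.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Test-TcpPort([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 2000) {
    # Plain TCP connect with a timeout; good enough to confirm the firewall rule exists.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($ar)
        return $true
    } catch { return $false }
    finally { $client.Close() }
}

$findings = @()

# 1. Authentication mode of the local DTC (Component Services -> MSDTC -> Security Configuration).
#    "Mutual Authentication Required" is AllowOnlySecureRpcCalls=1,
#    FallbackToUnsecureRPCIfNecessary=0, TurnOffRpcSecurity=0.
$dtc        = 'HKLM:\SOFTWARE\Microsoft\MSDTC'
$onlySecure = Get-RegValue $dtc 'AllowOnlySecureRpcCalls'
$fallback   = Get-RegValue $dtc 'FallbackToUnsecureRPCIfNecessary'
$turnOff    = Get-RegValue $dtc 'TurnOffRpcSecurity'
if ($turnOff -eq 1) {
    $findings += 'MSDTC runs in "No Authentication Required" mode: RPC security is switched off.'
} elseif ($onlySecure -ne 1 -or $fallback -eq 1) {
    $findings += 'MSDTC does not require mutual authentication (check AllowOnlySecureRpcCalls / FallbackToUnsecureRPCIfNecessary).'
}

# 2. Network DTC Access flags: only what web-to-SQL transactions need should be on.
$sec = Join-Path $dtc 'Security'
if ((Get-RegValue $sec 'NetworkDtcAccess') -ne 1) {
    $findings += 'Network DTC Access is disabled; distributed transactions through the firewall cannot work.'
}
foreach ($flag in 'NetworkDtcAccessInbound', 'NetworkDtcAccessOutbound', 'NetworkDtcAccessTransactions') {
    if ((Get-RegValue $sec $flag) -ne 1) { $findings += "$flag is off; transactions to the DB server will fail." }
}
foreach ($flag in 'NetworkDtcAccessAdmin', 'NetworkDtcAccessTip', 'XaTransactions') {
    if ((Get-RegValue $sec $flag) -eq 1) { $findings += "$flag is on but not needed for web-to-SQL transactions." }
}

# 3. The EPM hands out ports from the dynamic range (1025-5000 by default on Windows 2003)
#    unless HKLM\SOFTWARE\Microsoft\Rpc\Internet pins it. The firewall rule must match that pin.
$rpc   = 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet'
$ports = Get-RegValue $rpc 'Ports'
if ((Get-RegValue $rpc 'UseInternetPorts') -ne 'Y' -or $null -eq $ports) {
    $findings += "RPC dynamic ports are not restricted; a firewall rule for $ExpectedPortRange will not match what the EPM assigns."
} elseif (@($ports) -notcontains $ExpectedPortRange) {
    $findings += "RPC Internet Ports is '$(@($ports) -join ',')' but the firewall rule expects '$ExpectedPortRange'."
}
if ((Get-RegValue $rpc 'PortsInternetAvailable') -ne 'Y') {
    $findings += 'PortsInternetAvailable is not Y, so the Ports list is treated as an exclusion list, not the allowed range.'
}

# 4. Optional reachability check of the fixed TCP ports through the internal firewall.
#    1434 is UDP (SQL Server Resolution Service), so a TCP connect test does not apply to it.
if ($DbServer) {
    foreach ($port in 135, 1433) {
        if (-not (Test-TcpPort $DbServer $port)) { $findings += "TCP $port to $DbServer is blocked or not listening." }
    }
}

if ($findings.Count -eq 0) {
    'OK: MSDTC authentication and RPC port pinning match the proposed firewall rules.'
} else {
    $findings | ForEach-Object { "FINDING: $_" }
}
```

Run it as `.\Audit-MsdtcDmz.ps1 -DbServer <dbhost>` on each web server, and note the caveat this surfaces for the setup in the question: the Mutual Authentication Required mode relies on domain authentication between the two DTC hosts, so web servers sitting in a workgroup are commonly run with No Authentication Required, which is exactly the mode the first check flags. That makes the reply's condition, that everything be properly authenticated, the part to scrutinise before opening 135 and the dynamic range on the internal firewall.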