[clue-tech] Best practice network design?

David Anselmi anselmi at anselmi.us
Tue Jan 4 20:38:25 MST 2005


I was going to be sarcastic about looking for a best practice (i.e., the 
thing that all the Windows admins do because they don't know how to 
think for themselves (or can't figure it out anyway because the only 
people who know are MS consulting)).  But I see that a best practice is 
exactly what you're looking for. ;-)

Chris Schock wrote:
[...]
> My problem is this: I need to have a Windows server in the DMZ
> authenticate users against the Windows Domain, but in order for this to
> work I have to open every single blessed port Windows talks on to make it
> work - making the DMZ completely useless.

We used local accounts rather than the internal domain.  It was secure 
(at least compared to opening all the win ports) but added admin 
overhead.  I wanted to improve it as you describe but never got to it.

But when I asked I was told that MS has a white paper on this.  I never 
found it and our MS consultant didn't come up with anything interesting 
when asked a related question about DMZ servers, so maybe there isn't 
such a thing.  But the guy who said there was seemed to know his stuff.

When I've looked, there seems to be a morass of likely but inadequate 
info.  But I think you're looking for something from MS Solutions for 
Management.

Dave



