[clue-tech] Best practice network design?

Chris Schock black at clapthreetimes.com
Wed Jan 5 07:46:48 MST 2005


> We used local accounts rather than the internal domain.  It was secure
> (at least compared to opening all the win ports) but added admin
> overhead.  I wanted to improve it as you describe but never got to it.

Yep, we went down this road and they didn't want to deal with the overhead
of having two accounts either.

> But when I asked I was told that MS has a white paper on this.  I never
> found it and our MS consultant didn't come up with anything interesting
> when asked a related question about DMZ servers, so maybe there isn't
> such a thing.  But the guy who said there was seemed to know his stuff.

I haven't found any such whitepaper. The closest thing I've found is a lot
of references to the Microsoft ISA server, but this doesn't really solve
my problem - it just adds another layer in. Plus then I have to open
firewall holes for every backend system that needs to be "published".

I tried looking for clubs, user groups, etc. in the Denver area as
another person suggested. There are a lot of Windows groups, but they
mostly center on applications. There's even a user group for FoxPro. I
thought that died almost 10 years ago.

> When I've looked, there seems to be a morass of likely but inadequate
> info.  But I think you're looking for something from MS Solutions for
> Management.

I'm the network guy, and this issue is really Microsoft-specific. I may
end up having to turn it over to someone who is more familiar. Sounds like
a best practice will involve one-way trusts between domains (or if using
2003 server, forests).

You'd be surprised (well, maybe not) at the kinds of solutions people
propose in forums. My favorite is the guy who says to just jam another NIC
into the box, and plug that into the internal network so it's got a leg on
both sides of the firewall... Voila! No firewall rules necessary at all!
:) Just putting the box inside the network is another popular one.

Thanks for all the responses, I promise I'll keep the content more Linux-specific
from now on. :)
