Posts: 144
Joined: 18.Nov.2004
From: Netherlands, The
Status: offline
Hi Tom,
This is a very good article. I was also very surprised (and a bit disappointed) by Steve's argument. I thought that we finally left the basics of a resource domain in Windows NT 4.0 with Proxy Server 2.0. I always say ISA Server should be a member of the domain to have full function. But you do have to harden your ISA Server to take percussion. At the moment I even use a third-party front-end firewall; I do trust ISA, but just to be sure.
I thereby hope Microsoft will comment on this article...
Boudewijn
< Message edited by wbplomp -- 21.Jun.2006 9:40:01 AM >
Hi Tom. I agree with the article and have had my ISA firewall a domain member since ISA 2000. I need the granular access control for both inbound and outbound traffic and having ISA in the domain makes that possible. Also I enjoyed your talk at Tech Ed.
How about one-way trusts? Wouldn't that work well, while still avoiding full domain membership for the ISA machine?
Hi Drixie,
Read the article! One-way trusts are a psychiatric salve! They provide no real security and only add complexity, while reducing your overall security posture.
Hi Boudewijn,
I'll even argue that you don't need to "harden" the ISA firewall other than configuring a secure firewall policy and running the Security Configuration Wizard. And I never put a "hardware" firewall in front of the ISA firewall unless it's convenient or the customer is hypnotized by the hardware firewall vendor and can't get out of his trance. Remember, the ISA firewall is more secure than the "hardware" firewall, which really doesn't provide much if any security to your applications.
You're absolutely right that the ISA firewall should in most cases be a domain member and that it's a shared delusion by most folks that there is a security issue with domain membership. Indeed there is a security issue -- not joining the ISA firewall to the domain weakens the ISA firewall to the extent that it becomes as useless as a "hardware" firewall!
Hi Ammm, Thanks for the kind words about my talk :) You get it! That's great!
OK, OK, almost converted... we've been having issues with FW client authentication, could it be because our ISA is in a one-way trust relationship with the main domain? Also, if we're planning to use Radius OTP authentication, wouldn't a one-way trust be "enough"? Why would we need client certificates?
PS: Many thanks for the site and the book - it has saved us a lot of work!
For RADIUS OTP, you don't even need a trust relationship or a domain, as certificates aren't even required. But RADIUS OTP is limited to Web Publishing only.
Thanks for the kind words about the site and the books!
They usually blanch or drag their withering carcasses away mumbling something about "but it runs on Windows, but it runs..on..Windows.....but......it........runs...........on..............Windows........but....... .........but............but.......................................but................................
Posts: 2
Joined: 7.Apr.2006
From: Seattle, WA, USA
Status: offline
Friends! Either I misstated my point at TechEd (more likely) or Tom misunderstood (less likely), but that doesn't really matter. Fact is, Tom and I are in violent agreement about domain membership; I'm simply approaching a particular intractable problem from my experience dealing with certain customers. There's no debate here, because Tom is correct: domain membership is better.