bryars@hotmail.com
04-10-08, 09:30 AM
I've got a fairly typical DMZ setup as below:
Internet
(External) Watchguard Firewall (80 and 443 open)
MS Windows 2003 Web Servers (in a workgroup)
(Internal) MS ISA Firewall (80, 443 and 1433 open)
MS Windows 2003 Db Servers
We now have a requirement to use MSDTC on the web servers and blow the
following holes in our internal firewall:
Open 135 RPC EPM (end point mapper)
Open 1433 TDS SQL traffic when using TCP/IP
Open 1434 SQL 2000 Integrated Security
Open 5100-5200 MSDTC [Dynamically assigned a port by the EPM]
I'm worried that these extra ports will be a security risk so my
question is not how to do this, rather should I do this? Obviously
there's always a risk opening extra ports, but is it common/normal to
run MSDTC in the DMZ? Should I ask the developers to adopt a different
solution?
Regards,
Daniel
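One way to keep the MSDTC hole as small as the post's own figures suggest is to pin the RPC dynamic range to 5100-5200 on each web server, so the internal firewall only needs that range plus 135 rather than the whole high-port space. This is an added example, not from the original post; it relies on the standard RPC registry values under HKLM\SOFTWARE\Microsoft\Rpc\Internet (Ports, PortsInternetAvailable, UseInternetPorts), which the post itself does not mention, and it assumes the 5100-5200 range is the one the firewall rule permits.

```powershell
# Added example (not from the original post). Pins the RPC endpoint mapper's
# dynamic allocation to 5100-5200 so MSDTC callbacks land inside the range the
# internal firewall already allows. Run elevated on each web server; the
# setting is read at RPC start-up, so a reboot is needed before it applies.
$rpcKey = 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet'
$range  = '5100-5200'   # must match the firewall rule for MSDTC

if (-not (Test-Path $rpcKey)) {
    New-Item -Path $rpcKey -Force | Out-Null
}

# Ports is REG_MULTI_SZ: one entry per port or port range.
New-ItemProperty -Path $rpcKey -Name 'Ports' `
    -PropertyType MultiString -Value @($range) -Force | Out-Null
# 'Y' = the listed ports are the ones offered to callers arriving from
# outside the host (here: the DMZ side of the internal firewall).
New-ItemProperty -Path $rpcKey -Name 'PortsInternetAvailable' `
    -PropertyType String -Value 'Y' -Force | Out-Null
New-ItemProperty -Path $rpcKey -Name 'UseInternetPorts' `
    -PropertyType String -Value 'Y' -Force | Out-Null

# Read the values back and fail loudly if they do not match the firewall rule,
# so a drifted server is caught before the rule is widened to compensate.
$cfg = Get-ItemProperty -Path $rpcKey
$pinned = ($cfg.Ports -contains $range) -and
          ($cfg.PortsInternetAvailable -eq 'Y') -and
          ($cfg.UseInternetPorts -eq 'Y')
if (-not $pinned) {
    throw "RPC dynamic range on $env:COMPUTERNAME is not pinned to $range"
}
"RPC dynamic range pinned to $range; firewall needs only 135 and $range for MSDTC"
```

After the reboot, an MSDTC transaction from a web server should show its RPC listener inside 5100-5200 in `netstat -ano`; anything outside that range means the setting was not picked up and the firewall rule should not be relaxed to make it work.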