SBS 2003 in DMZ. Browsing shared folders

 
 
Guest
Posts: n/a

 
      09-22-2004, 07:53 PM
Hello,

I have Windows Small Business Server 2003 standard in DMZ. This is PDC,
Exchange and Web server.

I have 3 print servers also in DMZ in the same subnetwork with SBS.

From my private network I can connect to the server and browse its shared
folders but I can not browse for shared folders on other computers in the
network. All computers are members of the windows domain network.

What should I look at?

Any help would be thankful.

Igor.


 
 
 
 
 
Lanwench [MVP - Exchange]
Guest
Posts: n/a

 
      09-22-2004, 08:18 PM
(E-Mail Removed) wrote:
> Hello,
>
> I have Windows Small Business Server 2003 standard in DMZ. This is
> PDC, Exchange and Web server.
>
> I have 3 print servers also in DMZ in the same subnetwork with SBS.
>
> From my private network I can connect to the server and browse its
> shared folders but I can not browse for shared folders on other
> computers in the network. All computers are members of the windows
> domain network.
>
> What should I look at?


Well, this is a NetBIOS/browsing issue, related to the ports you have open,
but more importantly, why is an Exchange Server/DC in general in your DMZ
(I'm presuming this is a DMZ between your network & the Internet)? In order
to allow this server to communicate with the rest of your network you have
to open up so many ports between DMZ and LAN that you turn any firewall into
a screen door....

Post back with more info about what ports are open where....but I strongly
suggest you rethink this approach. What's the purpose of putting it there?


>
> Any help would be thankful.
>
> Igor.



 
 
Guest
Posts: n/a

 
      09-22-2004, 10:32 PM

"Lanwench [MVP - Exchange]" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> (E-Mail Removed) wrote:
>
> Well, this is a NetBIOS/browsing issue, related to the ports you have open,
> but more importantly, why is an Exchange Server/DC in general in your DMZ
> (I'm presuming this is a DMZ between your network & the Internet)? In order
> to allow this server to communicate with the rest of your network you have
> to open up so many ports between DMZ and LAN that you turn any firewall into
> a screen door....
>
> Post back with more info about what ports are open where....but I strongly
> suggest you rethink this approach. What's the purpose of putting it there?


Everything is opened between DMZ and local network.
Maybe I don't know something important but I don't see a threat from DMZ to
local network.
I opened only certain ports for the external network in DMZ.

The reason I put SBS in DMZ that I will have couple more servers dedicated
to provide some web services as well as SBS provides some web services. They
will use some of the resources of SBS also.

As I understand SBS is designed "all in one box" and we need most of its
functions.

I am a newbie in network security area so I appreciate you correct me.

Sincerely,

Igor.


 
 
Jetro
Guest
Posts: n/a

 
      09-23-2004, 03:19 AM
You can read a bit here

http://www.secinf.net/uplarticle/winsec/250_DMZ_02.pdf
Windows 2000 DMZ design

The machines on the DMZ may be compromised, but that is the nature of the
DMZ bastion host. That's why putting any DC into DMZ is a very bad idea
(front-end/back-end Exchange topology isn't secure by default as well, but
Paula can correct me on this issue). Using SBS Standard as DMZ host is
probably the worst imaginable scenario.


 
 
Lanwench [MVP - Exchange]
Guest
Posts: n/a

 
      09-23-2004, 03:21 AM
(E-Mail Removed) wrote:
> "Lanwench [MVP - Exchange]" <(E-Mail Removed)> wrote in
> message news:(E-Mail Removed)...
>> (E-Mail Removed) wrote:
>>
>> Well, this is a NetBIOS/browsing issue, related to the ports you have
>> open, but more importantly, why is an Exchange Server/DC in general in
>> your DMZ (I'm presuming this is a DMZ between your network & the
>> Internet)? In order to allow this server to communicate with the rest
>> of your network you have to open up so many ports between DMZ and
>> LAN that you turn any firewall into a screen door....
>>
>> Post back with more info about what ports are open where....but I
>> strongly suggest you rethink this approach. What's the purpose of
>> putting it there?

>
> Everything is opened between DMZ and local network.


Then you no longer have a DMZ....


> Maybe I don't know something important but I don't see a threat from
> DMZ to local network.


What's open from Internet to DMZ?

> I opened only certain ports for the external network in DMZ.
>
> The reason I put SBS in DMZ that I will have couple more servers
> dedicated to provide some web services as well as SBS provides some
> web services. They will use some of the resources of SBS also.


Put dedicated webservers in the DMZ. Leave domain controllers & Exchange
inside your LAN. Ideally, don't allow any potentially dangerous ports to be
opened from WAN to DMZ, or WAN to LAN, or DMZ to LAN.
>
> As I understand SBS is designed "all in one box" and we need most of
> its functions.


Yes, but I also don't recommend using it to host public websites. Hosting
accounts are cheap enough and I'd rather outsource this than put it on a
DC/Exchange/IIS box or put a dedicated webserver in the DMZ.
>
> I am a newbie in network security area so I appreciate you correct me.


There are as many opinions on this as there are people. I'm just giving you
what I think the best setup is.
>
> Sincerely,
>
> Igor.



 
 
Phillip Windell
Guest
Posts: n/a

 
      09-23-2004, 02:29 PM
<(E-Mail Removed)> wrote in message
news:%(E-Mail Removed)...
> Everything is opened between DMZ and local network.
> Maybe I don't know something important but I don't see a threat from DMZ to
> local network.
> I opened only certain ports for the external network in DMZ.


It doesn't matter how many ports you "open" it still isn't going to work,
you still have NAT to deal with. "Closed ports" are *not* what ultimately
separates the two segments,...it is NAT that separates the segments, the
"closed ports" only complement the restrictions created by NAT.

You need to rethink your needs and requirements and separate your "have
to's" from your "want to's". What you are wanting to do is totally the
wrong approach.

--

Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com


 
 
Guest
Posts: n/a

 
      09-23-2004, 09:24 PM

"Phillip Windell" <@.> wrote in message
news:%(E-Mail Removed)...
> <(E-Mail Removed)> wrote in message
> news:%(E-Mail Removed)...
>> Everything is opened between DMZ and local network.

>
> It doesn't matter how many ports you "open" it still isn't going to work,
> you still have NAT to deal with. "Closed ports" are *not* what ultimately
> separates the two segments,...it is NAT that separates the segments, the
> "closed ports" only complement the restrictions created by NAT.


Certainly I have NAT. I just don't know how I can deal with it.

>
> You need to rethink your needs and requirements and separate your "have
> to's" from your "want to's". What you are wanting to do is totally the
> wrong approach.


That's what I am doing here.

Thank you.

Igor.


 
 
Guest
Posts: n/a

 
      09-23-2004, 09:49 PM
Thank you very much for your comments.

Between Internet and DMZ opened https (443), pop3 (110), smtp (25),
pptp (1723), ftp (21), 9100, 135, 8088. Last three not for SBS.

So looks like better to move SBS into internal network and open all ports
for it.

Igor.

"Lanwench [MVP - Exchange]" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> (E-Mail Removed) wrote:
>> "Lanwench [MVP - Exchange]" <(E-Mail Removed)> wrote in
>> message news:(E-Mail Removed)...
>>> (E-Mail Removed) wrote:
>>>
>>> Well, this is a NetBIOS/browsing issue, related to the ports you have
>>> open, but more importantly, why is an Exchange Server/DC in general in
>>> your DMZ (I'm presuming this is a DMZ between your network & the
>>> Internet)? In order to allow this server to communicate with the rest
>>> of your network you have to open up so many ports between DMZ and
>>> LAN that you turn any firewall into a screen door....
>>>
>>> Post back with more info about what ports are open where....but I
>>> strongly suggest you rethink this approach. What's the purpose of
>>> putting it there?

>>
>> Everything is opened between DMZ and local network.

>
> Then you no longer have a DMZ....
>
>
>> Maybe I don't know something important but I don't see a threat from
>> DMZ to local network.

>
> What's open from Internet to DMZ?
>
>> I opened only certain ports for the external network in DMZ.
>>
>> The reason I put SBS in DMZ that I will have couple more servers
>> dedicated to provide some web services as well as SBS provides some
>> web services. They will use some of the resources of SBS also.

>
> Put dedicated webservers in the DMZ. Leave domain controllers & Exchange
> inside your LAN. Ideally, don't allow any potentially dangerous ports to be
> opened from WAN to DMZ, or WAN to LAN, or DMZ to LAN.
>>
>> As I understand SBS is designed "all in one box" and we need most of
>> its functions.

>
> Yes, but I also don't recommend using it to host public websites. Hosting
> accounts are cheap enough and I'd rather outsource this than put it on a
> DC/Exchange/IIS box or put a dedicated webserver in the DMZ.
>>
>> I am a newbie in network security area so I appreciate you correct me.

>
> There are as many opinions on this as there are people. I'm just giving you
> what I think the best setup is.
>>
>> Sincerely,
>>
>> Igor.

>
>



 
Reply With Quote
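The policy discussed in this thread, expressed as a small audit script. This is an added example, not code from any poster: the zone names, the trust ordering, the `REVIEW_PORTS` table and the `audit` function are assumptions made for illustration, and both sample rule sets are constructed from the ports and advice given above.

```python
from dataclasses import dataclass

ANY = "any"
TRUST = {"WAN": 0, "DMZ": 1, "LAN": 2}  # assumed ordering: higher = more trusted

# Assumed review list: common assignments of well-known TCP ports.
REVIEW_PORTS = {
    21: "FTP, cleartext credentials",
    110: "POP3, cleartext credentials",
    135: "MS-RPC endpoint mapper",
    139: "NetBIOS session service",
    445: "SMB over TCP",
    9100: "raw printing",
}

@dataclass(frozen=True)
class Rule:
    src: str        # source zone
    dst: str        # destination zone
    ports: object   # frozenset of TCP ports, or ANY

def audit(rules):
    """Return (src, dst, port, reason) for rules that allow traffic
    from a less trusted zone into a more trusted one and need review."""
    findings = []
    for r in rules:
        if TRUST[r.src] >= TRUST[r.dst]:
            continue  # outbound or same-zone traffic is out of scope here
        if r.ports == ANY:
            findings.append((r.src, r.dst, ANY, "all ports open, boundary not enforced"))
            continue
        for port in sorted(r.ports):
            if port in REVIEW_PORTS:
                findings.append((r.src, r.dst, port, REVIEW_PORTS[port]))
    return findings

# Constructed from the thread: ports opened Internet -> DMZ, everything DMZ <-> LAN.
THREAD_POLICY = [
    Rule("WAN", "DMZ", frozenset({443, 110, 25, 1723, 21, 9100, 135, 8088})),
    Rule("DMZ", "LAN", ANY),
    Rule("LAN", "DMZ", ANY),
]
# Constructed: one reading of the advice (web server only in DMZ, nothing DMZ -> LAN).
SEGMENTED_POLICY = [Rule("WAN", "DMZ", frozenset({443})), Rule("LAN", "DMZ", ANY)]

if __name__ == "__main__":
    for name, policy in (("thread", THREAD_POLICY), ("segmented", SEGMENTED_POLICY)):
        print(name)
        for finding in audit(policy):
            print("  ", *finding)
```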
 
Guest
Posts: n/a

 
      09-23-2004, 10:32 PM
Jetro,

Thanks a lot for the link. It's a very informative article.

But I have only 5 users including myself and in a while I will have some
servers I need to put online to deliver our internet products.
I will need to share some information from SBS with those servers (for e.g.
contact list)

So SBS is only for 5 users. I need email, internal ftp, web access, I think
it's not a good idea to have separated pdc, bdc, exchange, sharepoint, sql
servers for administrative tasks for I even don't want BDC for that.

You are the third who tells me to put PDC in DMZ it's a bad idea. I guess I
would have the same issue even worse if I have SBS as the only server in my
company. By design I don't need a firewall or a router. Although if it has
two network interfaces (external and internal) in this case seems that our
network is more secure.

Sincerely,

Igor.

"Jetro" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> You can read a bit here
>
> http://www.secinf.net/uplarticle/winsec/250_DMZ_02.pdf
> Windows 2000 DMZ design
>
> The machines on the DMZ may be compromised, but that is the nature of the
> DMZ bastion host. That's why putting any DC into DMZ is a very bad idea
> (front-end/back-end Exchange topology isn't secure by default as well, but
> Paula can correct me on this issue). Using SBS Standard as DMZ host is
> probably the worst imaginable scenario.
>
>



 
 
Lanwench [MVP - Exchange]
Guest
Posts: n/a

 
      09-23-2004, 11:46 PM
(E-Mail Removed) wrote:
> Jetro,
>
> Thanks a lot for the link. It's a very informative article.
>
> But I have only 5 users including myself and in a while I will have
> some servers I need to put online to deliver our internet products.
> I will need to share some information from SBS with those servers
> (for e.g. contact list)


I'd be very careful with that. Public webservers should be isolated. What
kind of information do they need?
>
> So SBS is only for 5 users. I need email, internal ftp, web access, I
> think it's not a good idea to have separated pdc, bdc, exchange,
> sharepoint, sql servers for administrative tasks for I even don't
> want BDC for that.


It's never a bad idea to have an additional DC if you can - but it isn't
mandatory.
>
> You are the third who tells me to put PDC in DMZ it's a bad idea. I
> guess I would have the same issue even worse if I have SBS as the
> only server in my company. By design I don't need a firewall or a
> router. Although if it has two network interfaces (external and
> internal) in this case seems that our network is more secure.


A firewall of some sort is mandatory...it isn't a panacea, and it isn't
going to protect you from everything, but a properly patched server behind a
properly configured firewall protecting it from the Internet is not a big
deal to admin & maintain.
>
> Sincerely,
>
> Igor.
>
> "Jetro" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed)...
>> You can read a bit here
>>
>> http://www.secinf.net/uplarticle/winsec/250_DMZ_02.pdf
>> Windows 2000 DMZ design
>>
>> The machines on the DMZ may be compromised, but that is the nature
>> of the DMZ bastion host. That's why putting any DC into DMZ is a
>> very bad idea (front-end/back-end Exchange topology isn't secure by
>> default as well, but Paula can correct me on this issue). Using SBS
>> Standard as DMZ host is probably the worst imaginable scenario.



 