Thread: Should I allow MSDTC in my DMZ?

  1. #1
    bryars@hotmail.com
    Guest

    Should I allow MSDTC in my DMZ?

    I've got a fairly typical DMZ setup as below:

    Internet
    (External) Watchguard Firewall (80 and 443 open)
    MS Windows 2003 Web Servers (in a workgroup)
    (Internal) MS ISA Firewall (80, 443 and 1433 open)
    MS Windows 2003 Db Servers

    We now have a requirement to use MSDTC on the web servers and blow the
    following holes in our internal firewall:

    Open 135 RPC EPM (endpoint mapper)
    Open 1433 TDS SQL traffic when using TCP/IP
    Open 1434 SQL 2000 Integrated Security
    Open 5100-5200 MSDTC [Dynamically assigned a port by the EPM]

    I'm worried that these extra ports will be a security risk so my
    question is not how to do this, rather should I do this? Obviously
    there's always a risk opening extra ports, but is it common/normal to
    run MSDTC in the DMZ? Should I ask the developers to adopt a different
    solution?

    Regards,

    Daniel

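Added example, not part of the thread: a small Python audit that checks a candidate allow-rule set for the internal firewall against exactly the four flows listed above, flagging any rule whose source, destination or port range is wider than the DMZ web tier, the DB tier, or the documented MSDTC/SQL ports. The tier address ranges, the rule format and the sample rules are assumptions constructed for the example.

```python
import ipaddress

# Flows listed in the post for DMZ web servers -> internal DB servers (TCP as listed there).
REQUIRED_PORTS = {
    "rpc-epm": (135, 135),
    "sql-tds": (1433, 1433),
    "sql-1434": (1434, 1434),
    "msdtc-dynamic": (5100, 5200),   # the EPM-assigned MSDTC range the post cites
}

# Constructed placeholder address ranges for the two tiers; substitute your own.
WEB_TIER = ipaddress.ip_network("192.0.2.0/28")
DB_TIER = ipaddress.ip_network("198.51.100.0/28")


def audit_rule(rule):
    """Return findings for one allow rule; an empty list means the rule is no
    wider than the web tier, the DB tier, and the port set the post requires."""
    findings = []
    src = ipaddress.ip_network(rule["src"])
    dst = ipaddress.ip_network(rule["dst"])
    if not src.subnet_of(WEB_TIER):
        findings.append("source is wider than the DMZ web tier")
    if not dst.subnet_of(DB_TIER):
        findings.append("destination is wider than the internal DB tier")
    lo, hi = rule["ports"]
    # A rule passes only if its whole port span sits inside one required range.
    if not any(lo >= r_lo and hi <= r_hi for r_lo, r_hi in REQUIRED_PORTS.values()):
        findings.append(f"ports {lo}-{hi} exceed the documented MSDTC/SQL set")
    return findings


def audit(rules):
    """Map each rule name to its list of findings."""
    return {rule["name"]: audit_rule(rule) for rule in rules}


# Constructed sample rule set: two tight rules and two that over-open the internal firewall.
SAMPLE_RULES = [
    {"name": "web-to-db-epm", "src": "192.0.2.0/28", "dst": "198.51.100.0/28", "ports": (135, 135)},
    {"name": "web-to-db-dtc", "src": "192.0.2.0/28", "dst": "198.51.100.0/28", "ports": (5100, 5200)},
    {"name": "web-to-db-dtc-wide", "src": "192.0.2.0/28", "dst": "198.51.100.0/28", "ports": (1024, 65535)},
    {"name": "any-to-db-sql", "src": "0.0.0.0/0", "dst": "198.51.100.0/28", "ports": (1433, 1433)},
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_RULES).items():
        print(name, "OK" if not findings else "; ".join(findings))
```
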
  2. #2
    Sebastian G.
    Guest

    Re: Should I allow MSDTC in my DMZ?

    bryars@hotmail.com wrote:

    > I've got a fairly typical DMZ setup as below:
    >
    > Internet
    > (External) Watchguard Firewall (80 and 443 open)
    > MS Windows 2003 Web Servers (in a workgroup)
    > (Internal) MS ISA Firewall (80, 443 and 1433 open)
    > MS Windows 2003 Db Servers
    >
    > We now have a requirement to use MSDTC on the web servers and blow the
    > following holes in our internal firewall:
    >
    > Open 135 RPC EPM (endpoint mapper)
    > Open 1433 TDS SQL traffic when using TCP/IP
    > Open 1434 SQL 2000 Integrated Security
    > Open 5100-5200 MSDTC [Dynamically assigned a port by the EPM]
    >
    > I'm worried that these extra ports will be a security risk so my
    > question is not how to do this, rather should I do this?

    Unless you need them: obviously not.

    > Should I ask the developers to adopt a different solution?

    As long as everything is properly authenticated, neither DCE-RPC nor MSDTC
    nor SQL-over-SSLed-TCP are problematic.
