Letters to Redmond

Readers Respond October 2005

New-found respect, the possibility of buying a Mac and a DMZ question for Security Advisor columnist Joern Wettern.

• 10/01/2005

A Brave New World: Why I'm Going to Buy a Mac
I read Doug Barney's editorial ["Why I Bought a Mac," August 2005] with a little amusement recently because each year, North Carolina has a back-to-school moratorium on sales tax (7 percent), which applies to computer purchases. At the biggest mall in the Research Triangle Park (RTP) area during this time, there was a line of about 300 people outside the Apple store. The Dell store had no line.

I recently shot some video of a sailboat race and was planning to edit it on my Dell home computer system. One of the crew on my boat approached me after the race and asked how I was going to edit the video. When I responded with "Dell PC" he looked at me squarely and said, "Don't waste your time. Plug your camcorder into an Apple iMac and you'll be done in no time." Weeks later, my video still isn't edited. So the effective work output in this case for my Wintel system to date is zero, which means my return on investment to date is zero, no matter what the investment was.

Therefore, I, too, am contemplating buying an Apple computer soon. It could be the start of a whole new world of computing relaxation.
Paul Triulzi
RTP/Durham, N.C.

No Silver Bullet
I liked Joern Wettern's article "Dump your DMZ" [July 2005]—good ideas, even if there wasn't a "silver bullet" solution at the end.

We make use of a dual-firewall DMZ here in an extranet between my company and my partner company that's fairly secure and works well.

I have one question: Let's say I needed to connect users in an isolated DMZ to a greater Windows domain. Wettern stated that a large number of ports need to be opened up between the domain controller and the workstation in the DMZ for domain authentication to work. What are the minimum ports I need to open in order to get these guys to log in, authenticate and process GPOs?
I've read the "Port Requirements for the Microsoft Windows Server
System" and the "How to Configure a Firewall for Domains and Trusts" documents put out by Microsoft. In the latter document it shows the following ports:

• tcp/389 & udp/389 LDAP
• tcp/636 LDAP SSL
• tcp/3268 LDAP GC
• tcp/3269 LDAP GC SSL
• tcp/53 & udp/53 DNS
• tcp/88 & udp/88 Kerberos
• tcp/445 SMB

It says these are for Windows 2000. Is it the same for a Windows 2003 DC?
Greg Shields
Aurora, Co.

Wettern responds: I have good news and bad news. The good news is that none of the changes between Windows 2000 and Windows Server 2003 should impact the ports that are affected. The bad news is that controlling domain traffic by using packet filters can get rather tricky, in either version of the OS.

The biggest challenge is that some domain traffic uses RPC, which uses port 135 for the initial connection, but then uses an unpredictable high port for a second connection. Most likely you won't be affected by this, as RPC is primarily used for replication of some Group policy elements between domain controllers, but your client-to-DC traffic will most likely not be affected.

As you're setting this up, look at which ports are labeled "GC." Clients connect to Global Catalog servers. Those without "GC" are used to communicate with other DCs. Also, don't forget to allow communications using TCP and UDP ports 53 to your DNS servers.

If your tests show that communications are not successful, use network monitoring to pinpoint which connection attempts fail. Finally, I recommend you use IPsec to authenticate and control network traffic between DCs and domain members. Doing so should give you a higher level of security than packet filtering. However, it's also more complex to implement.