Hello All,

Just wanted to run something past you all.

I am mapping the network for a new company that I am working for and have run into some things that I think are a no-no. Just want to validate my thoughts here.

1. We run our own web server and have it in a DMZ using a WatchGuard Firebox. It is part of the Optional Zone in the Firebox Configuration. During the mapping of the network I came to realize that it's an NT4 Domain, with one PDC and 3 BDCs. Currently one of the BDCs is the Web Server which is in the DMZ... I don't think this is a good idea, but wanted to see if anyone can think of any reason why we would have it there? I mean it would be bad if someone got root on it and basically could get all the user and domain info, right?? No NT authentication is used for any kind of extranet. On top of that there are 25 critical patches that need to be applied to the server.


2. The WINS server is also in the DMZ. Correct me if I'm wrong again, but if it's in the DMZ isn't it possible to hack the system and get the entire WINS database, which would enumerate the entire network in one shot?? We do not have local DNS up yet, but that is one of my first projects. I was thinking of getting DNS up inside my Private Network, and then getting rid of the WINS server.

Just looking for other points of view for when I go to the boss and let him know we may be in a bad position.


Thanks for any feedback........