The great firewall of China
Scott Granneman, 2005-08-30

In the 1980s, I was unbeatable in Trivial Pursuit, and to this day, I still possess a love of trivia. Here are some neat facts about the Great Wall of China. Did you know...

The great firewall of China 2005-08-31
Trinidex (2 replies)
Re: The great firewall of China 2005-09-09
Anonymous
Re: The great firewall of China 2005-09-22
Anonymous
Resources for practical deployment 2005-08-31
Alex Nordstrom
The great firewall of China 2005-08-31
Art Blummer
The great firewall of China 2005-08-31
Erik Norgaard
The great firewall of China 2005-08-31
Roger Davies (1 replies)
Re: The great firewall of China 2005-09-08
transplant
The great firewall of China 2005-08-31
Anonymous
The great firewall of China 2005-08-31
Anonymous
The great firewall of China 2005-08-31
Mihai
The great firewall of China 2005-08-31
carpy
The great firewall of China 2005-08-31
Anonymous
The great firewall of China 2005-08-31
Anonymous
The great firewall of China 2005-08-31
Anonymous (1 replies)
Re: The great firewall of China 2005-09-10
Anonymous InfoSec Guy
While I appreciate your situation, and agree with most here that if any netblock from anywhere becomes a problem, it should be blocked entirely, I think you have some contributory issues that speak to the larger security problem most organizations face. How do "they" know how to target your domain controller? If you have that much information about your internal network leaking out of your perimeter, you have some additional securing to do of your own, or geographical location will have nothing to do with your server's eventual compromise.

Most best practices agree that MS DCs should not be visible _from_ the outside, and many agree that they should not be allowed direct access _to_ the outside. They are too critical to internal operations, and hardware is too cheap to host several mission critical functions on the same box if they require different levels of external access. Best practices recommend this separation of function to different boxen for this reason, among others. Same goes for your mail server if it is your primary internal mail server. Set up a proxy or a separate MTA for external mail receipt and transmit. You appear to be ripe for a zero-day pickoff of your entire internal network, and you told the whole world yourself right here.

Link to this comment: http://www.securityfocus.com/comments/columns/350/32354#32354
The great firewall of China 2005-08-31
Anonymous
The great firewall of China 2005-08-31
Anonymous
The great firewall of China 2005-08-31
Anonymous
The great firewall of China 2005-08-31
Anonymous
That's just shocking 2005-08-31
Colin
The great firewall of China 2005-08-31
JustDisGuy
The great firewall of China 2005-08-31
vonbrand
The great firewall of China 2005-09-01
Anonymous
The great firewall of China 2005-09-02
Anonymous
The great firewall of China 2005-09-03
Anonymous
The great firewall of China 2005-09-05
cto74@hotmail.com
The great firewall of China 2005-09-19
Mike Gaynes







 

Copyright 2008, SecurityFocus