1. The least you need is TCP 139, used to establish a session between
trusting DCs to channel pass-through authentication requests. It is also
used for trusting DCs to exchange updated passwords which control the
trust itself (every 7 days typically).
2. http://www.microsoft.com/kb/articles/q128/4/89.htm talks about how
password changes happen for trust relationships, and
http://www.microsoft.com/kb/articles/q152/7/19.htm talks about the
characteristics of trust traffic in a WAN environment.
3. To the best of my knowledge there aren't any NetBIOS proxies yet. I
would simply answer your question with a NO. Besides, it's not really a
proxy you want here, you really need to establish an encrypted tunnel to
put your NetBIOS traffic through to prevent a variety of MITM attacks
across the untrusted network. My suggestion would be to use PPTP in a
site-to-site configuration, thereby expecting you to open TCP 1723
between the sites (this assumes NT 4.0). PPTP allows you to encrypt the
connection, and your Firewall should allow you to prevent any other
machines from connecting at either end.
There are a number of things that can go wrong with a trust relationship
like this, so you will need to do some profiling to determine the
optimum configuration settings to keep the trust up.
Cheers,
Russ
R.C. Consulting, Inc. - NT/Internet Security
NTBugTraq: Send SUBSCRIBE NTBUGTRAQ Your Name to LISTSERV@RC.ON.CA