RE: AD replication - IP site to site encryption?

From: Laura A. Robinson (larobins@bellatlantic.net)
Date: 03/15/03

    From: "Laura A. Robinson" <larobins@bellatlantic.net>
    To: <sn0rt_y@hotmail.com>, <focus-ms@securityfocus.com>
    Date: Fri, 14 Mar 2003 18:01:33 -0500
    
    

    RPC replication data is natively encrypted using 128-bit encryption.
    Password changes are sent using LDAP over SSL. Accompanying data is not
    encrypted (DNS, CIFS/SMB session setup, etc.).

    Laura

    > -----Original Message-----
    > From: sn0rt_y@hotmail.com [mailto:sn0rt_y@hotmail.com]
    > Sent: Friday, March 07, 2003 10:51 AM
    > To: focus-ms@securityfocus.com
    > Subject: AD replication - IP site to site encryption?
    >
    >
    > Good day -
    > There is a design being discussed of a Windows 2000 Native
    > mode forest, single domain, multiple sites with one DC in
    > each site. Each DC will be kept up to date on OS patches.
    > Replication between DC's will be over IP without a VPN, IPSEC
    > on the servers or LDAP over SSL.
    >
    > A question is what type, if any, encryption will be used on
    > the replication traffic by default. Kerberos authentication
    > will by default be used but will I be able to sniff the wire
    > during replication and view say... password changes?
    >
    > This info will be used to present a case for using W2K IPSEC
    > DC-to-DC communication, LDAP over SSL via certificates or a
    > hardware VPN solution.
    >
    > TIA
    > Sn0rt_y
    >
