Re: Use of L2TP in isolated W2K3 AD

From: Joshua Feek (jfeek_at_yahoo.com.au)
Date: 06/09/04

  • Next message: Fabrice Aubry: "RE: Use of L2TP in isolated W2K3 AD"
    Date: Wed, 9 Jun 2004 12:26:32 +0100 (BST)
    To: Milos Puchta <puchta@cslab.felk.cvut.cz>, focus-ms@securityfocus.com
    
    

    It might be difficult to strategise all the
    configurations but start with using IPSEC. All domain
    members get a GPO config which forces down a machine
    cert. Use IPSEC rules to filter traffic to only
    machine cert based authentication. All other non cert
    based traffic is denied. How complex your environment
    is will determine how much effort is required but
    there is nothing to stop you enabling IPSEC based
    connectivity between all domain members via GPO
    therefore stopping all traffic from non domain members
    from reaching any domain member. Just a starting point
    to use the technology you alrady have and is freely
    available with what you own

    Josh

     --- Milos Puchta <puchta@cslab.felk.cvut.cz> wrote: >
    1.
    > Imagine a large network that is more or less opened
    > to the Internet.
    > I mean that there is packet filtering for some
    > ports, one subnet
    > is blocked from the access from the Internet but due
    > to the routing
    > between subnets all subnets are opened....
    >
    > 2.
    > I can do nothing as to the changes in the structure
    > of LAN :-(((
    > except asking for blocking direct access to the
    > selected computers.
    > (No private LAN for private range of ip, no
    > blocking routing,... :-(( ...)
    >
    > 3.
    > There are various services and operating system on
    > the LAN,
    > including Windows, FreeBSD, Novell, SUN,VMS etc
    >
    > 4.
    > I "develop" and maintain Active Directory (Windows
    > 2003 Server and Windows
    > XP Professional) in this structure. Windows XP
    > clients should reach
    > data on various system (data and licenses on license
    > servers).
    >
    > Because of security problems I consider the
    > isolation of domain controllers
    > behind
    > internal ISA firewall and Windows clients would use
    > L2TP protocol, as if
    > they were
    > accessing domain controllers and file servers from
    > the Internet.
    > Is this solution in my case?
    >
    > Thanks for your opinion and qualified guess.
    >
    > Regards,
    > Milos
    >
    >
    >
    ---------------------------------------------------------------------------
    >
    ---------------------------------------------------------------------------
    >

            
            
                    
    ____________________________________________________________
    Yahoo! Messenger - Communicate instantly..."Ping"
    your friends today! Download Messenger Now
    http://uk.messenger.yahoo.com/download/index.html

    ---------------------------------------------------------------------------
    ---------------------------------------------------------------------------


  • Next message: Fabrice Aubry: "RE: Use of L2TP in isolated W2K3 AD"

    Relevant Pages

    • RE: W2K Professional Install with original CD (pre-service packs)...a
      ... install up, then when I rebooted it was time for the critical patch to .NET ... only valid club members can have that. ... old thing was this Windows 2000 Professional CD that never existed before the ... svchost.exe trying to access the Internet. ...
      (microsoft.public.win2000.setup)
    • Re: Distribution list update
      ... OL2000 is on Windows XP. ... >>> members, just not the members of the distribution lists. ... >>> different client ...
      (microsoft.public.exchange.clients)
    • Re: Creating a C++ like message loop in .NET threaded classes.
      ... Just grab your good ol' C++ message loop knowledge and write the same code in .NET, calling API functions such as GetMessage and DispatchMessage through P/Invoke. ... control over Windows message processing (or maybe it's in the .NET and I ... Now I don't necessarily want the code of these members ... the object processes the message when its thread is ...
      (microsoft.public.dotnet.framework)
    • Re: Secure Server & Services
      ... > careful consideration of what traffic you want to use IPSec for. ... > only by domain members. ... It won't be long before your network gets the next Blaster, ... Being a BOFH I want to enforce company policy and ...
      (microsoft.public.windows.server.security)
    • Re: users last-logon-timestamp
      ... Otherwise memberOf will only match the direct members. ... Co-author of "The .NET Developer's Guide to Directory Services Programming" ... Also, lastLogonTimestamp is a "normal" date time, so you don't need to ... we are at windows 2000 native mode with mixed Windows ...
      (microsoft.public.windows.server.active_directory)