Re: IPSEC with non-domain Server
From: Steve Clark [MSFT] (bogus_at_microsoft.com)
Date: 09/16/05
- Next message: Dmitry Tochilovsky: "S/MIME signatures for internal email only?"
- Previous message: Brian Komar [MVP]: "Re: Changing Cert template in Win2k3 Enterprise PKI CA"
- In reply to: Steven L Umbach: "Re: IPSEC with non-domain Server"
- Next in thread: Steven L Umbach: "Re: IPSEC with non-domain Server"
- Reply: Steven L Umbach: "Re: IPSEC with non-domain Server"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 16 Sep 2005 12:00:40 -0700
Certificates are not the "most secure", rather, they are one of the 2 "more
secure" options (I do not consider PSK as "secure" in and of thesmelves).
The question comes down to how you want to limit access. If using Kerb,
then the ability to authenticate with IKE is possible with anyone that can
get a ticket (i.e., domain members). The exception to this is when you
layer server isolation and assign specific computers to the "access this
computer from the network" right on the machine you want to limit access to.
This is all covered in the extensive guide we published early this year
entitled "Server and Domain Isolation Using IPsec and Group Policy" which
can be found at:
You must register to download the guide.
"Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
news:OKnoUzjuFHA.1472@TK2MSFTNGP15.phx.gbl...
> If you are using ipsec for just "filtering" then no computer
> authentication is used anyhow. If you are using it for AH/ESP to
> authenticate computers and protect traffic integrity and confidentiality
> then you need to use a computer authentication method. Certificates is the
> most secure method and any Windows 2000/2003 Server can be a Certificate
> Authority though trusting your CA may be an issue depending on whether or
> not you have access to configure those computers that should be allowed
> access or distribute them the CA's certificate. The problem with
> pre-shared key is that it is stored on the computers that use it in clear
> text in the registry and is could be easily recoverable [see link below].
> If you do not think that is a problem in your situation then it could be a
> viable solution and not being in an AD domain is a plus for its use. If
> you do use be sure to use a complex pre-shared key and change it on a
> regular basis. --- Steve
>
> http://online.securityfocus.com/infocus/1528
> Attacks on IPSec and Other Security Concerns
>
> There are some important security considerations to keep in mind about
> IPSec in Windows:
>
> a.. preshared keys are stored clear text in the registry, accessible by
> administrators
> b.. Active Directory stores IPSec configuration policies, and preshared
> keys in the clear,
>
>
> "Mike McClymont" <mcclymont@sNOhaSPAMw.ca> wrote in message
> news:uVqb9ijuFHA.3104@TK2MSFTNGP10.phx.gbl...
>> Hi All
>>
>>
>>
>> I am trying to add some additional security to a IIS server not in our
>> Domain (Stand alone).
>>
>>
>>
>> I would like to use IPSEC to control who has access to this box and have
>> been successful with IPSEC using the Preshared Key on the Server and
>> Client.
>>
>>
>>
>> Microsoft does not recommend Pre Shared Keys, but what else is available
>> with a non domain server and no PKI infrastructure?
>>
>>
>>
>> Thanks
>>
>> Mike
>>
>>
>
>
- Next message: Dmitry Tochilovsky: "S/MIME signatures for internal email only?"
- Previous message: Brian Komar [MVP]: "Re: Changing Cert template in Win2k3 Enterprise PKI CA"
- In reply to: Steven L Umbach: "Re: IPSEC with non-domain Server"
- Next in thread: Steven L Umbach: "Re: IPSEC with non-domain Server"
- Reply: Steven L Umbach: "Re: IPSEC with non-domain Server"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
|
