Re: Securing the communication between all workstations in a domain

From: Steven L Umbach (sumbach@ameritech.net)
Date: 02/17/03


From: "Steven L Umbach" <sumbach@ameritech.net>
Date: Mon, 17 Feb 2003 15:58:29 GMT


Hi Vijay. I am no expert at Ipsec. I would try using the server (request
security) policy in that OU - the secure policy is rather extreme and can
take some tweaking to get it right. Monitor results using ipsecmon to see
what is going on. You might have to create a custom policy exempting domain
controllers from ipsec traffic by their tcp/ip addresses per knowledge base
article link. Generally from what I have read Ipsec is usually implemented
in such a way that non domain controller servers such as file/application
servers are put in their own OU and assigned either secure server or server
ipsec policy. Then the workstations are put in their own OU with client
ipsec policy. There should be very little if any workstation to workstation
traffic in a high secure network anyway. I think your problem is that the
computers you have assigned ipsec policy to are unable to access the domain
controller, and since the domain controller is the Active Directory dns
server you are unable to find/communicate with ANY other computers until you
exempt the domain controllers from ipsec traffic - a request policy may work
for you to remedy that - I am not sure. Try pinging the domain controller by
fully qualified domain name or use nslookup to see if that is an issue. When
I was experimenting with ipsec a while back I noticed it took a while for
new policies to take effect and I usually ended up rebooting a computer to
update it. Again the ipsecmon utility (at the command prompt) was extremely
helpful in troubleshooting ipsec. Sorry I could not be of more help. --
Steve

"Ch.Vijay" <vijayr@intelligroup.co.in> wrote in message
news:033501c2d651$30847f80$a201280a@phx.gbl...
> Hi Steve
>
> according to u I placed 2 computers in one OU and
> assigned group policy for that OU. Assigned IPsec policy
> as Secure server for that OU
>
> After some time both machines are unable to
> communicate with each other as well as domain
> controllers. Domain controllers are able to talk to each
> other.
>
> Vijay
>
>
> >-----Original Message-----
> > Possibly one of the domain controllers had not had its policy
> >updated yet when the other domain controller was expecting ipsec
> >communications. There are some issues about using ipsec on domain
> >controllers, particularly when it comes to communications with non domain
> >controllers (member servers and workstations). Ipsecmon is very helpful at
> >seeing what is going on. You might want to try using request security rule
> >instead which still would give you secure communications if all computers in
> >the domain are W2K or later. You could also try putting all computers (with
> >exception of domain controllers) in a separate OU with a security policy for
> >ipsec defined for them and not involving the domain controllers. Most (if
> >not all) communications with and between domain controllers that involve any
> >sensitive information is encrypted anyhow, such as authentication and Active
> >Directory replication. Of course if you want to use your domain controller
> >as a file server then that would be a problem, but that is not recommended
> >practice. See links for more info. --- Steve
> >
> >http://support.microsoft.com/?kbid=254949
> >http://www.microsoft.com/windows2000/techinfo/planning/security/ipsecsteps.asp
> >http://www.labmice.net/networking/IPsec.htm
> >
> >
> >"Vijay" <vijayr@intelligroup.co.in> wrote in message
> >news:031401c2d587$330e6d80$a301280a@phx.gbl...
> >> Hi
> >>
> >> I want to secure all the communications between all
> >> workstations and servers and domain controllers in a
> >> domain using IPSec & Kerberos.
> >> How can I implement this in windows2003 domain.
> >> In my test setup when I select default domain policy as a
> >> secure server in one of the domain controllers,
> >> communication between domain controllers including
> >> replication is not happening? Any solutions..
> >
> >
> >.
> >
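The failure Steve describes above (workstations assigned the Secure Server policy can no longer reach the domain controller, and therefore cannot resolve anything else either, until the domain controllers are exempted by address) comes from how Windows IPsec picks a filter: among all filters that match a packet, the most specific one wins. The following Python model is an added example, not code from the thread or from Microsoft; it is a deliberately simplified evaluator (outbound filters only, a constructed weighting scheme, constructed addresses 10.0.0.10/20/50 and filter names) that reproduces the behaviour the thread discusses: the "All IP Traffic" require-security filter captures DNS and Kerberos to the DC, and a more specific permit filter for the DC address takes precedence over it while leaving traffic to other member servers secured.

```python
"""Simplified model of Windows 2000/2003 IPsec policy filter selection.

Added example (not part of the newsgroup thread). Addresses, filter names
and the weighting scheme are constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional

ANY = "any"   # wildcard address or protocol
ME = "me"     # "My IP Address" in the IPsec policy editor


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    protocol: str               # "tcp", "udp", "icmp"
    dst_port: Optional[int] = None


@dataclass(frozen=True)
class Filter:
    name: str
    src: str
    dst: str
    protocol: str = ANY
    dst_port: Optional[int] = None
    action: str = "require"     # "permit" | "block" | "require" (require security)

    @staticmethod
    def _addr_matches(pattern: str, addr: str, local_ip: str) -> bool:
        if pattern == ANY:
            return True
        if pattern == ME:
            return addr == local_ip
        return pattern == addr

    def matches(self, pkt: Packet, local_ip: str) -> bool:
        # Outbound direction only; real Windows filters are usually mirrored.
        return (self._addr_matches(self.src, pkt.src, local_ip)
                and self._addr_matches(self.dst, pkt.dst, local_ip)
                and self.protocol in (ANY, pkt.protocol)
                and self.dst_port in (None, pkt.dst_port))

    def weight(self) -> int:
        # Constructed specificity weight: concrete addresses count more than
        # protocol, which counts more than port. The heaviest match wins.
        w = 0
        if self.src != ANY:
            w += 4
        if self.dst != ANY:
            w += 4
        if self.protocol != ANY:
            w += 2
        if self.dst_port is not None:
            w += 1
        return w


def evaluate(policy: List[Filter], pkt: Packet, local_ip: str) -> str:
    """Return the action of the most specific filter matching pkt."""
    matching = [f for f in policy if f.matches(pkt, local_ip)]
    if not matching:
        return "permit"         # traffic matching no filter is left alone
    return max(matching, key=Filter.weight).action


def reachable(policy: List[Filter], pkt: Packet, local_ip: str,
              peer_negotiates_ipsec: bool) -> bool:
    """Can the packet get through, given whether the peer will negotiate IPsec?"""
    action = evaluate(policy, pkt, local_ip)
    if action == "permit":
        return True
    if action == "block":
        return False
    return peer_negotiates_ipsec   # "require": fails against a non-IPsec peer


# Constructed lab addresses.
WORKSTATION = "10.0.0.50"
DC = "10.0.0.10"
MEMBER_SERVER = "10.0.0.20"

# Shape of the built-in "Secure Server (Require Security)" policy.
SECURE_SERVER = [
    Filter("All IP Traffic", ME, ANY, action="require"),
    Filter("All ICMP Traffic", ME, ANY, protocol="icmp", action="permit"),
]
# The custom exemption the thread recommends: permit the DC by address.
DC_EXEMPTION = [Filter("Permit domain controllers", ME, DC, action="permit")]
WITH_DC_EXEMPTION = SECURE_SERVER + DC_EXEMPTION

DNS_TO_DC = Packet(WORKSTATION, DC, "udp", 53)
KERBEROS_TO_DC = Packet(WORKSTATION, DC, "tcp", 88)
SMB_TO_MEMBER = Packet(WORKSTATION, MEMBER_SERVER, "tcp", 445)
PING_MEMBER = Packet(WORKSTATION, MEMBER_SERVER, "icmp")

if __name__ == "__main__":
    for label, policy in (("secure server", SECURE_SERVER),
                          ("with DC exemption", WITH_DC_EXEMPTION)):
        for pkt in (DNS_TO_DC, KERBEROS_TO_DC, SMB_TO_MEMBER, PING_MEMBER):
            print(label, pkt.protocol, pkt.dst_port, pkt.dst,
                  "->", evaluate(policy, pkt, WORKSTATION),
                  "reachable without IPsec peer:",
                  reachable(policy, pkt, WORKSTATION, False))
```

Running it shows DNS and Kerberos to the DC as "require" under the plain Secure Server policy (unreachable when the DC is not negotiating IPsec), and "permit" once the DC exemption is added, while SMB to the member server stays at "require"; that is the same split the thread arrives at by putting DCs outside the policy.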
