Re: Secure all IP Traffic in domain

From: Steven L Umbach (n9rou@attbi.com)
Date: 02/18/03


From: "Steven L Umbach" <n9rou@attbi.com>
Date: Tue, 18 Feb 2003 03:44:56 GMT


          IPsec can be used to secure traffic; however, Microsoft states that
you cannot use it to secure traffic between domain controllers and
non-domain controllers (workstations and member servers), at least on Windows
2000 - I am not sure about Windows 2003. So you need to be careful with how
you set it up, or you can shut down your network if none of the clients can
access a domain controller. What you could do is put your workstations and
member servers in an OU and assign the Secure Server IPsec policy to it via a
new group policy for that OU. However, you would have to add a rule or rules
to it that would exempt the domain controllers by referring to them by their
TCP/IP addresses and using a "permit" instead of a require rule. Windows
XP/2003 has a much more advanced IPsec monitoring utility that you can access
via an MMC snap-in to see your rules in action. Also keep in mind that the
secure IPsec policy will not allow your computers to communicate with any
other computer outside of your domain. So if you need internet access you
would need to add more rules to the policy permitting outbound access for
ports 80, 443, 53, 110, 25, etc. See attached links. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;EN-US;254949
http://www.microsoft.com/windows2000/techinfo/planning/security/ipsecsteps.asp
http://www.labmice.net/networking/IPsec.htm

"Prashanth" <kmanasa@yahoo.com> wrote in message
news:02c401c2d652$8a07e230$a401280a@phx.gbl...
> Hi.
> I am using .NET servers and clients as Windows XP. I want
> to secure all traffic between clients to clients & clients
> to servers & servers to servers. Can I do this using an
> IPsec policy using Kerberos authentication or
> certificates? What do you suggest? My main objective is that any
> other domain machine or standalone machine should not be able
> to communicate with any machine in my domain.
>
> Can anybody help me to resolve this issue? I am at a very
> critical stage.
>
> Thanks in advance
>
> Prashanth.
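The policy Steve describes in his reply above (a Secure Server style "require security" rule for all traffic, permit rules that exempt the domain controllers by address, and permit rules for the outbound Internet ports 80, 443, 53, 110 and 25), written out as an added example that is not from Steve's post or from Microsoft's documentation. It is a batch file using `netsh ipsec static`, which exists on Windows Server 2003 and Windows XP SP2 (Windows 2000 would need the resource-kit tool ipsecpol.exe instead). The policy and filter-list names are arbitrary, and the domain controller addresses 192.0.2.10 and 192.0.2.11 are placeholders to be replaced with the real ones; in a domain the same rules would be built in the Group Policy IPsec policy for the OU rather than assigned locally.

```batch
@echo off
rem Added example, not Steve's or Microsoft's code: builds the policy from
rem the reply above with "netsh ipsec static" (Windows Server 2003 / XP SP2).
rem PLACEHOLDERS: 192.0.2.10 and 192.0.2.11 stand in for the real DC addresses.

set POLICY=Secure Domain Traffic

rem 1. The policy. activatedefaultrule=no keeps the built-in default response
rem    rule out of the way so only the rules below apply.
netsh ipsec static add policy name="%POLICY%" description="Require IPsec to everything, exempt DCs and Internet ports" activatedefaultrule=no

rem 2. Filter lists: everything, the domain controllers, the outbound Internet ports.
netsh ipsec static add filterlist name="All traffic"
netsh ipsec static add filter filterlist="All traffic" srcaddr=me dstaddr=any protocol=any mirrored=yes

netsh ipsec static add filterlist name="Domain controllers"
netsh ipsec static add filter filterlist="Domain controllers" srcaddr=me dstaddr=192.0.2.10 protocol=any mirrored=yes
netsh ipsec static add filter filterlist="Domain controllers" srcaddr=me dstaddr=192.0.2.11 protocol=any mirrored=yes

netsh ipsec static add filterlist name="Outbound Internet ports"
for %%P in (80 443 25 110) do netsh ipsec static add filter filterlist="Outbound Internet ports" srcaddr=me dstaddr=any protocol=TCP srcport=0 dstport=%%P mirrored=yes
netsh ipsec static add filter filterlist="Outbound Internet ports" srcaddr=me dstaddr=any protocol=UDP srcport=0 dstport=53 mirrored=yes
netsh ipsec static add filter filterlist="Outbound Internet ports" srcaddr=me dstaddr=any protocol=TCP srcport=0 dstport=53 mirrored=yes

rem 3. Filter actions. "Require IPsec" behaves like the built-in Secure Server
rem    policy: negotiate security, accept no unsecured inbound traffic
rem    (inpass=no) and never fall back to clear text (soft=no).
netsh ipsec static add filteraction name="Require IPsec" action=negotiate inpass=no soft=no
netsh ipsec static add filteraction name="Permit clear" action=permit

rem 4. Rules. IPsec applies the most specific matching filter, so the DC and
rem    port exemptions win over the catch-all require rule. The DC exemption is
rem    also what lets the Kerberos authentication of the require rule reach a DC.
netsh ipsec static add rule name="Require IPsec everywhere" policy="%POLICY%" filterlist="All traffic" filteraction="Require IPsec" kerberos=yes
netsh ipsec static add rule name="Exempt domain controllers" policy="%POLICY%" filterlist="Domain controllers" filteraction="Permit clear"
netsh ipsec static add rule name="Exempt Internet ports" policy="%POLICY%" filterlist="Outbound Internet ports" filteraction="Permit clear"

rem 5. Review the result, then assign it. A locally assigned policy is only
rem    for testing: a policy delivered by Group Policy overrides it.
netsh ipsec static show policy name="%POLICY%" level=verbose
netsh ipsec static set policy name="%POLICY%" assign=y
```

Run it as a batch file on a single test workstation first and watch the negotiated security associations in the XP/2003 IP Security Monitor snap-in Steve mentions; if the machine loses the domain, `netsh ipsec static set policy name="Secure Domain Traffic" assign=n` unassigns the policy. Note that the exempted DC traffic and the permitted Internet ports travel in the clear, which is exactly the trade-off Steve's reply describes for Windows 2000 domain controllers.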

