Re: Assign Domain Security Policy/Manage remote computer
From: Raymond Sinnappan [MS] (raymonds@online.microsoft.com)
Date: 03/30/03
- Next message: Karl Levinson [x y] mvp: "Re: winVNC window during logon"
- Previous message: S. Pidgorny [MVP]: "Re: Stop the use of USB mass storage"
- In reply to: Martin: "Assign Domain Security Policy/Manage remote computer"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "Raymond Sinnappan [MS]" <raymonds@online.microsoft.com> Date: Sun, 30 Mar 2003 02:30:49 -0800
Hi Martin,

Given your policy it looks like you're also securing traffic from the
clients to their DC/AD server. This is a pretty tricky scenario and is not
supported by Microsoft officially
(http://support.microsoft.com/default.aspx?scid=kb;en-us;254949), so you need
to exempt client-to-DC traffic from IPsec. If you still want to secure
client-to-DC traffic, there are some things you can do to improve the
situation and work around it based on your requirements.
In general it's difficult to secure from the DC to the client, because the
first problem is that the client has to get policy from the DC as well as
perform other DC-dependent boot-up service initialization. If you enforce
IPsec to the DC during this time, these service initializations will fail
because they need a communication link to the DC; however, at the same time
IPsec is dependent on these services initializing, so we have a vicious
circle.
I would suggest as a first cut that you add an additional rule to permit all
traffic from clients to the DC (in addition to your all-traffic-secure
rule*); this will at least confirm that this is the root of your problems.
Next, you can sniff boot-time traffic from your clients to your DC and
explicitly exempt only those types of traffic (a painful exercise).
Alternatively, I would recommend that you keep the permit-traffic-to-DC rule
and add secure-to-DC rules that secure selected traffic (for example HTTP,
NetBIOS-over-TCP, etc.) which you know is not used during boot time.
Another important thing is to make sure that, if you are using Kerberos as
the authentication method, you have it exempted as described in
http://support.microsoft.com/?kbid=254728 (make sure NoDefaultExempt is set
to 0 so that Kerberos is exempted).
* As we discussed in a previous thread, the rules will be ordered by
specificity. And yes, the address specificity is more important than
protocol and port. Source and destination specificity are considered equal
in importance.
--
This posting is provided "AS IS" with no warranties, and confers no rights.
Use of included script samples is subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm

"Martin" <x@y.z> wrote in message news:eHQYN4S9CHA.3412@TK2MSFTNGP11.phx.gbl...
> Hi,
>
> I've just set up Active Directory, and added other computers to the new
> domain - maintained backwards compatibility with domains, though I did not
> have a domain before.
>
> From my AD server, I can see the other computers and they can also see each
> other.
>
> I have defined an IPSec policy that I want all computers in the domain to
> adopt. I defined it in the Domain Security Policy section on my AD server.
> How do I apply it to the other computers in my domain? Simply doing assign
> by the new policy doesn't seem to work - though there may be an error in my
> policy settings.
> Roughly the policy has IP filter source My Address, dest Any IP Address, All
> protocols, and mirror. I had previously used a similar policy explicitly
> set up on two separate computers to secure traffic between the two. Now I
> want to have a policy that is administered from AD.
>
> I believe I don't need to define this policy anywhere else, but each
> computer in my domain needs to adopt it - how do I make that happen?
>
> I tried to do Computer Management on one of the domain members, from my AD
> server, but although I can browse to it, and the shares fine, I can't do
> Computer Management of it from my AD server. I can see the name when I'm
> asked what computer to manage, but it then says "Computer \\mc1.domain.com
> cannot be managed. The network path was not found."
>
> Help!
>
> Thanks
> Martin
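The policy Raymond describes, written out as a "netsh ipsec static" script. This is an added example, not code from the original post or from Microsoft; it assumes a client running Windows XP or Windows Server 2003 or later (Windows 2000 has no netsh ipsec context and uses ipsecpol.exe or the MMC snap-in instead), a DC at the hypothetical address 192.0.2.10, and arbitrary policy, filter list and filter action names. It builds Martin's secure-everything rule, then the diagnostic permit-to-DC rule, then a secure-selected-traffic-to-DC rule, and relies on the specificity ordering from the footnote: a single-host destination beats "any address", and host plus protocol plus port beats host alone, regardless of the order the rules are listed in.

```batch
@echo off
REM Added example, not from the original post. Assumptions: the DC is
REM 192.0.2.10 and all policy/filter list/filter action names are invented.
setlocal
set DC=192.0.2.10
set POL=Domain IPsec

REM 1. Martin's rule: My IP Address to any address, all protocols, mirrored.
REM    Require security with no fallback to clear (inpass=no, soft=no) and
REM    authenticate IKE with Kerberos.
netsh ipsec static add policy name="%POL%" description="Secure all, exempt DC"
netsh ipsec static add filterlist name="All traffic"
netsh ipsec static add filter filterlist="All traffic" srcaddr=me dstaddr=any protocol=ANY mirrored=yes description="Me to any"
netsh ipsec static add filteraction name="Require security" action=negotiate inpass=no soft=no
netsh ipsec static add rule name="Secure all" policy="%POL%" filterlist="All traffic" filteraction="Require security" kerberos=yes

REM 2. First cut: permit all traffic between this host and the DC. A
REM    single-host address (mask 255.255.255.255) is more specific than
REM    "any", so this filter is matched before "All traffic" for DC-bound
REM    packets. If boot-time policy download and logon now work, IPsec to
REM    the DC was the root of the problem.
netsh ipsec static add filterlist name="DC traffic"
netsh ipsec static add filter filterlist="DC traffic" srcaddr=me dstaddr=%DC% dstmask=255.255.255.255 protocol=ANY mirrored=yes description="Me to DC, any protocol"
netsh ipsec static add filteraction name="Permit" action=permit
netsh ipsec static add rule name="Permit DC" policy="%POL%" filterlist="DC traffic" filteraction="Permit"

REM 3. Re-secure selected traffic to the DC that is not needed at boot
REM    (HTTP here; add further filters to the same list the same way).
REM    Host address plus protocol and port is more specific than the
REM    any-protocol "DC traffic" filter, so only these flows go back to
REM    requiring IPsec while everything else to the DC stays permitted.
netsh ipsec static add filterlist name="DC selected"
netsh ipsec static add filter filterlist="DC selected" srcaddr=me dstaddr=%DC% dstmask=255.255.255.255 protocol=TCP srcport=0 dstport=80 mirrored=yes description="Me to DC, HTTP"
netsh ipsec static add rule name="Secure DC selected" policy="%POL%" filterlist="DC selected" filteraction="Require security" kerberos=yes

REM 4. Keep the driver's default exemptions (Kerberos, RSVP, IKE,
REM    broadcast, multicast) as described in KB 254728, so the Kerberos
REM    traffic that IKE itself needs is never caught by "Secure all".
REM    The value is read when the IPSEC service starts, so restart it.
reg add HKLM\SYSTEM\CurrentControlSet\Services\IPSEC /v NoDefaultExempt /t REG_DWORD /d 0 /f

REM 5. Assign locally to test. To create the same policy in the directory
REM    store instead, run the add commands after
REM    "netsh ipsec static set store location=domain domain=domain.com"
REM    and assign it in the GPO that applies to the member computers.
netsh ipsec static set policy name="%POL%" assign=yes

REM Show the assigned policy, its rules and the filters they carry.
netsh ipsec static show policy name="%POL%" level=verbose
endlocal
```

Run step 2 on one client first and confirm that a reboot completes policy download and logon before adding step 3; if the client still cannot reach the DC at boot with the permit rule in place, the problem is not the IPsec policy. Step 4 matters because the "All traffic" filter would otherwise match the Kerberos exchange that IKE uses to authenticate, which is the same kind of vicious circle Raymond describes for boot-time services.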