Re: Securing Communication Between Domain Members and their Domain Controllers

From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: 05/27/04


Date: Thu, 27 May 2004 01:21:53 GMT

Authentication traffic of course is already protected via kerberos. You may want to
look into using an ipsec tunnel into a gateway computer or ipsec endpoint device or
setting up a rras server and then using lt2p for the connection into your network for
the computers from the dmz being l2tp clients. If you use rras you can use Remote
Access Policy with input/output filters to manager what traffic goes where. Ideally
you would want to use certificates instead of preshared key for machine
authentication. It is not hard to configure a CA on your network for such. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;252735

"Stuart Coney" <NOSPAM_StueyC_News@msn.com> wrote in message
news:%23XeT%23uvQEHA.808@tk2msftngp13.phx.gbl...
> Hello all,
>
> I have been searching (and searching) the Microsoft site for information on
> "Securing Communication Between Domain Members and their Domain
> Controllers".
>
> Overview
> =======
> We are looking at a migration from an NT4 domain plus a large number of DMZ
> (perimeter in MS Speak) located stand alone servers. The idea is to
> integrte them into a single secure Active Directory Domain.
>
> The DC's for the domain will be located in a secured network seperate from
> both the DMZ and internal network environments and access will be controlled
> through firewalls. As all servers in the domain are located at location
> all DC's will be located in the secure network, therefore all DC replication
> will occur in the secure netwrok.
>
> The forest containing this domain will be seperate from the corporate
> forest.
>
> The problem
> =========
> We want to secure communication between the member servers in the DMZ with
> the DC's. My original thought of IPSec has been ruled out due to specific
> information on the MS site "Using IPSec to help secure traffic between
> domain members (either clients or servers) and their domain controllers is
> not recommended"...due to increased latency in authentication, increased DC
> load and complexity of ipsec management etc.
>
> My next thought was whether we could use LDAP SSL and configure the DC's and
> member servers to communicate this way, looking through the MS tech. support
> I have found several documents relating to configuring LDAP SSL between DC's
> for replication but none for general secure connections between member
> servers and DC's.
>
> ====
> Can anybody advise for the above scenario the best practice for securing
> communication between the member servers and domain controllers?
>
> much appreciated
> Stu
>
>



Relevant Pages

  • Re: NFS and Backups
    ... I have NFS client and Servers running OK, ... > NFS is not secure at all. ... Raw speed, no IPsec: ...
    (freebsd-questions)
  • Re: Ace Password Sniffer : How does it work ?
    ... >> Another protocol that offers same is IPSec. ... >> authentication and secure transfer of data between server and client ... >> would be pretty hard to use SSL to secure data exchanged between ... Once you are done with the secured login, ...
    (microsoft.public.security)
  • Re: Pakistan to ban encryption software
    ... aimed at servers. ... It's at least as secure as sending mail, ... emailing work from home is an example. ... are often used for personal communications, ...
    (uk.legal)
  • Re: How the #$%& can it be possible!
    ... They should have had secured servers and controlled all the log ins and any ... who is doing what no matter how "secure" your servers are. ... some incredibly HUGE factor the tune changes, doesn't it weasel? ... My business with them is privacy, ...
    (alt.privacy)
  • Re: IPSEC with non-domain Server
    ... Certificates are not the "most secure", rather, they are one of the 2 "more ... > authenticate computers and protect traffic integrity and confidentiality ... > Attacks on IPSec and Other Security Concerns ...
    (microsoft.public.security)