Re: secure server policy

From: Miha Pihler (mihap-news_at_atlantis.si)
Date: 07/02/04


Date: Fri, 2 Jul 2004 18:45:25 +0200

Authentication data to the DC is already protected using the Kerberos protocol (by
default)... For clients that are not W2K or later, NTLM v2 is used... (by default).
Even Windows 98 can use it (not by default)...

If you would like to have more security, make sure you are not using LM
hashes anywhere (you should be using NTLM v2)...

Mike

"new question" <newquestion@discussions.microsoft.com> wrote in message
news:FB276062-D7A1-42A0-836A-FE9C2A1DEFD4@microsoft.com...
> thanks a lot;
> What are the solutions to protect authentication data from client to DC?
>
> "Steven Umbach" wrote:
>
>> Be very careful with ipsec policies. Ipsec policies between domain members
>> must exempt domain controllers based on their static IP addresses or you
>> will experience a lot of problems. MS does not support ipsec negotiation
>> policy between domain members and domain controllers because of the way
>> machine authentication works in ipsec. See the links below for more
>> details. --- Steve
>>
>> http://support.microsoft.com/?kbid=254949
>> http://tinyurl.com/3yvnl -- link to a previous thread on this topic.
>>
>> From Windows 2003 Deployment Guide:
>> Requiring IPSec for communication between Active Directory domain members
>> and domain controllers might block connections
>> IPSec is based on the authentication of computers on a network; therefore,
>> before a computer can send IPSec-protected data, it must be authenticated.
>> The Active Directory security domain provides this authentication using the
>> Kerberos protocol. Accordingly, when IKE uses Kerberos to authenticate, the
>> Kerberos protocol and other dependent protocols (DNS, UDP, LDAP and ICMP)
>> are used for communication with domain controllers. Additionally, Active
>> Directory-based IPSec policy settings are typically applied to domain
>> members through Group Policy. As a result, if IPSec is required from domain
>> members to the domain controllers, authentication traffic will be blocked
>> and IPSec communications will fail. In addition, no other authenticated
>> connections can be made using other protocols, and no other IPSec policy
>> settings can be applied to that domain member through Group Policy. **For
>> these reasons, using IPSec for communications between domain members and
>> domain controllers is not supported**
>>
>>
>> "new question" <new question@discussions.microsoft.com> wrote in message
>> news:448147CF-76FE-4C37-8853-F68C60F330FD@microsoft.com...
>> > hi
>> > I experienced a problem when I deployed the default Secure Server IPsec
>> > policy to all of my domain. Some clients didn't join after the restart. We
>> > waited a very long time. We logged on to the local machine and edited the
>> > local policy, assigning Secure Server locally. Then the machine restarted,
>> > and the client machine logged on successfully.
>> > I want to learn whether we cannot apply the Secure Server policy to the
>> > whole domain?
>>
>>
>>
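As an added example (not code from this thread, from Microsoft, or from any of the posters), here is a PowerShell audit of the two registry values behind Mike's advice above to stop using LM hashes and rely on NTLM v2, with an optional remediation step. The key path and value names are the real ones; the function name and the "explicitly set" compliance rule are this example's own choices, and the comment on defaults assumes the XP/2003-era behaviour the thread discusses.

```powershell
# Added example: audit (and optionally raise) the LM/NTLM settings under the Lsa key.
#   NoLMHash             1 = do not store the LM hash when a password is set
#   LmCompatibilityLevel 0-2 still send LM and/or NTLM; 3 = send NTLMv2 only;
#                        4 = also refuse LM; 5 = also refuse NTLM (strictest)
# A missing value means the OS default (0 on XP/2003-era systems, 3 from
# Vista/2008 on), so this audit treats "not explicitly set" as non-compliant.
# Remediation needs an elevated shell; preview it with -Remediate -WhatIf.

function Test-LmNtlmPolicy {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [int]$RequiredLevel = 3,   # Mike's baseline: NTLMv2 responses only
        [switch]$Remediate         # also set NoLMHash=1 and the required level
    )
    $path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $lsa  = Get-ItemProperty -Path $path

    # Keep $null for values that are absent so the report shows what is unset.
    $noLm  = if ($null -ne $lsa.NoLMHash) { [int]$lsa.NoLMHash } else { $null }
    $level = if ($null -ne $lsa.LmCompatibilityLevel) { [int]$lsa.LmCompatibilityLevel } else { $null }

    $result = [pscustomobject]@{
        NoLMHash             = $noLm
        LmCompatibilityLevel = $level
        MayStoreLmHash       = ($noLm -ne 1)          # LM hash still written on password change
        MaySendLmOrNtlm      = ($null -eq $level -or $level -lt 3)
        Compliant            = ($noLm -eq 1 -and $null -ne $level -and $level -ge $RequiredLevel)
    }

    if ($Remediate -and -not $result.Compliant) {
        if ($PSCmdlet.ShouldProcess($path, "Set NoLMHash=1, LmCompatibilityLevel=$RequiredLevel")) {
            Set-ItemProperty -Path $path -Name NoLMHash -Value 1 -Type DWord
            Set-ItemProperty -Path $path -Name LmCompatibilityLevel -Value $RequiredLevel -Type DWord
            # NoLMHash only affects passwords changed from now on; LM hashes
            # already stored remain until each user changes their password.
            # Raising the level on a DC refuses LM/NTLM from clients that still
            # send them (e.g. Win98 without NTLMv2 enabled), so audit clients first.
            $result.Compliant = $true
        }
    }
    $result
}

# Audit only; nothing is changed unless -Remediate is given.
Test-LmNtlmPolicy | Format-List
```

Run it on each domain member and on the DCs; a level of 5 on the DCs is the strictest setting and is only safe once every client reports a level of 3 or higher.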


