Re: Initial IPSEC policy

From: Gino (cosine_at_covad.net)
Date: 01/30/04

    Date: Fri, 30 Jan 2004 15:26:32 -0500
    
    

    You can secure IPSEC traffic by using Kerberos, certificates, or shared
    keys. Shared keys are the easiest and quickest way to secure traffic; the
    only concern is that the shared key pair is in plain text on the machines. If I
    understand your question right, I don't think this would be a problem if
    your servers are secure from having just anyone log on, and besides, right now
    you don't have anything to secure your TCP/IP traffic between the servers.

    "Harald Haitsma" <harald.haitsma@acs.it> wrote in message
    news:%23eVI9$W5DHA.2560@TK2MSFTNGP09.phx.gbl...
    > I would like to secure all the IP-Traffic between certain PCs with the DC.
    > I tried to set the policy so Kerberos is not secure. But I can't get the
    > other policy working. Any ideas what went wrong?
    >
    > thxs
    > Harald
    >
    > "Chris" <chris@dev.nul> wrote in message
    > news:%23ET0EXT5DHA.2496@TK2MSFTNGP09.phx.gbl...
    > > No this is still the same in XP and 2003. You are referring to
    > > http://support.microsoft.com/default.aspx?kbid=254949
    > >
    > > Non-domain members could never join the domain if your DCs required
    > > Kerberos-authenticated IPSec communication across the board.
    > >
    > > Chris Weber
    > >
    > >
    > >
    > > "Harald Haitsma" <haraldhaitsma@hotmail.com> wrote in message
    > > news:eDS$53Q5DHA.2540@TK2MSFTNGP11.phx.gbl...
    > > > I have a Win2003 domain with only WinXP clients.
    > > >
    > > > On a Win2000 Server I read the following:
    > > > Using IP Security (IPSec) to protect traffic from a non-domain member to
    > > > the domain controller is currently not supported in Windows 2000 because it
    > > > is not possible for non-domain computers to get the initial IPSec policy
    > > > from the domain controller once a domain controller (DC) requires IPSec to
    > > > communicate, and because non-domain member computers cannot use Kerberos
    > > > as the IPSec/IKE authentication method to authenticate IKE with their
    > > > domain controller and with trusted domain controllers on the domain in all
    > > > cases.
    > > >
    > > > Is this changed within XP and 2003?
    > > >
    > > > Thxs
    > > >
    > > >
    > > >
    > >
    > >
    >
    >

