Re: IPSec to encrypt SMB traffic?
From: Research Services (key_at_lamar.n0-sp@m.colostate.edu.NO)
Date: 01/18/05
- Previous message: ninhovid: "cannot delegate IIS management!!!"
- In reply to: Steve Clark [MSFT]: "Re: IPSec to encrypt SMB traffic?"
- Next in thread: Research Services: "Re: IPSec to encrypt SMB traffic?"
- Reply: Research Services: "Re: IPSec to encrypt SMB traffic?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 18 Jan 2005 07:54:51 -0700
I have read through much of the documentation in the link you provided.
Our environment is a Child Domain in an Active Directory Forest. We have
2000 and 2003 DCs in our Child Domain. All clients are Windows XP and all
of our clients are within our own Domain.
I want to encrypt file sharing traffic between all of our clients and a
particular Windows 2003 file server. Basically, I don't want Word and Excel
files saved on the file server to be sent across the network in plain text.
If I understand it correctly, I must create a "server" IPSec policy on the
Windows 2003 box, and I must create "client" IPSec policies on all of the
Windows XP boxes. For testing purposes, I have created the IPSec policies in
the Local Security Policy on each computer (later I will move them to being
Group Policy-controlled).
Below I will explain how I created my policies - can you take a look and see
if there is anything wrong or not recommended? They do appear to be working
correctly when we packet sniff.
1) Created a new IP Security Policy (CLIENT)
a. Removed all entries under Key Exchange Security Method except for:
3DES/SHA1
2) Created a new Rule (leaving the Default Response rule intact)
3) Created a new IP Filter List (leaving the All IP & ICMP Traffic
default lists intact) - this new list is the Selected one (Radio Button)
a. Mirrored: Yes
b. Protocol: TCP
c. Source Port: ANY
d. Destination Port: 445
e. Source IP Address: 'My IP Address'
f. Destination Address: <IP Address of File Server>
4) Authentication Method: Kerberos
5) Tunneling: NO
6) Connection Type: All Network Connections
7) Filter Action: Selected 'Require Security'
a. Negotiate Security
b. Removed all entries except: 3DES/SHA1
c. Uncheck all option boxes on Security Methods Tab
1) Created a new IP Security Policy (SERVER)
a. Removed all entries under Key Exchange Security Method except for:
3DES/SHA1
2) Created a new Rule (leaving the Default Response rule intact)
3) Created a new IP Filter List (leaving the All IP & ICMP Traffic
default lists intact) - this new list is the Selected one (Radio Button)
a. Mirrored: Yes
b. Protocol: TCP
c. Source Port: ANY
d. Destination Port: 445
e. Source IP Address: <IP Address of Test Client>
f. Destination Address: <IP Address of File Server>
4) Authentication Method: Kerberos
5) Tunneling: NO
6) Connection Type: All Network Connections
7) Filter Action: Selected 'Require Security'
a. Negotiate Security
b. Removed all entries except: 3DES/SHA1
c. Uncheck all option boxes on Security Methods Tab
Once these were created, I assigned them on both the server and the clients,
and encrypted communications work fine.
Questions:
1) If I have a small number of clients, can I just add Filters with
each of the client IP addresses to the Server IP Filter List? (Eventually I
will add a 'Specific IP Subnet')
2) It looks like only 1 Filter List can be selected with a Radio
Button, so is this the only one in the list that is being acted on? If so,
is that the same case for the 'Filter Action'?
3) Can I edit the 'Default Response' Rule? Or is it best to leave it
untouched? In particular, I'd like to remove all but the 3DES/SHA1
Encryption and Integrity Security Method.
4) Can I safely change the Connection Type to LAN if the only way
for these clients to access the file server is through the LAN? (We don't
have any 'remote access' servers in the mix.)
5) Is there anything else I can do to "streamline" this IPSec policy
(i.e., remove any of the other default rules or lists)?
6) I did notice the increased CPU load on the server when copying large
files across the encrypted connection. Is there any way to 'help out' the
CPU short of lowering the encryption to DES or removing encryption
altogether? (hardware or software solution?)
Thank you for taking the time to review these and help me sort this out!
"Steve Clark [MSFT]" <bogus@microsoft.com> wrote in message
news:OOun04M$EHA.2032@tk2msftngp13.phx.gbl...
> Do you require encryption of this traffic, or just authentication?
>
> You can use IPsec transport mode to secure communications such that any
> machine that can not AuthN with IKE will be unable to communicate. This
> means that a user will never get prompted for credentials since IKE fails.
>
>
>
> "Research Services" <key@lamar.n0-sp@m.colostate.edu.NO> wrote in message
> news:uWsyCHp%23EHA.3236@TK2MSFTNGP15.phx.gbl...
>>
>> Are there any MS KB articles or whitepapers that detail how to use IPSec
>> to encrypt SMB traffic?
>>
>> We are in an Active Directory Forest, and would like to use Group Policy
>> to configure IPSec to encrypt SMB traffic between all of our Windows XP
>> clients and our Windows 2003 File Servers (using Kerberos). Is it
>> possible to set this up so _only_ TCP 445 on _particular_ servers will
>> always be encrypted when communicating with our XP clients?
>> We are not currently using IPSec and would like to enable encryption for
>> ONLY the case mentioned above if possible.
>>
>> Thanks for any information.
>>
>>
>
>
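The server-side policy described in the post above (filter list for TCP/445 to the file server, Kerberos authentication, transport mode, 'Require Security' with 3DES/SHA1 only), expressed as a scripted equivalent of the MMC steps. This is an added example, not part of the original thread: it uses the `netsh ipsec static` context available on Windows Server 2003, and the addresses (192.0.2.10 for the file server, 192.0.2.0/24 for the client subnet) and all policy, filter list, filter action and rule names are placeholders chosen here. The Windows XP clients still need a matching "client" policy built the same way in the snap-in; this script only covers the Windows 2003 side.

```batch
@echo off
rem Added example (not from the original thread): the SERVER IPSec policy from the
rem post expressed as "netsh ipsec static" commands on Windows Server 2003.
rem Assumptions (placeholders): 192.0.2.10 is the file server, 192.0.2.0/24 is the
rem client subnet. Run from an elevated command prompt on the file server.

rem Step 1) Policy whose IKE (main mode) key exchange offers only 3DES/SHA1
rem         ("3DES-SHA1-2" = 3DES encryption, SHA1 integrity, Diffie-Hellman group 2)
netsh ipsec static add policy name="SMB-Encrypt-Server" ^
    description="Require ESP 3DES/SHA1 for TCP/445 to this file server" ^
    mmsecmethods="3DES-SHA1-2"

rem Step 3) Filter list: mirrored filter, TCP, any source port, destination port 445,
rem         source = client subnet, destination = the file server itself.
rem         Port 0 means "any" in netsh ipsec; mirrored=yes covers the reply direction.
netsh ipsec static add filterlist name="SMB-445-From-Clients" ^
    description="TCP/445 from client subnet to file server"
netsh ipsec static add filter filterlist="SMB-445-From-Clients" ^
    srcaddr=192.0.2.0 srcmask=255.255.255.0 dstaddr=192.0.2.10 ^
    protocol=TCP srcport=0 dstport=445 mirrored=yes

rem Step 7) Filter action: negotiate security, ESP with 3DES/SHA1 as the only method.
rem         inpass=no and soft=no correspond to leaving the option boxes on the
rem         Security Methods tab unchecked: no clear-text inbound pass-through and
rem         no fall-back to unsecured communication if negotiation fails.
netsh ipsec static add filteraction name="Require-ESP-3DES-SHA1" ^
    description="Require ESP 3DES/SHA1, no clear-text fallback" ^
    action=negotiate qmsecmethods="ESP[3DES,SHA1]" inpass=no soft=no

rem Steps 2, 4, 5, 6) Rule tying it together: Kerberos authentication, transport mode
rem         (no tunnel endpoint given), all connection types.
netsh ipsec static add rule name="SMB-445-Rule" policy="SMB-Encrypt-Server" ^
    description="Encrypt SMB from clients" ^
    filterlist="SMB-445-From-Clients" filteraction="Require-ESP-3DES-SHA1" ^
    kerberos=yes conntype=all

rem Assign the policy. Only one local IPSec policy can be assigned at a time.
netsh ipsec static set policy name="SMB-Encrypt-Server" assign=yes

rem Verification: once a client opens a share, a main-mode SA (IKE) and a quick-mode
rem SA (ESP, 3DES/SHA1) for that client address should be listed here.
netsh ipsec static show policy name="SMB-Encrypt-Server" level=verbose
netsh ipsec dynamic show mmsas all
netsh ipsec dynamic show qmsas all
```

Because the filter is scoped to the client subnet and port 445 only, traffic that does not match it (DNS, Kerberos to the DCs, other services on the server) is untouched by this rule, which is what keeps the policy from locking out machines that cannot negotiate IPsec. The `show qmsas` output is the scripted counterpart of the packet sniff mentioned in the post: if a quick-mode SA with ESP appears for the client, the SMB payload on the wire is encrypted rather than merely authenticated.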