Re: Prevent logon without certificate
From: Mark Gamache (mark.gamache_at_css-security.com)
Date: 01/26/05
- Next message: Art Vandelay: "Re: Prevent logon without certificate"
- Previous message: Mark Gamache: "Re: Prevent logon without certificate"
- In reply to: Miha Pihler [MVP]: "Re: Prevent logon without certificate"
- Next in thread: Miha Pihler [MVP]: "Re: Prevent logon without certificate"
- Reply: Miha Pihler [MVP]: "Re: Prevent logon without certificate"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 26 Jan 2005 13:12:13 -0800
Mike, can you tell me a bit about how 802.1X can be bypassed?
Thanks
Mark G.
"Miha Pihler [MVP]" <mihap-news@atlantis.si> wrote in message
news:%23r$hb88AFHA.1296@TK2MSFTNGP10.phx.gbl...
> Hi,
>
> There are a few things to watch out for. You can't really use IPSec between
> client and DC if you use Kerberos as authentication protocol (you could
> use IPSec if you used Certificates based authentication or pass phrase --
> which should not be used in production environment). Last thing I heard on
> using IPSec between clients and DCs is that it is not supported by PSS.
> One of the problems with IPSec, Kerberos, domain controllers and clients is
> that clients must first be able to talk to the DC before they can establish
> IPSec and they can not establish IPSec if you set domain controller to
> "Secure Server - (Require Security)"...
>
> 802.1x also has its limitations and can be bypassed, but physical
> security and quite some knowledge is required...
>
> My main question is, why would a certificate be a requirement (I can see
> some advantages, but I would like to see if Art has a good reason for this
> or is there a better solution -- e.g. Smart Card for users)? Who can add
> computers to domain? By default "Authenticated Users" can add 10 computers
> to domain, but if you change the policy only domain administrators (or
> another group of users) will be able to add computers to domain...
>
> --
> Mike
> Microsoft MVP - Windows Security
>
> "Mark Gamache" <gsdf> wrote in message
> news:u4GTZf8AFHA.1524@TK2MSFTNGP09.phx.gbl...
>> There is no direct setting for this, but you can use other technologies
>> for this such as port based authentication (802.1X) or requiring IPSec
>> using a policy that uses certs for the auth type. You should also
>> require users to use smartcards to logon. This would use a cert on the
>> smart card, however the machine account would have already logged in.
>> IPSec and 802.1X both can prevent the computer account from gaining
>> access, however, IPSec can be pretty complex if you are new to it.
>>
>> Mark Gamache
>> CSS
>>
>> "Art Vandeley" <idozaf@gmail.com> wrote in message
>> news:35ppp5F4pakqqU1@individual.net...
>>> Hi there,
>>> We're messing about with certificate services on a test windows 2003
>>> server at the moment. We have it installed and apparently working. Other
>>> PCs are able to log onto the CA and request a certificate.
>>> What we don't know though, is how to stop a PC without a certificate
>>> from logging on to the domain. I presume it's a group policy but I can't
>>> find it anywhere.
>>>
>>> Cheers.
>>>
>>
>>
>
>
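The quoted reply asks who can add computers to the domain and notes that by default "Authenticated Users" can add 10, unless the policy is changed. The following is an added audit script for that point; it is not code from the thread or from any poster. It assumes the ActiveDirectory PowerShell module (RSAT) is installed, that the session runs with domain admin rights, and that it is executed on a domain controller (the secedit step reads the policy of the machine it runs on).

```powershell
# Added example, not from the thread: audit who may join computers to the domain.
# Assumes the ActiveDirectory module and a domain admin session on a DC.
Import-Module ActiveDirectory

$domain = Get-ADDomain

# 1. The default quota the reply refers to: ms-DS-MachineAccountQuota on the
#    domain object (default 10). Any authenticated user may create that many
#    computer accounts. Setting it to 0 leaves only principals with an
#    explicit right or ACL permission able to join machines.
$quota = (Get-ADObject -Identity $domain.DistinguishedName `
            -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
"ms-DS-MachineAccountQuota = $quota"
if ($quota -gt 0) {
    "NOTE: any authenticated user can still join up to $quota computers."
}

# 2. The policy the reply says to change: the user right
#    'Add workstations to domain' (SeMachineAccountPrivilege) in the domain
#    controller security policy. secedit exports the effective setting of
#    the local machine, hence run this on a DC.
$inf = Join-Path $env:TEMP 'dc-user-rights.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
Select-String -Path $inf -Pattern '^SeMachineAccountPrivilege' |
    ForEach-Object { "Add workstations to domain: $($_.Line)" }

# 3. Computers that were joined under the quota (rather than by an explicit
#    right) carry mS-DS-CreatorSID, so this lists what the default has
#    already permitted and who did it.
Get-ADComputer -LDAPFilter '(mS-DS-CreatorSID=*)' -Properties mS-DS-CreatorSID |
    Select-Object Name, @{ n = 'CreatedBy'; e = {
        # The attribute is an octet string, returned as a byte array.
        $sidBytes = $_.'mS-DS-CreatorSID'
        $sid = New-Object System.Security.Principal.SecurityIdentifier($sidBytes, 0)
        try { $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $sid.Value }   # account deleted or untranslatable: show the raw SID
    } }
```

The SeMachineAccountPrivilege line in the exported .inf lists the SIDs granted the right; on a default install that is Authenticated Users (S-1-5-11), which is what the reply describes. Restricting it to a dedicated group and setting the quota to 0 are the two changes that together make the "only domain administrators (or another group) can add computers" outcome hold.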