Re: IPSec / domain isolation: confusing MS documents
- From: "Steven L Umbach" <n9rou@xxxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Wed, 26 Jul 2006 18:54:12 -0500
Clever. I like that and am going to remember that trick. I did not realize
that access to a network share was denied if the user was not logged onto
their list of allowed domain computers. I tried it also and got some obscure
error message that would not tip the user off as to what was happening.
Certainly not manageable in all but the smallest domains but if it works for
their needs that is great. Yes I agree that a barrier for the average user
is certainly worth pursuing. I assume most everybody locks their house and
car doors even though that will not stop the determined criminal. After all
I can just go on your roof and saw a hole in it to get in or simply tow your
car away.
Steve
"Franz Schenk" <franz.schenkNOSPAM@xxxxxxxxxxxxxxxx> wrote in message
news:OQEUOZIsGHA.1888@xxxxxxxxxxxxxxxxxxxxxxx
Thank you all for your input and ideas, and also the hint from Miha to the
interesting KB article 822158
Have also found an interesting checklist at
http://searchwindowssecurity.techtarget.com/tip/1,289483,sid45_gci1024016,00.html.
There is an additional idea: Restrict User Logons to specific machines.
Have tested this in a VM environment and it works as expected. A user with
his private notebook cannot attach to resources on the server with his
user credentials. It's not very good security, because when the home user
renames his private notebook to the same name as his corporate
workstation, he is able to attach to server resources again, but for our
customer, it's a useful obstacle for the average user.
Franz
"Steven L Umbach" <n9rou@xxxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:O6hxeCBsGHA.696@xxxxxxxxxxxxxxxxxxxxxxx
Hi Franz.
I thought there might be problems with Exchange so too bad that is not a
possibility. Like I said if the owners of the networks do not want to
make an investment in funds to update their networks then what they want
is simply not possible using ipsec and that is their choice. I would
however suggest to them that they implement a strict computer user policy
and they follow other best security practices such as those I mentioned
that can minimize risk.
Steve
"Franz Schenk" <franz.schenkNOSPAM@xxxxxxxxxxxxxxxx> wrote in message
news:OmdiUm8rGHA.4652@xxxxxxxxxxxxxxxxxxxxxxx
Hi Steve
Thank you very much for your work and time for the detailed feedback!
I see the main point now (never using DC's also as file servers), even
if this is difficult to realize in small companies and in branch offices
in larger companies.
We have tested the policy you mentioned (refusing NTLM and LM
authentication) in other projects and found that this doesn't work in a
Windows 2003 SP1 environment with Exchange 2003 SP2: The Mailbox Manager
process doesn't work anymore after this setting is enabled on domain
controllers.
Franz
"Steven L Umbach" <n9rou@xxxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:Or0RaB0rGHA.4240@xxxxxxxxxxxxxxxxxxxxxxx
As Mike said the best option is to not use domain controllers for file
servers but my guess is that will not fly. If they currently are using
managed switches then you might see if the switches can do MAC
filtering which could be enabled and the table would only contain the
MAC addresses of domain computers. Of course this will not stop a
determined attacker but it would be worth implementing and stop the
average user. The user right "access this computer from the network"
will not work for computer accounts unless ipsec is being used. If the
customers do not want to make any investment in equipment and/or
software then they are pretty much stuck with what they have and that
is THEIR decision in managing risk. Their best option at that point
would be to enforce a strict computer user policy that prohibits non
domain computers on the network with stated consequences.
Having said that best practices such as keeping domain controllers
patched with critical security updates, making sure that regular users
are not in privileged domain accounts, NEVER logging onto a "not known
to be totally secure" domain computer with a domain administrator
account, disabling unneeded services on the domain controller, and
using and enforcing strong passwords in the domain will go a long way to
securing a domain controller.
If the domain controllers are Windows 2003 I would use Software
Restriction Policies creating a path rule to the folders that the users
have write access to in order to prevent any file execution from that
folder assuming none is needed. Also while this may work it should not
be considered a secure solution. If it does not cause any problem use
Domain Controller Security Policy and go to local policies/security
options and set the security option for lan manager authentication
level to be send NTLMV2 response only\refuse LM and NTLM. The reason
that may help is most likely the user's laptop will be configured to
use LM or NTLM as the default setting. However using NTLMV2 response
only\refuse LM and NTLM can break some services such as server running
remote access and maybe Exchange so make sure to test that setting
thoroughly before implementing.
Steve
"Franz Schenk" <franz.schenkNOSPAM@xxxxxxxxxxxxxxxx> wrote in message
news:OcuAl0urGHA.1732@xxxxxxxxxxxxxxxxxxxxxxx
Thank you both for your feedback! No it's clear to me that IPSec can't
protect resources located on DC's.
On our customer's location, employees often bring their own home
notebooks in the office, then attach them to the network and connect
to the corporate file resources that are located on DC's with their
domain user accounts. The goal that the customer wants is that access
to the corporate resources is only possible for machines that are
members of the domain. Network Access Authentication with 802.1x is not
an option, it would require new hardware.
Thought first to enable the user/machine right "access this computer
from the network" only to domain members. But when this setting is
effective on the DC's, it wouldn't be possible to install new machines
(over RIS) and joining them to the domain.
If anyone has another idea how to protect the file server resources
on DC's from access from unauthorized machines, I would appreciate
knowing, thank you all in advance!
Franz
"Franz Schenk" <franz.schenkNOSPAM@xxxxxxxxxxxxxxxx> wrote in message
news:e5jjoyArGHA.4240@xxxxxxxxxxxxxxxxxxxxxxx
We are researching possibilities to secure Windows 2003 Server SP1 and
Windows XP systems at a customer location with IPSec. All the domain
controllers also host other services like file and printing
resources. Have read several papers, and what's confusing me is that
according to Microsoft, domain controllers can't be protected at all.
For example, in the Microsoft document "Interoperability
Considerations for IPsec Server and Domain Isolation", downloadable
at
http://www.microsoft.com/downloads/details.aspx?FamilyId=10359569-EF11-499A-9E1F-85DA3FCA608C&displaylang=en
is the following text:
"Domain controllers: An IPsec connection between a domain controller
and a domain member is currently not supported, in part because a
client must connect to a domain controller to get a Kerberos ticket
and cannot use IPsec until after it has authenticated. (Although it
is possible to use IPsec between a domain controller and a domain
member when certificate authentication is used, doing so is also not
currently supported.)"
Is this statement still correct?
Can someone explain to me why it is not possible to secure for example
all SMB traffic with IPSec between domain controllers and client
systems?
Thank you all in advance for any help!
Franz
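An added example, not code from any poster in this thread: a PowerShell script that applies Franz's "restrict user logons to specific machines" idea by writing the Active Directory LogonWorkstations attribute and reading it back. It assumes the ActiveDirectory module, a domain-joined administrative session, and a constructed user-to-workstation mapping (the account and computer names are placeholders).

```powershell
# Added example (not from the thread): limit each user's logon to named domain
# workstations through the AD userWorkstations attribute (LogonWorkstations).
# Assumes the ActiveDirectory module is installed and the session can modify users.
Import-Module ActiveDirectory

# Constructed mapping: sAMAccountName -> allowed NetBIOS computer names.
$allowed = @{
    'user.one' = @('WS-ONE01', 'WS-ONE02')
    'user.two' = @('WS-TWO01')
}

function Set-AllowedWorkstations {
    param([hashtable]$Map, [switch]$WhatIf)
    foreach ($sam in $Map.Keys) {
        $names = $Map[$sam]
        # Only names that exist as computer accounts are accepted; anything
        # else is most likely a typo and would lock the user out silently.
        $missing = $names | Where-Object { -not (Get-ADComputer -Filter "Name -eq '$_'") }
        if ($missing) {
            Write-Warning "$sam : no computer account for $($missing -join ', '), skipped"
            continue
        }
        # The attribute is one comma-separated string of NetBIOS names.
        Set-ADUser -Identity $sam -LogonWorkstations ($names -join ',') -WhatIf:$WhatIf
    }
}

function Get-AllowedWorkstations {
    param([string[]]$Users)
    foreach ($sam in $Users) {
        $u = Get-ADUser -Identity $sam -Properties LogonWorkstations
        $list = @('<any>')
        if ($u.LogonWorkstations) { $list = $u.LogonWorkstations -split ',' }
        [pscustomobject]@{ User = $sam; Workstations = $list }
    }
}

# Apply the mapping, then report the effective restriction for each user.
# As the thread notes, this check matches the computer name only, so it is an
# obstacle for the average user rather than a strong control.
Set-AllowedWorkstations -Map $allowed
Get-AllowedWorkstations -Users ([string[]]$allowed.Keys) | Format-Table -AutoSize
```

Run with `-WhatIf` on Set-AllowedWorkstations first to see which accounts would change without writing anything.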