Re: IPSec / domain isolation: confusing MS documents



Thank you all for your input and ideas, and also the hint from Miha to the
interesting KB article 822158.

Have also found an interesting checklist at
http://searchwindowssecurity.techtarget.com/tip/1,289483,sid45_gci1024016,00.html.
There is an additional idea: Restrict User Logons to specific machines. Have
tested this in a VM environment and it works as expected. A user with his
private notebook cannot attach to resources on the server with his user
credentials. It's not very good security, because when the home user renames
his private notebook to the same name as his corporate workstation, he is
able to attach to server resources again, but for our customer, it's a
useful obstacle for the average user.

Franz
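As an added example (not code from the thread), the "restrict user logons to specific machines" setting described above, applied and audited with the later ActiveDirectory PowerShell module rather than the Windows 2003 era tools the thread mentions; account and computer names are constructed placeholders:

```powershell
# Added example, not part of the original thread. Sets the AD "Log On To..." restriction
# (userWorkstations attribute, exposed as -LogonWorkstations) and audits unrestricted users.
# Assumes the RSAT ActiveDirectory module; account and computer names are placeholders.
Import-Module ActiveDirectory

# Constructed sample mapping: user -> NetBIOS names of the corporate workstations allowed
$allowed = @{
    'jdoe'   = @('CORP-WS01', 'CORP-WS02')
    'asmith' = @('CORP-WS03')
}

foreach ($sam in $allowed.Keys) {
    # The attribute stores a comma-separated list of NetBIOS computer names; the
    # "Log On To" dialog accepts at most 64 entries.
    $names = @($allowed[$sam] | ForEach-Object { $_.ToUpper() } | Select-Object -Unique)
    if ($names.Count -gt 64) { throw "${sam}: more than 64 workstations are not supported" }
    Set-ADUser -Identity $sam -LogonWorkstations ($names -join ',')
    Write-Host "$sam may log on only from: $($names -join ', ')"
}

# Audit: enabled users that still have no workstation restriction (attribute empty)
Get-ADUser -Filter 'Enabled -eq $true' -Properties LogonWorkstations |
    Where-Object { [string]::IsNullOrEmpty($_.LogonWorkstations) } |
    Select-Object SamAccountName, DistinguishedName
```

The restriction is evaluated against the computer name the client presents at logon, which is the limitation noted above, so it is an obstacle for the average user rather than a boundary against a determined one.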

"Steven L Umbach" <n9rou@xxxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:O6hxeCBsGHA.696@xxxxxxxxxxxxxxxxxxxxxxx
Hi Franz.

I thought there might be problems with Exchange, so too bad that is not a
possibility. Like I said, if the owners of the networks do not want to make
an investment in funds to update their networks, then what they want is
simply not possible using IPsec and that is their choice. I would however
suggest to them that they implement a strict computer user policy and
follow other best security practices such as those I mentioned that can
minimize risk.

Steve

"Franz Schenk" <franz.schenkNOSPAM@xxxxxxxxxxxxxxxx> wrote in message
news:OmdiUm8rGHA.4652@xxxxxxxxxxxxxxxxxxxxxxx
Hi Steve

Thank you very much for your work and time for the detailed feedback!

I see the main point now (never using DCs also as file servers), even if
this is difficult to realize in small companies and in branch offices in
larger companies.

We have tested the policy you mentioned (refusing NTLM and LM
authentication) in other projects and found that this doesn't work in a
Windows 2003 SP1 environment with Exchange 2003 SP2: the Mailbox Manager
process doesn't work anymore after this setting is enabled on domain
controllers.

Franz

"Steven L Umbach" <n9rou@xxxxxxxxxxxxxxxxxxxxxxxxxx> wrote in
message news:Or0RaB0rGHA.4240@xxxxxxxxxxxxxxxxxxxxxxx
As Mike said, the best option is to not use domain controllers for file
servers, but my guess is that will not fly. If they currently are using
managed switches, then you might see if the switches can do MAC filtering,
which could be enabled so that the table would only contain the MAC
addresses of domain computers. Of course this will not stop a determined
attacker, but it would be worth implementing and would stop the average user.
The user right "access this computer from the network" will not work
for computer accounts unless IPsec is being used. If the customers do
not want to make any investment in equipment and/or software, then they
are pretty much stuck with what they have and that is THEIR decision in
managing risk. Their best option at that point would be to enforce a
strict computer user policy that prohibits non-domain computers on the
network, with stated consequences.

Having said that, best practices such as keeping domain controllers
patched with critical security updates, making sure that regular users
are not in privileged domain accounts, NEVER logging onto a "not known
to be totally secure" domain computer with a domain administrator
account, disabling unneeded services on the domain controller, and using
and enforcing strong passwords in the domain will go a long way to securing
a domain controller.

If the domain controllers are Windows 2003, I would use Software
Restriction Policies, creating a path rule for the folders that the users
have write access to in order to prevent any file execution from those
folders, assuming none is needed. Also, while this may work, it should not
be considered a secure solution. If it does not cause any problem, use
Domain Controller Security Policy, go to local policies/security
options and set the security option for LAN Manager authentication level
to "Send NTLMv2 response only\refuse LM and NTLM". The reason that may
help is that most likely the user's laptop will be configured to use LM
or NTLM as the default setting. However, using "Send NTLMv2 response
only\refuse LM and NTLM" can break some services, such as a server running
remote access and maybe Exchange, so make sure to test that setting
thoroughly before implementing.

Steve
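As an added example (not code from the thread), an audit of the LAN Manager authentication level on every domain controller, so the setting discussed above can be checked before and after the policy is rolled out; it uses the later ActiveDirectory PowerShell module and PowerShell remoting, which the Windows 2003 systems in the thread would not have:

```powershell
# Added example, not part of the original thread. Reads the LAN Manager authentication level
# (HKLM\SYSTEM\CurrentControlSet\Control\Lsa\LmCompatibilityLevel) from every domain
# controller and reports which ones still accept LM or NTLM responses.
# Assumes the RSAT ActiveDirectory module and WinRM access to the DCs.
Import-Module ActiveDirectory

# Values of the policy "Network security: LAN Manager authentication level"
$levelNames = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM - use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only\refuse LM'
    5 = 'Send NTLMv2 response only\refuse LM & NTLM'
}

$results = foreach ($dc in Get-ADDomainController -Filter *) {
    $level = Invoke-Command -ComputerName $dc.HostName -ScriptBlock {
        (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
            -Name LmCompatibilityLevel -ErrorAction SilentlyContinue).LmCompatibilityLevel
    }
    # An absent value means the operating system default applies.
    if ($null -eq $level) {
        $meaning = '(not set: OS default)'
    } else {
        $meaning = $levelNames[[int]$level]
    }
    [pscustomobject]@{
        DC            = $dc.HostName
        Level         = $level
        Meaning       = $meaning
        RefusesLMNTLM = ([int]$level -eq 5)   # the level recommended above, after testing
    }
}

$results | Format-Table -AutoSize
```

Change the level through the Domain Controller Security Policy (Group Policy) as described above rather than by editing the registry directly, so the setting is applied consistently and survives policy refresh.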


"Franz Schenk" <franz.schenkNOSPAM@xxxxxxxxxxxxxxxx> wrote in message
news:OcuAl0urGHA.1732@xxxxxxxxxxxxxxxxxxxxxxx
Thank you both for your feedback! Now it's clear to me that IPsec can't
protect resources located on DCs.

At our customer's location, employees often bring their own home
notebooks into the office, then attach them to the network and connect to
the corporate file resources that are located on DCs with their
domain user accounts. The goal the customer wants is that access
to the corporate resources is only possible for machines that are
members of the domain. Network Access Authentication with 802.1X is not
an option; it would require new hardware.

Thought first to grant the user/machine right "access this computer
from the network" only to domain members. But when this setting is
effective on the DCs, it wouldn't be possible to install new machines
(over RIS) and join them to the domain.

If anyone has another idea how to protect the file server resources on
DCs from access by unauthorized machines, I would appreciate knowing;
thank you all in advance!

Franz

"Franz Schenk" <franz.schenkNOSPAM@xxxxxxxxxxxxxxxx> wrote in
message news:e5jjoyArGHA.4240@xxxxxxxxxxxxxxxxxxxxxxx
We are researching possibilities to secure Windows 2003 Server SP1 and
Windows XP systems at a customer location with IPsec. All the domain
controllers also host other services like file and printing
resources. Have read several papers, and what's confusing me is that
according to Microsoft, domain controllers can't be protected at all.

For example, in the Microsoft document "Interoperability
Considerations for IPsec Server and Domain Isolation", downloadable at
http://www.microsoft.com/downloads/details.aspx?FamilyId=10359569-EF11-499A-9E1F-85DA3FCA608C&displaylang=en
is the following text:

"Domain controllers: An IPsec connection between a domain controller
and a domain member is currently not supported, in part because a
client must connect to a domain controller to get a Kerberos ticket
and cannot use IPsec until after it has authenticated. (Although it is
possible to use IPsec between a domain controller and a domain member
when certificate authentication is used, doing so is also not
currently supported.)"

Is this statement still correct?

Can someone explain to me why it is not possible to secure, for example,
all SMB traffic with IPsec between domain controllers and client
systems?

Thank you all in advance for any help!

Franz
