Re: IPSec / domain isolation: confusing MS documents
- From: "Steven L Umbach" <n9rou@xxxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Tue, 25 Jul 2006 12:34:45 -0500
Hi Franz.
I thought there might be problems with Exchange, so too bad that is not a
possibility. Like I said, if the owners of the networks do not want to make
an investment in funds to update their networks, then what they want is
simply not possible using ipsec and that is their choice. I would however
suggest to them that they implement a strict computer user policy and that they
follow other best security practices such as those I mentioned that can
minimize risk.
Steve
"Franz Schenk" <franz.schenkNOSPAM@xxxxxxxxxxxxxxxx> wrote in message
news:OmdiUm8rGHA.4652@xxxxxxxxxxxxxxxxxxxxxxx
Hi Steve
Thank you very much for your work and time for the detailed feedback!
I see the main point now (never using DCs also as file servers), even if
this is difficult to realize in small companies and in branch offices of
larger companies.
We have tested the policy you mentioned (refusing NTLM and LM
authentication) in other projects and found that this doesn't work in a
Windows 2003 SP1 environment with Exchange 2003 SP2: the Mailbox Manager
process doesn't work anymore after this setting is enabled on domain
controllers.
Franz
"Steven L Umbach" <n9rou@xxxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:Or0RaB0rGHA.4240@xxxxxxxxxxxxxxxxxxxxxxx
As Mike said, the best option is to not use domain controllers as file
servers, but my guess is that will not fly. If they currently are using
managed switches, then you might see if the switches can do MAC filtering,
which could be enabled so that the table would only contain the MAC addresses
of domain computers. Of course this will not stop a determined attacker,
but it would be worth implementing and would stop the average user. The user
right "Access this computer from the network" will not work for
computer accounts unless ipsec is being used. If the customers do not
want to make any investment in equipment and/or software, then they are
pretty much stuck with what they have, and that is THEIR decision in
managing risk. Their best option at that point would be to enforce a
strict computer user policy that prohibits non-domain computers on the
network, with stated consequences.
Having said that, best practices such as keeping domain controllers
patched with critical security updates, making sure that regular users
are not in privileged domain accounts, NEVER logging onto a "not known to
be totally secure" domain computer with a domain administrator account,
disabling unneeded services on the domain controller, and enforcing
strong passwords in the domain will go a long way toward securing a domain
controller.
If the domain controllers are Windows 2003, I would use Software
Restriction Policies, creating a path rule for the folders that the users
have write access to in order to prevent any file execution from those
folders, assuming none is needed. While this may work, it should not be
considered a secure solution. If it does not cause any problem, use Domain
Controller Security Policy, go to local policies/security options, and
set the security option for LAN Manager authentication level to "Send
NTLMv2 response only\refuse LM and NTLM". The reason that may help is that
most likely the user's laptop will be configured to use LM or NTLM as the
default setting. However, using "Send NTLMv2 response only\refuse LM and NTLM"
can break some services, such as a server running remote access and maybe
Exchange, so make sure to test that setting thoroughly before
implementing.
Steve
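An added audit script (not from the thread) that checks the two settings Steve describes on a domain controller: the LAN Manager authentication level and any machine-level Software Restriction Policy path rules. It assumes Windows PowerShell run elevated on the DC; the registry paths are the standard locations for these policies and the policy names are those shown in the security options GUI.

```powershell
# Added example, not code from the thread. Assumes Windows PowerShell run
# elevated on the domain controller being audited.

function Get-LmAuthLevelReport {
    # Policy names as shown under Security Options, indexed by registry value.
    $names = @{
        0 = 'Send LM & NTLM responses'
        1 = 'Send LM & NTLM - use NTLMv2 session security if negotiated'
        2 = 'Send NTLM response only'
        3 = 'Send NTLMv2 response only'
        4 = 'Send NTLMv2 response only\refuse LM'
        5 = 'Send NTLMv2 response only\refuse LM & NTLM'
    }
    $lsa   = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $level = $lsa.LmCompatibilityLevel
    $policy = 'not set (OS default applies)'
    if ($null -ne $level) { $policy = $names[[int]$level] }
    [pscustomobject]@{
        Level       = $level
        Policy      = $policy
        RefusesNTLM = ($level -eq 5)   # level 5 is the setting Steve recommends
    }
}

function Get-SrpPathRules {
    # Machine SRP rules live under the Safer policy key: subkey 0 holds
    # Disallowed rules, 262144 holds Unrestricted ones. Each path rule is a
    # GUID subkey whose ItemData value is the path.
    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
    foreach ($lvl in @{ 0 = 'Disallowed'; 262144 = 'Unrestricted' }.GetEnumerator()) {
        $paths = Join-Path $base "$($lvl.Key)\Paths"
        if (-not (Test-Path $paths)) { continue }
        Get-ChildItem $paths | ForEach-Object {
            $rule = Get-ItemProperty $_.PSPath
            [pscustomobject]@{ Level = $lvl.Value; Path = $rule.ItemData; Description = $rule.Description }
        }
    }
}

$report = Get-LmAuthLevelReport
$report | Format-List
if (-not $report.RefusesNTLM) {
    Write-Warning 'LM/NTLM still accepted; laptops defaulting to LM/NTLM can authenticate. Test RRAS and Exchange before raising the level to 5.'
}
$rules = @(Get-SrpPathRules)
if ($rules.Count -eq 0) { Write-Warning 'No machine-level SRP path rules found for user-writable folders.' }
else { $rules | Format-Table -AutoSize }
```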
"Franz Schenk" <franz.schenkNOSPAM@xxxxxxxxxxxxxxxx> wrote in message
news:OcuAl0urGHA.1732@xxxxxxxxxxxxxxxxxxxxxxx
Thank you both for your feedback! Now it's clear to me that IPSec can't
protect resources located on DCs.
At our customers' locations, employees often bring their own home
notebooks into the office, attach them to the network, and connect to
the corporate file resources that are located on DCs with their domain
user accounts. The goal that the customer wants is that access to the
corporate resources is only possible for machines that are members of the
domain. Network Access Authentication with 802.1x is not an option; it
would require new hardware.
I first thought to grant the user/machine right "Access this computer
from the network" only to domain members. But when this setting is
effective on the DCs, it wouldn't be possible to install new machines
(over RIS) and join them to the domain.
If anyone has another idea how to protect the file server resources on
DCs from access by unauthorized machines, I would appreciate knowing;
thank you all in advance!
Franz
"Franz Schenk" <franz.schenkNOSPAM@xxxxxxxxxxxxxxxx> wrote in message
news:e5jjoyArGHA.4240@xxxxxxxxxxxxxxxxxxxxxxx
We are researching possibilities to secure Windows 2003 Server SP1 and
Windows XP systems at a customer location with IPSec. All the domain
controllers also host other services like file and printing resources.
I have read several papers, and what's confusing me is that according to
Microsoft, domain controllers can't be protected at all.
For example, in the Microsoft document "Interoperability Considerations
for IPsec Server and Domain Isolation", downloadable at
http://www.microsoft.com/downloads/details.aspx?FamilyId=10359569-EF11-499A-9E1F-85DA3FCA608C&displaylang=en
is the following text:
"Domain controllers: An IPsec connection between a domain controller
and a domain member is currently not supported, in part because a
client must connect to a domain controller to get a Kerberos ticket and
cannot use IPsec until after it has authenticated. (Although it is
possible to use IPsec between a domain controller and a domain member
when certificate authentication is used, doing so is also not currently
supported.)"
Is this statement still correct?
Can someone explain to me why it is not possible to secure, for example, all
SMB traffic with IPSec between domain controllers and client systems?
Thank you all in advance for any help!
Franz