Re: IPSec / domain isolation: confusing MS documents
- From: "Franz Schenk" <franz.schenkNOSPAM@xxxxxxxxxxxxxxxx>
- Date: Mon, 24 Jul 2006 08:48:15 +0200
Thank you both for your feedback! Now it's clear to me that IPSec can't
protect resources located on DCs.
At our customer's location, employees often bring their own home notebooks into
the office, then attach them to the network and connect to the corporate
file resources that are located on DCs with their domain user accounts.
The goal that the customer wants is that access to the corporate resources
is only possible for machines that are members of the domain. Network Access
Authentication with 802.1x is not an option; it would require new hardware.
I first thought of granting the user/machine right "Access this computer from
the network" only to domain members. But when this setting is effective on
the DCs, it wouldn't be possible to install new machines (over RIS) and
join them to the domain.
If anyone has another idea how to protect the file server resources on DCs
from access by unauthorized machines, I would appreciate knowing; thank
you all in advance!
Franz
"Franz Schenk" <franz.schenkNOSPAM@xxxxxxxxxxxxxxxx> wrote in message
news:e5jjoyArGHA.4240@xxxxxxxxxxxxxxxxxxxxxxx
We are researching possibilities to secure Windows 2003 Server SP1 and
Windows XP systems at a customer location with IPSec. All the domain
controllers also host other services like file and printing resources.
I have read several papers, and what's confusing me is that according to
Microsoft, domain controllers can't be protected at all.
For example, in the Microsoft document "Interoperability Considerations
for IPsec Server and Domain Isolation", downloadable at
http://www.microsoft.com/downloads/details.aspx?FamilyId=10359569-EF11-499A-9E1F-85DA3FCA608C&displaylang=en
is the following text:
"Domain controllers: An IPsec connection between a domain controller and a
domain member is currently not supported, in part because a client must
connect to a domain controller to get a Kerberos ticket and cannot use
IPsec until after it has authenticated. (Although it is possible to use
IPsec between a domain controller and a domain member when certificate
authentication is used, doing so is also not currently supported.)"
Is this statement still correct?
Can someone explain to me why it is not possible to secure, for example, all
SMB traffic with IPSec between domain controllers and client systems?
Thank you all in advance for any help!
Franz