IPSec / domain isolation: confusing MS documents
- From: "Franz Schenk" <franz.schenkNOSPAM@xxxxxxxxxxxxxxxx>
- Date: Thu, 20 Jul 2006 16:56:15 +0200
We are researching possibilities to secure Windows 2003 Server SP1 and
Windows XP systems at a customer location with IPSec. All the domain
controllers also host other services like file and printing resources. I have
read several papers, and what's confusing me is that according to Microsoft,
domain controllers can't be protected at all.
For example, in the Microsoft document "Interoperability Considerations for
IPsec Server and Domain Isolation", downloadable at
http://www.microsoft.com/downloads/details.aspx?FamilyId=10359569-EF11-499A-9E1F-85DA3FCA608C&displaylang=en
is the following text:
"Domain controllers: An IPsec connection between a domain controller and a
domain member is currently not supported, in part because a client must
connect to a domain controller to get a Kerberos ticket and cannot use IPsec
until after it has authenticated. (Although it is possible to use IPsec
between a domain controller and a domain member when certificate
authentication is used, doing so is also not currently supported.)"
Is this statement still correct?
Can someone explain to me why it is not possible to secure, for example, all SMB
traffic with IPSec between domain controllers and client systems?
Thank you all in advance for any help!
Franz