Re: IPSec / domain isolation: confusing MS documents

Hi Steve

Thank you very much for your work and time for the detailed feedback!

I see the main point now (never using DC's also as file servers), even if
this is difficult to realize in small companies and in branch offices in
larger comanies.

We have tested the policy you mentioned (refusing NTLM and LM
authentication) in other projects and found that this doesn't work in a
Windows 2003 SP1 environment with Exchange 2003 SP2: The Mailbox Manager
process doesn't work anymore after this setting is enabled on domain


"Steven L Umbach" <n9rou@xxxxxxxxxxxxxxxxxxxxxxxxxx> schrieb im Newsbeitrag
As Mike said the best option is to not use domain controllers for file
servers but my guess is that will not fly. If they currently are using
managed switches then you might see if the switches can do mac filtering
which could be enabled and the table would only contain the mac addresses
of domain computers. Of course this will not stop a determined attacker
but it would be worth implementing and stop the average user. The user
right for access this computer from the network will not work for computer
accounts unless ipsec is being used. If the customers do not want to make
any investment in equipment and/or software then they are pretty much
stuck with what they have and that is THEIR decision in managing risk.
Their best option at that point would be to enforce a strict computer user
policy that prohibits non domain computers on the network with stated

Having said that best practices such as keeping domain controllers patched
with critical security updates, making sure that regular users are not in
privileged domain accounts, NEVER logging onto a "not known to be totally
secure" domain computer with a domain administrator account, disabling
unneeded services on the domain controller, and using enforcing strong
passwords in the domain will go a long ways to securing a domain

If the domain controllers are Windows 2003 I would use Software
Restriction Policies creating a path rule to the folders that the users
have write access to in order to prevent any file execution from that
folder assuming none is needed. Also while this may work it should not be
considered a secure solution. If it does not cause any problem use Domain
Controller Security Policy and go to local policies/security options and
set the security option for lan manager authentication level to be send
NTLMV2 response only\refuse LM and NTLM. The reason is that may help is
most likely the user's laptop will be configured to use LM or NTLM as the
default setting. However using NTLMV2 response only\refuse LM and NTLM can
break some services such as server running remote access and maybe
Exchange so make sure to test that setting thoroughly before implementing.


"Franz Schenk" <franz.schenkNOSPAM@xxxxxxxxxxxxxxxx> wrote in message
Thank you both for your feedback! No it's clear to me that IPSec can't
protect ressources located on DC's.

On our customers location, employees often bring their own home notebooks
in the office, then attach them to the network and connect to the
corpoarte file ressources that are located on DC's with their domain user
accounts. The goal that the customer wants is that access to the
corporate resources is only possible for machines that are member of the
domain. Network Access Authentication with 802.1x is not an option, it
would require new Hardware.

Thought first to enable the user/machine right "access this computer from
the network" only to domain members. But when this setting is effective
on the DC's, it wouldn't be possible to install new machines (over RIS)
and joining them to the domain.

If anyone has another idea how to protect the file server ressources on
DC's from access from unauthorized machines, I would appreciate to know,
thank you all in advance!


"Franz Schenk" <franz.schenkNOSPAM@xxxxxxxxxxxxxxxx> schrieb im
Newsbeitrag news:e5jjoyArGHA.4240@xxxxxxxxxxxxxxxxxxxxxxx
We are reserching possibilities to secure Windows 2003 Server SP1 and
Windows XP systems at a customer location with IPSec. All the domain
controllers also host other services like file and printing ressources.
Have read several papers, and whats confusing me is that according to
Microsoft, domain controllers can't be protected at all.

For example, in the Microsoft document "Interoperability Considerations
for IPsec Server and Domain Isolation", downloadable at
is the following text:

"Domain controllers: An IPsec connection between a domain controller and
a domain member is currently not supported, in part because a client
must connect to a domain controller to get a Kerberos ticket and cannot
use IPsec until after it has authenticated. (Although it is possible to
use IPsec between a domain controller and a domain member when
certificate authentication is used, doing so is also not currently

Is this statement still correct?

Can someone explain me why it is not possible to secure for example all
SMB traffic with IPSec between domain controllers and client systems?

Thank you all in advance for any help!