Re: IPSec / domain isolation: confusing MS documents



As Mike said, the best option is to not use domain controllers for file
servers, but my guess is that will not fly. If they currently are using
managed switches then you might see if the switches can do MAC filtering,
which could be enabled so that the table would only contain the MAC addresses of
domain computers. Of course this will not stop a determined attacker, but it
would be worth implementing and would stop the average user. The user right for
"access this computer from the network" will not work for computer accounts
unless IPsec is being used. If the customers do not want to make any
investment in equipment and/or software then they are pretty much stuck with
what they have, and that is THEIR decision in managing risk. Their best
option at that point would be to enforce a strict computer use policy that
prohibits non-domain computers on the network, with stated consequences.

Having said that, best practices such as keeping domain controllers patched
with critical security updates, making sure that regular users are not in
privileged domain accounts, NEVER logging onto a "not known to be totally
secure" domain computer with a domain administrator account, disabling
unneeded services on the domain controller, and enforcing strong
passwords in the domain will go a long way toward securing a domain controller.

If the domain controllers are Windows 2003 I would use Software Restriction
Policies, creating a path rule for the folders that the users have write
access to, in order to prevent any file execution from those folders, assuming
none is needed. Also, while this may work, it should not be considered a
secure solution. If it does not cause any problem, use Domain Controller
Security Policy, go to local policies/security options and set the
security option for LAN Manager authentication level to "send NTLMv2
response only\refuse LM and NTLM". The reason that may help is that most likely
the user's laptop will be configured to use LM or NTLM as the default
setting. However, using "NTLMv2 response only\refuse LM and NTLM" can break
some services, such as a server running remote access and maybe Exchange, so
make sure to test that setting thoroughly before implementing.

Steve
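As an added example (not code from the thread or from Microsoft), the following read-only PowerShell audit reports the two settings Steve recommends on a Windows 2003 DC: the LAN Manager authentication level and the Software Restriction Policy path rules at the Disallowed level. The default folder list is an assumed placeholder; replace it with the user-writable share paths on your own domain controllers.

```powershell
# Added example, not from the thread: read-only audit of Steve's two DC settings.
# Run as an administrator on the DC. Nothing is changed; it only reports.
param(
    # Assumed placeholder paths: substitute the user-writable shares on your DC.
    [string[]]$UserWritablePaths = @('D:\Shares\Users', 'D:\Shares\Public')
)

# 1. LAN Manager authentication level (Local policies / Security options).
$lmNames = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM - use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only\refuse LM'
    5 = 'Send NTLMv2 response only\refuse LM & NTLM'
}
$lsa   = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$level = $lsa.LmCompatibilityLevel
if ($null -eq $level) {
    # Value absent: the OS default applies (0 on Windows XP, 2 on Windows Server 2003).
    Write-Output 'LmCompatibilityLevel: not set (OS default applies)'
} else {
    Write-Output ("LmCompatibilityLevel: {0} = {1}" -f $level, $lmNames[[int]$level])
}
if ($level -lt 5) {
    Write-Output '  -> LM/NTLM still accepted; level 5 refuses them. Test RRAS/Exchange before enforcing.'
}

# 2. Software Restriction Policy path rules at the Disallowed level (subkey 0).
$safer = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$disallowed = @()
if (Test-Path "$safer\0\Paths") {
    Get-ChildItem "$safer\0\Paths" | ForEach-Object {
        $rule = Get-ItemProperty $_.PSPath
        # ItemData holds the rule path; expand %SystemRoot%-style variables for comparison.
        $disallowed += [Environment]::ExpandEnvironmentVariables($rule.ItemData)
    }
}
Write-Output ("Disallowed SRP path rules: {0}" -f $disallowed.Count)
$disallowed | ForEach-Object { Write-Output "  $_" }

# 3. Report which user-writable folders have no Disallowed rule covering them.
foreach ($folder in $UserWritablePaths) {
    $covered = $disallowed | Where-Object { $folder.TrimEnd('\') -like ($_.TrimEnd('\') + '*') }
    if ($covered) { Write-Output "OK       $folder (rule: $($covered[0]))" }
    else          { Write-Output "MISSING  $folder has no Disallowed path rule" }
}
```

A folder reported as MISSING is one where users can both write and execute, which is the gap the path rule is meant to close; a level below 5 means the DC still answers LM or NTLMv1 challenges from non-domain laptops.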


"Franz Schenk" <franz.schenkNOSPAM@xxxxxxxxxxxxxxxx> wrote in message
news:OcuAl0urGHA.1732@xxxxxxxxxxxxxxxxxxxxxxx
Thank you both for your feedback! Now it's clear to me that IPSec can't
protect resources located on DCs.

At our customer's location, employees often bring their own home notebooks
into the office, then attach them to the network and connect to the
corporate file resources that are located on DCs with their domain user
accounts. The goal that the customer wants is that access to the corporate
resources is only possible for machines that are members of the domain.
Network Access Authentication with 802.1x is not an option; it would
require new hardware.

I first thought to grant the user/machine right "access this computer from
the network" only to domain members. But when this setting is effective on
the DCs, it wouldn't be possible to install new machines (over RIS) and
join them to the domain.

If anyone has another idea how to protect the file server resources on
DCs from access by unauthorized machines, I would appreciate knowing;
thank you all in advance!

Franz

"Franz Schenk" <franz.schenkNOSPAM@xxxxxxxxxxxxxxxx> wrote in
message news:e5jjoyArGHA.4240@xxxxxxxxxxxxxxxxxxxxxxx
We are researching possibilities to secure Windows 2003 Server SP1 and
Windows XP systems at a customer location with IPSec. All the domain
controllers also host other services like file and printing resources.
I have read several papers, and what's confusing me is that according to
Microsoft, domain controllers can't be protected at all.

For example, in the Microsoft document "Interoperability Considerations
for IPsec Server and Domain Isolation", downloadable at
http://www.microsoft.com/downloads/details.aspx?FamilyId=10359569-EF11-499A-9E1F-85DA3FCA608C&displaylang=en
is the following text:

"Domain controllers: An IPsec connection between a domain controller and
a domain member is currently not supported, in part because a client must
connect to a domain controller to get a Kerberos ticket and cannot use
IPsec until after it has authenticated. (Although it is possible to use
IPsec between a domain controller and a domain member when certificate
authentication is used, doing so is also not currently supported.)"

Is this statement still correct?

Can someone explain to me why it is not possible to secure, for example, all
SMB traffic with IPSec between domain controllers and client systems?

Thank you all in advance for any help!

Franz
