Is total domain Isolation possible?
- From: zakkuto@xxxxxxxxx
- Date: Wed, 22 Aug 2007 06:46:38 -0700
Hello
I am trying to enhance the security on our network by implementing a
"Domain Isolation" solution using IPsec and group policies.
The environment looks like this:
- Small network, only one site.
- Active Directory, 1 domain
- 15 x Windows Server 2003 SP2
- 300 x Windows XP SP2
- 3rd party network attached devices like HP JetDirect
We simply want to isolate the domain totally, as in, all clients and
servers ONLY communicate with IPsec traffic. By doing this, we should
be able to avoid the threat of malicious software introduced by 3rd
party notebooks or unmanaged computers being plugged into our
network.
Article Q254949 says: "Currently, we do not support the use of IPSec
to encrypt network traffic from a domain client or member server to a
domain controller when you apply the IPSec policies by using Group
Policy or when you use the Kerberos version 5 protocol authentication
method"
I guess that means I will have to use "Request IPsec" instead of
"Require IPsec" on my Domain Controllers, and that means I can't call
it isolated anymore in my opinion.
Is it possible to run a totally isolated domain with 2003/XP, or is
this one of those things I will have to wait for Vista/Longhorn to do?