Re: Is total domain Isolation possible?



When you understand how authentication works, it becomes apparent why the domain controllers have to be exempt from your IPsec policies.

1. Alice powers up her computer, which is joined to the domain.
2. Alice's computer logs onto the domain (using the computer account, of course).
3. Upon successful authentication, Alice's computer receives the Kerberos ticket.
4. Alice herself then logs on.
5. Alice wants to get to some resource on a server in the domain; this server has the domain isolation IPsec policy.
6. Alice's computer establishes an IPsec security association with that resource, using Kerberos for mutual authentication.
7. Alice accesses the resource.

The IPsec policies require Kerberos as the authenticator for all security associations. This, of course, requires that all computers possess the necessary Kerberos tickets. Where do they get these tickets from? The domain controller, after successful logon. So now you can see that if your domain controllers also required Kerberos-authenticated IPsec, then member computers would never even be able to log on! Chicken, meet egg.

Another way to think about it is this. Whenever a security principal (that's you, your computer, or some service) wants to authenticate, the conversation with the authentication server (that's the domain controller) is UNAUTHENTICATED. The purpose of the conversation is to assert and prove your identity, then receive something that allows you to show to others that you are authenticated. It's like this:

1. I say: "Hello, I'm Steve" (or "I'm Steve's computer" or "I'm Steve's process").
2. Authentication server says: "Prove it. Here's a chunk of random data. Do something that'll let me validate your identity."
3. I say: "Here's your chunk of data, encrypted with my password hash."
4. Authentication server decrypts chunk it received from me, because it also has access to my password hash.
5. Authentication server says: "OK, I believe you. Here's a ticket that authorizes you to access some resources."

I've described, at a high level, how the authentication sequence in Windows works. Now that I have the ticket, I can present that to other resources and bypass the "prove it" step of authentication--because both the resource and I trust the authentication server. So while all my communications with resources are authenticated, my initial communication with the authentication server was UNAUTHENTICATED. It's through that communication process that I become authenticated. If the authentication server itself required previously-authenticated communications, then no one would get anywhere!

--
Steve Riley
steve.riley@xxxxxxxxxxxxx
http://blogs.technet.com/steriley
http://www.protectyourwindowsnetwork.com
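To make the bootstrap problem concrete, here is a small model of the exchange Steve walks through (challenge, proof with a password-derived key, ticket) with a per-host IPsec policy in front of it. This is an added illustration written for this thread, not code from Microsoft or from either poster; the host names, the account and the use of HMAC-SHA256 as a stand-in for "encrypt the challenge with my password hash" are all constructed assumptions.

```python
import hashlib
import hmac
import os

# IPsec policy modes a host can be assigned via Group Policy (constructed labels).
REQUIRE, REQUEST, EXEMPT = "require", "request", "exempt"


def password_hash(password: str) -> bytes:
    """Stand-in for the password-derived key shared by principal and DC (assumption)."""
    return hashlib.sha256(password.encode()).digest()


class AuthServer:
    """The domain controller / KDC: knows every principal's password hash."""

    def __init__(self, accounts):
        self.hashes = {name: password_hash(pw) for name, pw in accounts.items()}
        self.pending = {}

    def challenge(self, name):
        """Step 2: 'Prove it. Here's a chunk of random data.'"""
        nonce = os.urandom(16)
        self.pending[name] = nonce
        return nonce

    def verify(self, name, response):
        """Step 4/5: recompute the proof from the stored hash, issue a ticket on match."""
        nonce = self.pending.pop(name, None)
        if nonce is None or name not in self.hashes:
            return None
        expected = hmac.new(self.hashes[name], nonce, "sha256").digest()
        return ("TICKET", name) if hmac.compare_digest(expected, response) else None


def prove(password, nonce):
    """Step 3: the principal's answer, keyed only by what it knows."""
    return hmac.new(password_hash(password), nonce, "sha256").digest()


def logon(auth, policies, name, password):
    """The initial, unauthenticated conversation with the DC. The machine holds no
    ticket yet, so if the DC itself is set to REQUIRE, no security association can
    form and logon never starts (chicken, meet egg)."""
    if policies["dc"] == REQUIRE:
        return None
    return auth.verify(name, prove(password, auth.challenge(name)))


def reach(policies, host, ticket):
    """Step 6: an SA to a member host needs the ticket only if that host requires IPsec."""
    return not (policies[host] == REQUIRE and ticket is None)
```

With the DC exempted (or on "request"), member servers can stay on "require" and the chain still bootstraps; flipping the DC to "require" makes `logon` fail for every machine.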


<zakkuto@xxxxxxxxx> wrote in message news:1187790398.800138.293790@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Hello

I am trying to enhance the security on our network by implementing a
"Domain Isolation" solution by using IPsec and group policies.

The environment looks like this:
- Small network, only one site.
- Active Directory, 1 domain
- 15 x Windows Server 2003 SP2
- 300 x Windows XP SP2
- 3rd party network attached devices like HP JetDirect

We simply want to isolate the domain totally, as in, all clients and
servers ONLY communicate with IPsec traffic. By doing this, we should
be able to avoid the threat of malicious software introduced by 3rd
party notebooks or unmanaged computers being plugged into our
network.

Article Q254949 says: "Currently, we do not support the use of IPSec
to encrypt network traffic from a domain client or member server to a
domain controller when you apply the IPSec policies by using Group
Policy or when you use the Kerberos version 5 protocol authentication
method."

I guess that means I will have to use "Request IPsec" instead of
"Require IPsec" on my Domain Controllers, and that means I can't call
it isolated anymore in my opinion.

Is it possible to run a totally isolated domain with 2003/XP, or is
this one of those things I will have to wait for Vista/Longhorn to do?
