Re: Is total domain Isolation possible?
- From: zakkuto@xxxxxxxxx
- Date: Thu, 23 Aug 2007 06:05:19 -0700
On 22 Aug., 19:10, "Steve Riley [MSFT]" <steve.ri...@xxxxxxxxxxxxx>
wrote:
> When you understand how authentication works, it becomes apparent why the
> domain controllers have to be exempt from your IPsec policies.
Hello Steve
Nice explanations - you should do some CBT videos when you get the
time.
One more question though:
I still dream of the total isolation of the domain scenario. As in, no
potential security risk by having the DHCP and DC servers excluded
from IPsec encryption. I know that by enabling the firewall on the DC
and DHCP servers, they will be pretty secure by default, but they
still pose a security risk in my book. "Code Red"-like malware on
unmanaged computers might infect the servers if a vulnerability exists.
Will the total isolation be possible by using pre-shared keys instead
of Kerberos? DHCP can be solved by using a workgroup DHCP server.
Or is the total isolation just fiction so far on XP/2003?
Thanks for your time.
Kind regards, Soren