Re: Is total domain Isolation possible?
Thanks. Not sure if you know, but conferences are my beat. I speak at about 10 of our TechEds every year around the world, plus both the spring and fall Windows Connections and TechMentor events. So much fun!

The beauty of Kerberos-authenticated IPsec for domain isolation is that that's where the "domain requirement" comes from. Kerberos authentication works only if you're domain-joined. And the only way to get the policy is to join the domain. If you introduce non-Kerberos authentication methods, then it's possible for non-domain clients to participate if they know the preshared key (or possess a correct digital certificate, yet another authentication choice).

So I guess it depends on which risk you perceive to be greater: unauthorized machines circumventing your isolation policy or attacks against domain controllers. In our experience with customers, domain controller attacks haven't been a problem. The biggest worry about domain controllers is physical security anyway.

--
Steve Riley
steve.riley@xxxxxxxxxxxxx
http://blogs.technet.com/steriley
http://www.protectyourwindowsnetwork.com
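The point above, that Kerberos machine authentication is what ties IPsec policy participation to domain membership, is easiest to see side by side with the pre-shared-key alternative. The following is an added illustration, not Steve's or Microsoft's own text; it uses the NetSecurity cmdlets of Windows 8 / Server 2012 and later rather than the XP/2003 IPsec policy tooling the thread is about, and the subnet, the DC addresses and the key value are constructed placeholders.

```powershell
# Added example: two ways to build a "require inbound IPsec" rule,
# showing why Kerberos rather than PSK is what makes isolation a
# domain requirement. Addresses and key below are constructed placeholders.

# --- Option A: Kerberos machine authentication (domain-bound) ---
# Only a computer that can obtain a Kerberos machine ticket, i.e. a
# domain-joined machine, can complete main-mode negotiation.
$kerbProposal = New-NetIPsecAuthProposal -Machine -Kerberos
$kerbAuthSet  = New-NetIPsecPhase1AuthSet -DisplayName "Machine Kerberos Auth" `
                    -Proposal $kerbProposal

New-NetIPsecRule -DisplayName "Isolation - require inbound (Kerberos)" `
    -InboundSecurity Require -OutboundSecurity Request `
    -LocalAddress Any -RemoteAddress 10.0.0.0/8 `
    -Phase1AuthSet $kerbAuthSet.Name

# --- Option B: pre-shared key (weaker; shown for contrast only) ---
# Any host that knows the key can negotiate, domain-joined or not,
# so the "you must be in the domain" property is lost and the key
# itself becomes the secret to protect.
$pskProposal = New-NetIPsecAuthProposal -Machine -PreSharedKey "PLACEHOLDER-KEY"
$pskAuthSet  = New-NetIPsecPhase1AuthSet -DisplayName "Machine PSK Auth" `
                    -Proposal $pskProposal

New-NetIPsecRule -DisplayName "Isolation - require inbound (PSK)" `
    -InboundSecurity Require -OutboundSecurity Request `
    -LocalAddress Any -RemoteAddress 10.0.0.0/8 `
    -Phase1AuthSet $pskAuthSet.Name -Enabled False   # created disabled

# --- Domain controller exemption ---
# With Option A a client needs to reach a DC to get the Kerberos ticket
# before it can negotiate IPsec, so DC traffic has to be exempt.
# Replace the addresses with your DCs.
New-NetIPsecRule -DisplayName "Exempt domain controllers" `
    -InboundSecurity None -OutboundSecurity None `
    -RemoteAddress 10.0.0.10, 10.0.0.11

# --- Check: which rules are live, and which auth method SAs actually use ---
Get-NetIPsecRule | Select-Object DisplayName, Enabled, InboundSecurity, OutboundSecurity
Get-NetIPsecMainModeSA | Select-Object LocalEndpoint, RemoteEndpoint, FirstAuthenticationMethod
```

The last two lines are the check a practitioner would run after deployment: `Get-NetIPsecMainModeSA` shows, per established security association, which first-authentication method actually negotiated, so a PSK rule that was meant to stay disabled would show up there.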


<zakkuto@xxxxxxxxx> wrote in message news:1187874319.790974.126000@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
On 22 Aug., 19:10, "Steve Riley [MSFT]" <steve.ri...@xxxxxxxxxxxxx>
wrote:

When you understand how authentication works, it becomes apparent why the
domain controllers have to be exempt from your IPsec policies.

Hello Steve

Nice explanations - you should do some CBT videos when you get the
time.

One more question though:

I still dream of the total isolation of the domain scenario. As in, no
potential security risk by having the DHCP and DC servers excluded
from IPsec encryption. I know that by enabling the firewall on the DC
and DHCP servers, they will be pretty secure by default, but they
still pose a security risk in my book. "Code Red"-like malware on
unmanaged computers might infect the servers if a vulnerability exists.

Will the total isolation be possible by using pre-shared keys instead
of Kerberos? DHCP can be solved by using a workgroup DHCP server.

Or is the total isolation just fiction so far on XP/2003?

Thanks for your time.

Kind regards, Soren
