Posted by Miha Pihler [MVP] on July 24, 2006, 5:12 am
Hi Franz,
Well, in my opinion -- file resources should not be on a DC in the first place.
That would solve a lot of (potential) problems... (e.g. potential virus
infection of a DC with files dropped off by users).
If you have antivirus installed on your DC, did you consider this:
Virus scanning recommendations for computers that are running Windows Server
2003, Windows 2000, or Windows XP
http://support.microsoft.com/kb/822158/
Especially this part:
For Windows Server 2003 and Windows 2000 domain controllers
--
Mike
Microsoft MVP - Windows Security
> Thank you both for your feedback! Now it's clear to me that IPSec can't
> protect resources located on DCs.
>
> At our customer's location, employees often bring their own home notebooks
> into the office, then attach them to the network and connect to the
> corporate file resources that are located on DCs with their domain user
> accounts. The goal the customer wants is that access to the corporate
> resources is only possible for machines that are members of the domain.
> Network Access Authentication with 802.1x is not an option, it would
> require new hardware.
>
> I first thought of granting the user/machine right "access this computer from
> the network" only to domain members. But when this setting is effective on
> the DCs, it wouldn't be possible to install new machines (over RIS) and
> join them to the domain.
>
> If anyone has another idea how to protect the file server resources on
> DCs from access by unauthorized machines, I would appreciate knowing it;
> thank you all in advance!
>
> Franz
>
>> We are researching possibilities to secure Windows 2003 Server SP1 and
>> Windows XP systems at a customer location with IPSec. All the domain
>> controllers also host other services like file and printing resources.
>> I have read several papers, and what's confusing me is that according to
>> Microsoft, domain controllers can't be protected at all.
>>
>> For example, in the Microsoft document "Interoperability Considerations
>> for IPsec Server and Domain Isolation", downloadable at
>> is the following text:
>>
>> "Domain controllers: An IPsec connection between a domain controller and
>> a domain member is currently not supported, in part because a client must
>> connect to a domain controller to get a Kerberos ticket and cannot use
>> IPsec until after it has authenticated. (Although it is possible to use
>> IPsec between a domain controller and a domain member when certificate
>> authentication is used, doing so is also not currently supported.)"
>>
>> Is this statement still correct?
>>
>> Can someone explain to me why it is not possible to secure, for example, all
>> SMB traffic with IPSec between domain controllers and client systems?
>>
>> Thank you all in advance for any help!
>>
>> Franz
>
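The Microsoft guidance quoted in the thread (no IPsec between domain members and domain controllers, because a client needs a Kerberos ticket from the DC before IKE can authenticate it) combined with Mike's advice (keep file shares off the DC) can be expressed as a concrete Windows Server 2003 policy built with "netsh ipsec static". The script below is an added example and is not code from the thread, from Microsoft or from the customer; it assumes a dedicated member file server, two domain controllers at the placeholder addresses 192.0.2.10 and 192.0.2.11, and that domain-joined clients receive the built-in "Client (Respond Only)" policy through Group Policy. The policy, filter list, filter action and rule names are illustrative.

```batch
@echo off
REM Added example (not from the thread): domain-isolation IPsec policy for a
REM member file server on Windows Server 2003, built with netsh ipsec static.
REM Run as a local administrator on the file server, never on a DC.
REM The DC addresses are placeholders (RFC 5737 documentation range).

set POLICY=Domain Isolation - File Server
set DC1=192.0.2.10
set DC2=192.0.2.11

REM 1. Policy container (unassigned until the last step).
netsh ipsec static add policy name="%POLICY%" description="Require IPsec from domain members; exempt domain controllers"

REM 2. Exemption filter list: traffic to and from the DCs stays in the clear,
REM    because Kerberos, LDAP and (if hosted there) DNS must work before a
REM    client can authenticate an IKE negotiation. mirrored=yes covers both
REM    directions with one filter.
netsh ipsec static add filterlist name="DC Exempt" description="Traffic to and from domain controllers"
netsh ipsec static add filter filterlist="DC Exempt" srcaddr=me dstaddr=%DC1% protocol=any mirrored=yes
netsh ipsec static add filter filterlist="DC Exempt" srcaddr=me dstaddr=%DC2% protocol=any mirrored=yes

REM 3. Everything else that reaches this server must be negotiated.
netsh ipsec static add filterlist name="All Inbound" description="All traffic to this server"
netsh ipsec static add filter filterlist="All Inbound" srcaddr=any dstaddr=me protocol=any mirrored=yes

REM 4. Filter actions. "Permit" for the DC exemption; "Require ESP" negotiates
REM    security and refuses clear text: inpass=no rejects unsecured inbound
REM    packets, soft=no forbids falling back to clear when IKE fails.
netsh ipsec static add filteraction name="Permit" action=permit
netsh ipsec static add filteraction name="Require ESP" action=negotiate inpass=no soft=no qmsecmethods="ESP[3DES,SHA1]:100000k/3600s"

REM 5. Rules. Windows IPsec picks the most specific matching filter, so the
REM    DC filters (single addresses) win over the any-to-me filter regardless
REM    of rule order. IKE authenticates peers with Kerberos, which only a
REM    domain-joined machine can complete.
netsh ipsec static add rule name="Exempt DCs" policy="%POLICY%" filterlist="DC Exempt" filteraction="Permit"
netsh ipsec static add rule name="Require from members" policy="%POLICY%" filterlist="All Inbound" filteraction="Require ESP" kerberos=yes

REM 6. Assign the policy (only one policy can be assigned per computer) and
REM    show the result for review.
netsh ipsec static set policy name="%POLICY%" assign=yes
netsh ipsec static show policy name="%POLICY%" level=verbose
```

With this in place a home notebook that is not a domain member cannot complete the Kerberos-authenticated IKE exchange, so its SMB connection to the file server never gets past IKE even though the user types a valid domain account; that is the customer's goal, and it only becomes reachable once the shares have left the DC, since the DC itself has to stay exempt. Two practical checks before rolling this out: confirm that nothing unjoined needs this server (a RIS or DHCP role on the same box would break under inpass=no), and confirm the client side really has a respond-only or request-security policy assigned, otherwise domain members are locked out as well.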