Posted by zakkuto on August 22, 2007, 9:46 am
Hello
I am trying to enhance the security on our network by implementing a
"Domain Isolation" solution using IPsec and group policies.
The environment looks like this:
- Small network, only one site.
- Active Directory, 1 domain
- 15 x Windows Server 2003 SP2
- 300 x Windows XP SP2
- 3rd party network attached devices like HP JetDirect
We simply want to isolate the domain totally, as in, all clients and
servers ONLY communicate with IPsec traffic. By doing this, we should
be able to avoid the threat of malicious software introduced by 3rd
party notebooks or unmanaged computers being plugged into our
network.
Article Q254949 says: "Currently, we do not support the use of IPSec
to encrypt network traffic from a domain client or member server to a
domain controller when you apply the IPSec policies by using Group
Policy or when you use the Kerberos version 5 protocol authentication
method"
I guess that means I will have to use "Request IPsec" instead of
"Require IPsec" on my Domain Controllers, and that means I can't call
it isolated anymore in my opinion.
Is it possible to run a totally isolated domain with 2003/xp or is
this one of those things I will have to wait for Vista/Longhorn to do?
Posted by Steve Riley [MSFT] on August 22, 2007, 1:10 pm
When you understand how authentication works, it becomes apparent why the
domain controllers have to be exempt from your IPsec policies.
1. Alice powers up her computer, which is joined to the domain.
2. Alice's computer logs onto the domain (using the computer account, of
course).
3. Upon successful authentication, Alice's computer receives the Kerberos
ticket.
4. Alice herself then logs on.
5. Alice wants to get to some resource on a server in the domain; this
server has the domain isolation IPsec policy.
6. Alice's computer establishes an IPsec security association with that
resource, using Kerberos for mutual authentication.
7. Alice accesses the resource.
The IPsec policies require Kerberos as the authenticator for all security
associations. This, of course, requires that all computers possess the
necessary Kerberos tickets. Where do they get these tickets from? The domain
controller, after successful logon. So now you can see that if your domain
controllers also required Kerberos-authenticated IPsec, then member
computers would never even be able to log on! Chicken, meet egg.
Another way to think about it is this. Whenever a security principal (that's
you, your computer, or some service) wants to authenticate, the conversation
with the authentication server (that's the domain controller) is
UNAUTHENTICATED. The purpose of the conversation is to assert and prove your
identity, then receive something that allows you to show to others that you
are authenticated. It's like this:
1. I say: "Hello, I'm Steve" (or "I'm Steve's computer" or "I'm Steve's
process").
2. Authentication server says: "Prove it. Here's a chunk of random data. Do
something that'll let me validate your identity."
3. I say: "Here's your chunk of data, encrypted with my password hash."
4. Authentication server decrypts chunk it received from me, because it also
has access to my password hash.
5. Authentication server says: "OK, I believe you. Here's a ticket that
authorizes you to access some resources."
I've described, at a high level, how the authentication sequence in Windows
works. Now that I have the ticket, I can present that to other resources and
bypass the "prove it" step of authentication--because both the resource and
I trust the authentication server. So while all my communications with
resources are authenticated, my initial communication with the
authentication server was UNAUTHENTICATED. It's through that communication
process that I become authenticated. If the authentication server itself
required previously-authenticated communications, then no one would get
anywhere!
--
Steve Riley
steve.riley@microsoft.com
http://blogs.technet.com/steriley http://www.protectyourwindowsnetwork.com
Posted by zakkuto on August 23, 2007, 9:05 am
Steve Riley [MSFT] wrote:
> When you understand how authentication works, it becomes apparent why the
> domain controllers have to be exempt from your IPsec policies.
Hello Steve
Nice explanations - you should do some CBT videos when you get the
time.
One more question though:
I still dream of the total isolation of the domain scenario. As in, no
potential security risk by having the DHCP and DC servers excluded
from IPsec encryption. I know, that by enabling the firewall on the DC
and DHCP servers, they will be pretty secure by default, but they
still pose a security risk in my book. "Code Red"-like malware on
unmanaged computers might infect the servers if a vulnerability exists.
Will the total isolation be possible by using pre shared keys instead
of Kerberos? DHCP can be solved by using a workgroup DHCP server.
Or is the total isolation just fiction so far on XP/2003?
Thanks for your time.
Kind regards, Soren
Posted by Steve Riley [MSFT] on August 23, 2007, 3:36 pm
Thanks. Not sure if you know, but conferences are my beat. I speak at about
10 of our TechEds every year around the world, plus both the spring and fall
Windows Connections and TechMentor events. So much fun!
The beauty of Kerberos-authenticated IPsec for domain isolation is that
that's where the "domain requirement" comes from. Kerberos authentication
works only if you're domain-joined. And the only way to get the policy is to
join the domain. If you introduce non-Kerberos authentication methods, then
it's possible for non-domain clients to participate if they know the
preshared key (or possess a correct digital certificate, yet another
authentication choice).
So I guess it depends on which risk you perceive to be greater: unauthorized
machines circumventing your isolation policy or attacks against domain
controllers. In our experience with customers, domain controller attacks
haven't been a problem. The biggest worry about domain controllers is
physical security anyway.
--
Steve Riley
steve.riley@microsoft.com
http://blogs.technet.com/steriley http://www.protectyourwindowsnetwork.com
Posted by Mathieu CHATEAU on August 22, 2007, 1:15 pm
Hello,
You can enforce IPsec to isolate your network, but for DCs, they must also
accept unencrypted traffic so new computers can join the domain (else how
would they join the IPsec network without IPsec?).
The DHCP server can't enforce IPsec either.
Your print server will have to be able to connect to non-IPsec devices
(printers); you may add an exclusion for the printers' IP range.
You may not want to encrypt the traffic, as that needs CPU resources.
As always, the key to success is to prepare the job:
1/ Test in lab
2/ Test in lab
3/ Deploy smoothly, and IT computers first
4/ Add an IPsec debug procedure to your knowledge
Another easy way is to use the XP firewall. Do not forget that laptops may
have to be able to communicate without IPsec (like a home user with their
ADSL).
XP Firewall + Windows Defender is a good defense level too.
--
Cordialement,
Mathieu CHATEAU
http://lordoftheping.blogspot.com
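As an added example that is not part of this thread (not code from any of the posters), here is the member-computer side of the policy they describe, written for the Windows XP SP2 / Server 2003 SP2 "netsh ipsec static" context: Kerberos-authenticated, integrity-only IPsec for all traffic, with permit exemptions for the domain controllers (Steve's chicken-and-egg), the DHCP exchange and the JetDirect printer range (Mathieu's exclusions), and a request-first rollout before switching to require. The DC addresses, the printer subnet, the policy/filter names and the corp.example domain are assumptions.

```batch
@echo off
rem Added example for the thread above, not code from the original posts.
rem Assumed addresses (replace with your own):
rem   domain controllers  10.0.0.10 and 10.0.0.11
rem   JetDirect printers  10.0.5.0/24 (cannot do IPsec)
rem Run on a Server 2003 member as a domain admin.

rem --- policy store: local for lab testing, domain for Group Policy delivery ---
netsh ipsec static set store location=local
rem netsh ipsec static set store location=domain domain=corp.example
rem (in the domain store the policy is assigned through the GPO, not assign=yes)

rem --- filter lists ---
netsh ipsec static add filterlist name="DI - All IP Traffic" description="Everything to/from this host"
netsh ipsec static add filter filterlist="DI - All IP Traffic" srcaddr=me dstaddr=any protocol=any mirrored=yes

rem Domain controllers must be reachable in the clear: the Kerberos ticket that
rem authenticates every IPsec SA is obtained from them first (Q254949).
netsh ipsec static add filterlist name="DI - Exempt Domain Controllers"
netsh ipsec static add filter filterlist="DI - Exempt Domain Controllers" srcaddr=me dstaddr=10.0.0.10 protocol=any mirrored=yes
netsh ipsec static add filter filterlist="DI - Exempt Domain Controllers" srcaddr=me dstaddr=10.0.0.11 protocol=any mirrored=yes

rem DHCP: DISCOVER leaves from 0.0.0.0 before the host has an address, so the
rem filter is written any/any on the DHCP ports instead of "me".
netsh ipsec static add filterlist name="DI - Exempt DHCP"
netsh ipsec static add filter filterlist="DI - Exempt DHCP" srcaddr=any dstaddr=any protocol=UDP srcport=68 dstport=67 mirrored=yes

rem Devices that cannot do IPsec get an address-range exemption.
netsh ipsec static add filterlist name="DI - Exempt Printers"
netsh ipsec static add filter filterlist="DI - Exempt Printers" srcaddr=me dstaddr=10.0.5.0 dstmask=255.255.255.0 protocol=any mirrored=yes

rem --- filter actions ---
rem ESP with null encryption and SHA-1 integrity: proves the peer is a domain
rem member without the CPU cost of encrypting every packet.
rem Phase 1, "Request": accept unsecured inbound and fall back to clear text when
rem the peer never answers IKE. Use this during rollout so nothing breaks.
netsh ipsec static add filteraction name="DI - Request Security" action=negotiate inpass=yes soft=yes qmsecmethods="ESP[None,SHA1]"
rem Phase 2, "Require": no unsecured inbound, no fallback to clear.
netsh ipsec static add filteraction name="DI - Require Security" action=negotiate inpass=no soft=no qmsecmethods="ESP[None,SHA1]"
netsh ipsec static add filteraction name="DI - Permit" action=permit

rem --- policy and rules ---
rem Windows IPsec applies the most specific matching filter, so the narrow
rem exemption filters win over "all traffic" for DC, DHCP and printer packets.
rem kerberos=yes is what ties the policy to domain membership; psk="..." or
rem rootca="..." would let any host with the key or a certificate participate.
netsh ipsec static add policy name="Domain Isolation" description="Kerberos-authenticated IPsec between domain members"
netsh ipsec static add rule name="Negotiate all traffic" policy="Domain Isolation" filterlist="DI - All IP Traffic" filteraction="DI - Request Security" kerberos=yes
netsh ipsec static add rule name="Exempt DCs" policy="Domain Isolation" filterlist="DI - Exempt Domain Controllers" filteraction="DI - Permit"
netsh ipsec static add rule name="Exempt DHCP" policy="Domain Isolation" filterlist="DI - Exempt DHCP" filteraction="DI - Permit"
netsh ipsec static add rule name="Exempt printers" policy="Domain Isolation" filterlist="DI - Exempt Printers" filteraction="DI - Permit"

rem Switch to enforcement once every managed host negotiates successfully:
rem netsh ipsec static set rule name="Negotiate all traffic" policy="Domain Isolation" filteraction="DI - Require Security"

netsh ipsec static set policy name="Domain Isolation" assign=yes

rem Verify on a client: the assigned policy and the quick-mode SAs it has built.
netsh ipsec static show policy name="Domain Isolation" level=verbose
netsh ipsec dynamic show qmsa
```

Two caveats a practitioner should keep in mind. The domain controllers themselves receive no "Require" policy; they are exempted by address on every member, so any host that can claim a DC address (or sit on the unmanaged segment with the DCs) still talks to members in clear text, which is exactly the residual risk Soren describes. And the "Request" action with soft=yes silently falls back to clear text for any peer that does not answer IKE, so check the quick-mode SAs on a sample of hosts before flipping the rule to "Require".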