Is it possible to secure replication?

Guest

Archived from groups: microsoft.public.win2000.security, microsoft.public.windows.server.security

I have this idea: you add 2 network cards to each DC. On each, one is used to
connect to the network, and the other to connect to each other. This link
between them you then use for replication, making it very secure. Can this
be done and how?
 
Guest

Tinfoil hat securely fastened, Jacques Koorts pounded the keyboard to produce
> I have this idea: you add 2 network cards to each DC. On each, one is used to
> connect to the network, and the other to connect to each other. This link
> between them you then use for replication, making it very secure. Can this
> be done and how?
>
You could set up a tunnel between them, but you realize that replication is
*already* secured, right?

Laura
--
They that can give up essential liberty to obtain a little temporary safety
deserve neither liberty nor safety.
-- Benjamin Franklin
 
Guest

You don't need multiple NICs.

You can use IPsec for DC to DC security, but you need to use certs or a PSK
to do this since Kerb will have issues.




"Jacques Koorts" <jkoorts@gmail.com> wrote in message
news:10ren4v8prael4e@corp.supernews.com...
> I have this idea: you add 2 network cards to each DC. On each, one is used to
> connect to the network, and the other to connect to each other. This link
> between them you then use for replication, making it very secure. Can this
> be done and how?
>
 
Guest

Then how would you do that? How would you specify tunnelling only for
replication and not for normal IP traffic?


"Laura A. Robinson" <geekwench@snip.this.hotmail.com> wrote in message
news:MPG.1c212a22ee5617f6989701@nn.bloomberg.com...
> Tinfoil hat securely fastened, Jacques Koorts pounded the keyboard to
> produce
>> I have this idea: you add 2 network cards to each DC. On each, one is used
>> to connect to the network, and the other to connect to each other. This
>> link between them you then use for replication, making it very secure.
>> Can this be done and how?
>>
> You could set up a tunnel between them, but you realize that replication
> is *already* secured, right?
>
> Laura
> --
> They that can give up essential liberty to obtain a little temporary
> safety deserve neither liberty nor safety.
> -- Benjamin Franklin
 
Guest

I don't think it's that secure. What security protocols are used? What
authentication?

To have it the most secure is to have a wire (Ethernet) physically running
between the 2 boxes. So you will have 2 cards in both systems...

"Laura A. Robinson" <geekwench@snip.this.hotmail.com> wrote in message
news:MPG.1c212a22ee5617f6989701@nn.bloomberg.com...
> Tinfoil hat securely fastened, Jacques Koorts pounded the keyboard to
> produce
>> I have this idea: you add 2 network cards to each DC. On each, one is used
>> to connect to the network, and the other to connect to each other. This
>> link between them you then use for replication, making it very secure.
>> Can this be done and how?
>>
> You could set up a tunnel between them, but you realize that replication
> is *already* secured, right?
>
> Laura
> --
> They that can give up essential liberty to obtain a little temporary
> safety deserve neither liberty nor safety.
> -- Benjamin Franklin
 
Guest

The problem is that replication of Active Directory is far from the biggest
vulnerability or the most common target. It's more common to just attack
the domain controller either through the network card attached to the
network or by attacking a client workstation or user attached to the domain
controller. If someone wanted to sniff network traffic, they wouldn't be
sniffing the replication traffic, they would be sniffing the client
authentication requests.

Microsoft has hardening guides at www.microsoft.com/technet/security, and
for Windows 2000 there are also excellent guides at www.nsa.gov/snac and
http://securityadmin.info/faq.asp#harden. These people have been securing
domain controllers in real environments for some time and know what works.
I would avoid trying to reinvent the wheel and first make sure you've gained
all you can from their documents. There are no doubt plenty of other more
important things you have not yet secured.


"Jacques Koorts" <jkoorts@gmail.com> wrote in message
news:10ren4v8prael4e@corp.supernews.com...
> I have this idea: you add 2 network cards to each DC. On each, one is used to
> connect to the network, and the other to connect to each other. This link
> between them you then use for replication, making it very secure. Can this
> be done and how?
>
 
Guest

Adding an extra NIC for this is not the way to go, as this
implies that you will be taking manual control over the
DNS records, etc., and making sure that all proper clients
have correct distance info in their routing tables so that
they never attempt use of the "DC private" NIC.

As was pointed out, Kerberos is used for machine authentication,
the AD replication traffic is already secured, and IPsec is the
way to add further integrity and privacy on the DC to DC packet
stream without having DNS uglies to deal with. There are also
policies that may be set to increase the packet level security
of communications, both in general and for schannel.

--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA
"Jacques Koorts" <jkoorts@gmail.com> wrote in message
news:10ren4v8prael4e@corp.supernews.com...
> I have this idea: you add 2 network cards to each DC. On each, one is used to
> connect to the network, and the other to connect to each other. This link
> between them you then use for replication, making it very secure. Can this
> be done and how?
>
 
Guest

Kerberos secures replication traffic for Active Directory, including AD
integrated DNS zones, and is very secure. You can also use Domain Security
Policy to change Kerberos policies as far as ticket lifetimes if you feel
the need to secure it further, at the expense of additional bandwidth and
load on the domain controllers. Installing multiple NICs on domain
controllers is something to be avoided if possible anyhow, as they end up
being master browsers and other configuration headaches can occur. ---
Steve

http://www.windowsitlibrary.com/Content/617/06/toc.html -- more info on
Kerberos.

"Jacques Koorts" <jkoorts@gmail.com> wrote in message
news:10ren4v8prael4e@corp.supernews.com...
> I have this idea: you add 2 network cards to each DC. On each, one is used to
> connect to the network, and the other to connect to each other. This link
> between them you then use for replication, making it very secure. Can this
> be done and how?
>
 
Guest

Thanks guys, will go and read up on those links

cheers
jk

"Roger Abell" <mvpNOSpam@asu.edu> wrote in message
news:%238TIuEb3EHA.2156@TK2MSFTNGP10.phx.gbl...
> Adding an extra NIC for this is not the way to go, as this
> implies that you will be taking manual control over the
> DNS records, etc., and making sure that all proper clients
> have correct distance info in their routing tables so that
> they never attempt use of the "DC private" NIC.
>
> As was pointed out, Kerberos is used for machine authentication,
> the AD replication traffic is already secured, and IPsec is the
> way to add further integrity and privacy on the DC to DC packet
> stream without having DNS uglies to deal with. There are also
> policies that may be set to increase the packet level security
> of communications, both in general and for schannel.
>
> --
> Roger Abell
> Microsoft MVP (Windows Security)
> MCSE (W2k3,W2k,Nt4) MCDBA
> "Jacques Koorts" <jkoorts@gmail.com> wrote in message
> news:10ren4v8prael4e@corp.supernews.com...
>> I have this idea: you add 2 network cards to each DC. On each, one is used
>> to connect to the network, and the other to connect to each other. This
>> link between them you then use for replication, making it very secure.
>> Can this be done and how?
>>
>
 
Guest

Kerberos isn't the transport: RPC is.

You secure RPC with IPsec, not with Kerberos. Some versions of RPC are
encrypted using other mechanisms in their own right (such as Exchange
Server).



"Steven L Umbach" <n9rou@n0-spam-for-me-comcast.net> wrote in message
news:ROMtd.159281$V41.27654@attbi_s52...
> Kerberos secures replication traffic for Active Directory, including AD
> integrated DNS zones, and is very secure. You can also use Domain Security
> Policy to change Kerberos policies as far as ticket lifetimes if you feel
> the need to secure it further, at the expense of additional bandwidth and
> load on the domain controllers. Installing multiple NICs on domain
> controllers is something to be avoided if possible anyhow, as they end up
> being master browsers and other configuration headaches can occur. ---
> Steve
>
> http://www.windowsitlibrary.com/Content/617/06/toc.html -- more info on
> Kerberos.
>
> "Jacques Koorts" <jkoorts@gmail.com> wrote in message
> news:10ren4v8prael4e@corp.supernews.com...
>> I have this idea: you add 2 network cards to each DC. On each, one is used
>> to connect to the network, and the other to connect to each other. This
>> link between them you then use for replication, making it very secure.
>> Can this be done and how?
>>
>
 
Guest

Steve,

I thought that AD replication also features some kind of encryption... At
least, Robert Deluca, a Microsoft expert, said so:

http://www.microsoft.com/technet/community/chats/trans/windowsnet/wnet_102104.mspx

--
Svyatoslav Pidgorny, MVP, MCSE
-= F1 is the key =-

"Steve Clark [MSFT]" <bogus@microsoft.com> wrote in message
news:OqDsyPk3EHA.1596@tk2msftngp13.phx.gbl...
> Kerberos isn't the transport: RPC is.
>
> You secure RPC with IPsec, not with Kerberos. Some versions of RPC are
> encrypted using other mechanisms in their own right (such as Exchange
> Server).
>
 
Guest

It is. I think he was correcting my terminology? --- Steve

http://www.microsoft.com/resources/documentation/WindowsServ/2003/all/deployguide/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/all/deployguide/en-us/dnsbd_dns_wzwd.asp

Using Active Directory Replication
Replicating zones as part of Active Directory replication provides the
following security benefits:

a. Active Directory replication traffic is encrypted; therefore zone
replication traffic is encrypted automatically.
b. The Active Directory domain controllers that perform replication are
mutually authenticated, and impersonation is not possible.
c.
"S. Pidgorny <MVP>" <slavickp@yahoo.com> wrote in message
news:OA0ZzQp3EHA.404@TK2MSFTNGP10.phx.gbl...
> Steve,
>
> I thought that AD replication also features some kind of encryption... At
> least, Robert Deluca, a Microsoft expert, said so:
>
> http://www.microsoft.com/technet/community/chats/trans/windowsnet/wnet_102104.mspx
>
> --
> Svyatoslav Pidgorny, MVP, MCSE
> -= F1 is the key =-
>
> "Steve Clark [MSFT]" <bogus@microsoft.com> wrote in message
> news:OqDsyPk3EHA.1596@tk2msftngp13.phx.gbl...
>> Kerberos isn't the transport: RPC is.
>>
>> You secure RPC with IPsec, not with Kerberos. Some versions of RPC are
>> encrypted using other mechanisms in their own right (such as Exchange
>> Server).
>>
>
>
 
Guest

My point was that Kerb is an AuthN mechanism, not a transport mechanism.

AD uses RPC and encrypts the RPCs it uses.

To go further, you would use IPsec to protect DC to DC replication (which is
supported, except that Kerberos can't be used as the AuthN for the IPsec
rule, it has to be certs or PSK).

As we all know, RPC is not inherently secure (which is why there are custom
crypto things going on there).

If we had it to do all over again, we might have used IPsec for DC to DC
replication. There is no real good reason not to when you look at it for a
while...




"Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
news:eN2iZpu3EHA.1452@TK2MSFTNGP11.phx.gbl...
> It is. I think he was correcting my terminology? --- Steve
>
> http://www.microsoft.com/resources/documentation/WindowsServ/2003/all/deployguide/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/all/deployguide/en-us/dnsbd_dns_wzwd.asp
>
> Using Active Directory Replication
> Replicating zones as part of Active Directory replication provides the
> following security benefits:
>
> a. Active Directory replication traffic is encrypted; therefore zone
> replication traffic is encrypted automatically.
> b. The Active Directory domain controllers that perform replication are
> mutually authenticated, and impersonation is not possible.
> c.
> "S. Pidgorny <MVP>" <slavickp@yahoo.com> wrote in message
> news:OA0ZzQp3EHA.404@TK2MSFTNGP10.phx.gbl...
>> Steve,
>>
>> I thought that AD replication also features some kind of encryption... At
>> least, Robert Deluca, a Microsoft expert, said so:
>>
>> http://www.microsoft.com/technet/community/chats/trans/windowsnet/wnet_102104.mspx
>>
>> --
>> Svyatoslav Pidgorny, MVP, MCSE
>> -= F1 is the key =-
>>
>> "Steve Clark [MSFT]" <bogus@microsoft.com> wrote in message
>> news:OqDsyPk3EHA.1596@tk2msftngp13.phx.gbl...
>>> Kerberos isn't the transport: RPC is.
>>>
>>> You secure RPC with IPsec, not with Kerberos. Some versions of RPC are
>>> encrypted using other mechanisms in their own right (such as Exchange
>>> Server).
>>>
>>
>>
>
>
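Added example, not from the thread or from Microsoft: this answers the earlier "how would you specify tunnelling only for replication" question and shows the cert-instead-of-Kerberos point above by scoping an IPsec requirement to just the DC-to-DC address pair. It uses the NetSecurity cmdlets of current Windows Server rather than the Windows 2000/2003 tooling the thread is about; the addresses and CA name are placeholders.

```powershell
# Run on each DC with $thisDc/$partnerDc swapped. Placeholder values.
$thisDc    = "10.0.1.10"
$partnerDc = "10.0.2.10"

# Phase 1 authentication: a machine certificate chained to the enterprise
# root CA. Kerberos is deliberately not offered as an IPsec auth method,
# since (as the thread notes) DC-to-DC IPsec must use certs or a PSK.
$certProposal = New-NetIPsecAuthProposal -Machine -Cert `
    -Authority "CN=Corp Root CA" -AuthorityType Root
$phase1 = New-NetIPsecPhase1AuthSet -DisplayName "DC-to-DC cert auth" `
    -Proposal $certProposal

# The rule matches only traffic between the two DC addresses, so ordinary
# client traffic on the same NIC is untouched. Require (not Request) in
# both directions means cleartext replication packets are dropped.
New-NetIPsecRule -DisplayName "Require IPsec for DC-to-DC replication" `
    -LocalAddress $thisDc -RemoteAddress $partnerDc `
    -InboundSecurity Require -OutboundSecurity Require `
    -Phase1AuthSet $phase1.InstanceID

# Check: once replication has run, a main-mode SA should exist for the
# partner and show certificate authentication.
Get-NetIPsecMainModeSA |
    Where-Object { $_.RemoteEndpoint -eq $partnerDc } |
    Format-List LocalEndpoint, RemoteEndpoint, FirstAuthenticationMethod
```

Deploy the rule via Group Policy on all DCs before switching from Request to Require, otherwise a DC that has not yet received the policy loses replication with its partners.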
 
Guest

Yes. AD replication traffic is authenticated and encrypted. IPsec is
goodness but not as much for AD replication :)

"Steve Clark [MSFT]" <bogus@microsoft.com> wrote in message
news:u9xaYjV4EHA.2452@TK2MSFTNGP14.phx.gbl...
> My point was that Kerb is an AuthN mechanism, not a transport mechanism.
>
> AD uses RPC and encrypts the RPCs it uses.
>
 
Guest

"Steve Clark [MSFT]" <bogus@microsoft.com> wrote in message
news:u9xaYjV4EHA.2452@TK2MSFTNGP14.phx.gbl...

> If we had it to do all over again, we might have used IPsec for DC to DC
> replication.

I think you *are* doing it all over again, e.g. Longhorn.