secure server policy

Archived from groups: microsoft.public.win2000.security (More info?)

hi
I experienced a problem when I deployed the default Secure Server IPsec policy to my whole domain. Some clients didn't join after a restart. We waited a very long time. We logged on to the local machine and edited the local policy, assigning Secure Server locally. Then the machine restarted, and the client machine logged on successfully.
I want to know: can't we apply the Secure Server policy to the whole domain?
 

Hi,

What clients do you use? At what level did you set the policy (domain level,
OU level)? Are all clients part of the domain?

My advice would be: turn the IPsec policy on on servers (Require Security),
while on clients turn on e.g. Request Security...

Mike

"new question" <new question@discussions.microsoft.com> wrote in message
news:448147CF-76FE-4C37-8853-F68C60F330FD@microsoft.com...
 

Be very careful with IPsec policies. IPsec policies between domain members must
exempt domain controllers based on their static IP addresses, or you will
experience a lot of problems. MS does not support an IPsec negotiation policy
between domain members and domain controllers because of the way machine
authentication works in IPsec. See the links below for more details. --- Steve

http://support.microsoft.com/?kbid=254949
http://tinyurl.com/3yvnl -- link to a previous thread on this topic.

From the Windows 2003 Deployment Guide:
Requiring IPSec for communication between Active Directory domain members and
domain controllers might block connections
IPSec is based on the authentication of computers on a network; therefore,
before a computer can send IPSec-protected data, it must be authenticated. The
Active Directory security domain provides this authentication using the Kerberos
protocol. Accordingly, when IKE uses Kerberos to authenticate, the Kerberos
protocol and other dependent protocols (DNS, UDP, LDAP and ICMP) are used for
communication with domain controllers. Additionally, Active Directory-based
IPSec policy settings are typically applied to domain members through Group
Policy. As a result, if IPSec is required from domain members to the domain
controllers, authentication traffic will be blocked and IPSec communications
will fail. In addition, no other authenticated connections can be made using
other protocols, and no other IPSec policy settings can be applied to that
domain member through Group Policy. **For these reasons, using IPSec for
communications between domain members and domain controllers is not supported**


"new question" <new question@discussions.microsoft.com> wrote in message
news:448147CF-76FE-4C37-8853-F68C60F330FD@microsoft.com...
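An added example, not from this thread, of the check Steve's post implies: enumerate every domain controller's address from DNS and flag any DC that is missing from the Require Security policy's exemption list. It assumes the machine can resolve the domain's _msdcs SRV records and that $Exempt holds the addresses already in your exemption filter list (the values below are constructed placeholders).

```powershell
# Added example (not the thread's or Microsoft's own code).
# Lists DC addresses that a Require-Security IPsec policy must exempt and
# reports any DC whose address is not in the supplied exemption list.
param(
  [string]   $Domain = $env:USERDNSDOMAIN,
  [string[]] $Exempt = @('10.0.0.10', '10.0.0.11')   # constructed sample values
)

# Every domain controller registers an SRV record under _ldap._tcp.dc._msdcs.<domain>.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction Stop

# Resolve each SRV target to its A records (a DC may have more than one address).
$dcs = foreach ($rec in ($srv | Where-Object { $_.Type -eq 'SRV' })) {
  $a = Resolve-DnsName -Name $rec.NameTarget -Type A -ErrorAction SilentlyContinue
  foreach ($addr in ($a | Where-Object { $_.Type -eq 'A' })) {
    [pscustomobject]@{ Host = $rec.NameTarget; IP = $addr.IPAddress }
  }
}

# Any DC address absent from the exemption list will be subject to the
# Require Security rule, and domain members will be unable to authenticate.
$missing = $dcs | Where-Object { $Exempt -notcontains $_.IP }
if ($missing) {
  Write-Warning "DCs not exempted from the IPsec policy (authentication to them will fail):"
  $missing | Format-Table -AutoSize
} else {
  "All $(@($dcs).Count) DC addresses are present in the exemption list."
}
```

Run it again after any DC is added, re-addressed or demoted, since the exemption list is keyed on static IPs and silently goes stale.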
 

I applied the policy at domain level. And my clients are W2K3 and XP.


"Miha Pihler" wrote:

 

Thanks a lot;
What is the solution to protect authentication data from client to DC?

"Steven Umbach" wrote:

 

Authentication data to the DC is already protected using the Kerberos protocol (by
default)... For clients that are not W2K or later, NTLM v2 is used... (by default).
Even Windows 98 can use it (not by default)...

If you would like to have more security, make sure you are not using LM
hashes anywhere (you should be using NTLM v2)...

Mike

"new question" <newquestion@discussions.microsoft.com> wrote in message
news:FB276062-D7A1-42A0-836A-FE9C2A1DEFD4@microsoft.com...
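An added example, not from this thread, that audits the two LSA settings behind Mike's advice on a Windows member machine: the LAN Manager authentication level (whether NTLMv2 is sent and LM/NTLM refused) and whether LM hashes are still being stored. It assumes the XP/2003-style registry layout where both are DWORD values under the Lsa key, and that it is run with administrator rights.

```powershell
# Added example (not the thread's own code). Reads the LSA registry values that
# the "LAN Manager authentication level" and "Do not store LAN Manager hash"
# Group Policy settings write, and reports the weak conditions.
$lsa   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$props = Get-ItemProperty -Path $lsa

# LmCompatibilityLevel: 0-2 still send LM and/or NTLM responses, 3 sends NTLMv2
# only, 4 also refuses LM, 5 refuses LM and NTLM (the setting for DCs).
# A missing value means the OS default for that platform applies.
$level = $props.LmCompatibilityLevel
# NoLMHash = 1 stops the LM hash being stored at the next password change.
$noLm  = if ($null -ne $props.NoLMHash) { [int]$props.NoLMHash } else { 0 }

$report = [pscustomobject]@{
  LmCompatibilityLevel = if ($null -ne $level) { $level } else { 'not set (OS default)' }
  NoLMHash             = $noLm
  SendsNtlmV2Only      = ($null -ne $level -and $level -ge 3)
  RefusesLmAndNtlm     = ($null -ne $level -and $level -ge 5)
  MayStoreLmHash       = ($noLm -ne 1)
}
$report

if (-not $report.SendsNtlmV2Only) { Write-Warning 'Clients may still answer with LM/NTLM responses.' }
if ($report.MayStoreLmHash)       { Write-Warning 'LM hashes are still stored for accounts on this machine.' }

# Remediation (uncomment to apply; prefer doing this through Group Policy):
# Set-ItemProperty -Path $lsa -Name LmCompatibilityLevel -Value 5 -Type DWord
# Set-ItemProperty -Path $lsa -Name NoLMHash             -Value 1 -Type DWord
# Note: NoLMHash only affects future password changes; existing LM hashes
# remain until each account's password is changed.
```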