4

Here's my infrastructure configuration:

  • All servers have a public IP
  • I've set up a GPO to enable IPSec on every one of them with a "require for inbound and request for outbound" rule, for all servers, with the default Authentication.
  • Except for the Active Directory server which is on "request/request" because it won't work with "require/request".

My first question is: why do I have to set up the AD Server on "request/request"? Is it because I use the default Authentication method which is based on Kerberos?

My second question is: is it really safe to go this way? From my perception the AD is not protected at all by IPSec, so it is vulnerable, right? Is it that dangerous or not?

My third and last question: what do you guys think is the best way to go to have a full IPSec domain isolation policy on Windows Server? I was really happy about this technology until I found that the AD was not secured at all...

Thanks for your time!

HopelessN00b
Nock

1 Answer

1

It's safe, and your AD is not vulnerable (though I do feel obligated to ask what, exactly, you're trying to protect it against, if for no other reason than to make you think about it - security is a process, not a product or a technology).

That's what Kerberos does, so, in fact, Active Directory isn't totally unsecured, as you seem to think. And, since you're running Server 2008, here's something on how to manually configure the encryption type for Kerberos communications. His previous entry is pretty nice too, at least as far as more in depth explanations of crypto go, and he dissects a sample Kerberos exchange. Not my idea of a fun time, but it's pretty tolerable.

(Be careful with these settings if you have any XP clients. Compatibility gets dicey with home versions, anything pre-SP3, and stronger algorithms without a hotfix that wasn't pushed out to Windows Update installed.)

I would recommend reading this Technet article as well, which explains IPSec (and a little more on Kerberos), and following that, if you still have questions... well, it's time to consult a book, of which many have been written on the topic.

HopelessN00b
  • Thanks for this answer, I'll take time in a few hours to read everything you gave. My concern about security is that the server running the AD has the AD/DNS ports open in the WAN and I don't have enough knowledge to know if it's a security issue or not. Anyway, thanks again for the input and info! – Nock Aug 30 '12 at 09:14
  • @Nock that depends on what you mean by "open in the WAN." If you've got site-to-site VPNs or point-to-point links, you're fine. If by WAN, you really mean "out to the internet," then you're right to be worried. And, incidentally, [there's a Security SE site out there](http://security.stackexchange.com/) where you'll probably be able to find more in-depth answers to security questions. – HopelessN00b Aug 30 '12 at 15:22
  • Yes, it's out to the internet, I thought IPSec was "enough" for everything to be safe. When the firewall of my server has "required/required" it should be safe, right? But I can't make the "required/required" mode work for the AD, in which way is it unsafe? I'm going to post a more complete question to IT SE site, thanks for that! – Nock Aug 30 '12 at 19:21
  • @Nock if it's out to the internet, it's unsafe in general. Stronger encryption on the communication between your server and your clients doesn't do anything to alter the fact that your AD is open to anyone in the world to try to access. In theory, I could start blasting brute force attacks against your domain for user/pass combinations. I'd probably just end up locking a bunch of your users out, but... what about remote access exploits or vulnerabilities on your Domain Controller? You know for a fact it doesn't have any? Only solution I'd trust is the DC not being publicly accessible. – HopelessN00b Aug 30 '12 at 20:27
  • Is it possible to do IPSec domain isolation with the DC being totally protected? – Nock Aug 30 '12 at 22:54
  • @Nock It's not exactly clear what you mean by that, but sure. IPSec is just an encryption protocol. You can use it to encrypt traffic between any two computers, as long as the software on each supports IPSec. – HopelessN00b Aug 30 '12 at 23:05
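
Added example, not part of the original thread: a simplified model of the "request" and "require" connection security modes discussed above, used to list which publicly addressed hosts still accept unauthenticated cleartext. Host names and the inventory are constructed, and the model assumes that IPsec is negotiated only when both peers have a policy and can authenticate; it ignores exemption lists and per-port rules.

```python
"""Simplified model of request/require IPsec modes (constructed example)."""
from dataclasses import dataclass
from typing import Optional

REQUEST, REQUIRE = "request", "require"


@dataclass(frozen=True)
class Host:
    name: str
    inbound: Optional[str]   # None means no IPsec policy at all
    outbound: Optional[str]
    domain_creds: bool       # assumption: able to authenticate with Kerberos
    public_ip: bool = True


def can_negotiate(a: Host, b: Host) -> bool:
    """IPsec comes up only if both ends have a policy and can authenticate."""
    return all(bool(h.inbound and h.outbound and h.domain_creds) for h in (a, b))


def connect(src: Host, dst: Host) -> str:
    """Outcome of src connecting to dst: 'ipsec', 'clear' or 'blocked'."""
    if can_negotiate(src, dst):
        return "ipsec"
    # No IPsec possible: a "require" on either relevant side drops the traffic,
    # while "request" falls back to cleartext.
    if dst.inbound == REQUIRE or src.outbound == REQUIRE:
        return "blocked"
    return "clear"


STRANGER = Host("internet-host", None, None, domain_creds=False)


def exposed_to_unauthenticated(hosts):
    """Publicly addressed hosts that accept cleartext from a policy-less peer."""
    return [h.name for h in hosts
            if h.public_ip and connect(STRANGER, h) == "clear"]


# Constructed inventory mirroring the question: members on require/request,
# the domain controller on request/request. Names are hypothetical.
INVENTORY = [
    Host("dc01", REQUEST, REQUEST, True),
    Host("web01", REQUIRE, REQUEST, True),
    Host("sql01", REQUIRE, REQUEST, True),
]

if __name__ == "__main__":
    for h in INVENTORY:
        print(f"{STRANGER.name} -> {h.name}: {connect(STRANGER, h)}")
    print("exposed:", exposed_to_unauthenticated(INVENTORY))
```

In this model only the request/request host is reachable in cleartext from the outside, which is why taking the DC off the public network (or filtering its ports at the perimeter) matters independently of the IPsec policy.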