I was just thinking about security in an AD domain environment. I have a question: how secure is communication between domains by default (without implementing IPSec etc.)? For example, if I download a file from one domain computer to another domain computer using SMB (assume they're both connected via a hub), would anyone with a sniffer in the same subnet be able to capture this file? Is there a list of protocols which are encrypted by default in the communications between AD members?
There are several little mitigating tricks like SMB signing, FIPS-only mode, enforcing TLS with RDP sessions, etc., but if you just want the one big final solution to fix it all once and for all the answer is IPsec. – Ryan Ries Nov 01 '13 at 18:19
AFAIK, SMB signing isn't for traffic encryption, it's for secure authentication. SMB 3.0 does have real in-transit encryption however. – mfinni Nov 01 '13 at 18:26
@mfinni I know, I was just trying to reinforce what everyone else has already said; that the answer is IPsec, unless you want to go protocol by protocol trying to figure out how to secure them one by one. – Ryan Ries Nov 01 '13 at 18:33
I just wanted to find out how secure communications are by default. – ko4evneg Nov 01 '13 at 19:32
3 Answers
It's generally not. Traffic between domain members is not encrypted unless the protocol itself is encrypted - like Kerberos traffic, or if you turn on encryption in SMB 3.0 and the endpoints support it - or you have implemented IPSec properly.
So in the case of SMB, for example, the computer will authenticate through Kerberos to get access to the file on another computer and then will download it unencrypted, so every man with a sniffer sharing the same hub with both computers can get the file without any authentication, right? – ko4evneg Nov 01 '13 at 16:56
That is correct. If you're concerned about sniffing traffic, that is exactly why we have things like IPSec for arbitrary IP traffic, or SMB 3.0 which uses encryption if your endpoints support it. – mfinni Nov 01 '13 at 17:00
I just simplified the example environment to get exactly the answer I wanted without walking around :) – ko4evneg Nov 01 '13 at 17:07
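An added check that is not part of the thread: PowerShell (built-in SmbShare module, Windows Server 2012 or later) that reports whether SMB signing and encryption are actually in effect on a member, and turns on the SMB 3.0 encryption mfinni mentions, per share or server-wide. The Signed/Encrypted columns on Get-SmbConnection are assumed to be present (Windows 8.1 / Server 2012 R2 or later).

```powershell
# Added example, not from the thread: audit and harden SMB in-transit protection.
# Assumes the SmbShare module (Windows Server 2012+) and, for Get-SmbConnection's
# Signed/Encrypted properties, Windows 8.1 / 2012 R2 or later. Run elevated.

function Get-SmbProtectionReport {
    # Server-side state. Out of the box EncryptData is $false and signing is only
    # required on domain controllers, so a plain file copy between two members
    # is authenticated (Kerberos) but travels in clear text.
    $cfg = Get-SmbServerConfiguration
    [pscustomobject]@{
        SigningRequired          = $cfg.RequireSecuritySignature
        EncryptAllShares         = $cfg.EncryptData
        RejectUnencryptedClients = $cfg.RejectUnencryptedAccess
        Smb1Enabled              = $cfg.EnableSMB1Protocol   # SMB1 can never encrypt
    }
    # Per-share encryption flag (overrides the server default when set).
    Get-SmbShare | Where-Object { -not $_.Special } |
        Select-Object Name, Path, EncryptData
    # Client side: live connections from this machine. Dialect below 3.0 or
    # Encrypted = False means the file payload is readable to anyone on the path.
    Get-SmbConnection |
        Select-Object ServerName, ShareName, Dialect, Signed, Encrypted
}

function Enable-SmbShareEncryption {
    param([Parameter(Mandatory)][string]$ShareName)
    # Encrypt a single share. SMB 2.x clients are refused access to it, which is
    # the intended behaviour when that data must not cross the wire unencrypted.
    Set-SmbShare -Name $ShareName -EncryptData $true -Force -Confirm:$false
    Get-SmbShare -Name $ShareName | Select-Object Name, EncryptData
}

function Enable-SmbServerEncryption {
    # Server-wide: require signing, encrypt every share, and reject clients that
    # cannot negotiate SMB 3.0 encryption. Leave RejectUnencryptedAccess at $false
    # while SMB 2.x clients still exist, or they lose access immediately.
    Set-SmbServerConfiguration -RequireSecuritySignature $true `
                               -EncryptData $true `
                               -RejectUnencryptedAccess $true `
                               -Force -Confirm:$false
    Get-SmbServerConfiguration |
        Select-Object RequireSecuritySignature, EncryptData, RejectUnencryptedAccess
}

Get-SmbProtectionReport
```

Encryption here covers only SMB; other protocols between members still need their own mechanism or IPsec, as the answers say.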
The general rule is: Nothing is encrypted unless you know for a fact the mechanism is encrypted.
Authentication traffic in AD environments (Kerberos etc.) is always encrypted as part of its basic functionality.
Data movement (e.g. file copy) is not. Just as data movement on the web is not unless it specifically is (SSL). Just as FTP is not unless it specifically is (SFTP). Just as telnet is not unless it specifically is (SSH).
Ergo, the NSA's job is rather easy... until 2048-bit encryption is the assumed transport (as opposed to the 'implement with effort' transport, like setting up IPsec etc.)
It sounds like you want to implement domain isolation with IPSec if you're that concerned about encrypting internal communication inside of your environment.