Domain Isolation problems - Network



Thread: Domain Isolation problems

  1. Domain Isolation problems

    Hi All

    As the security threat of losing data through portable devices has
    increased, I'm interested in the concept of "Domain Isolation", so I
    started to implement it in a test lab hoping to get the following results:

    1- There will be two domain controllers (2003 R2 with SP2, 32 bit), DC1 and
    DC2. DC1 acts as the DHCP and file server (which contains very critical
    data), and it is also the PDC and global catalog server.

    2- DC2 is Exchange 2003 (Enterprise Edition) and it can be left without
    IPSEC security (for allowing clients to get group policy from this server).

    3- There is an ISA 2004 (Standard Edition) server, and it may be used as a
    VPN access server.

    4- All client computers must use Kerberos authentication.

    So I configured this lab as follows:

    · The IP filter list contains the following protocols:

    o LDAP (both TCP & UDP)

    o RPC

    o NETBIOS Datagram Service

    o NETBIOS Name Resolution

    o NETBIOS Session Service

    o SMB

    · From DC1 to DC2, permit all network traffic.

    · From DC1 to all other devices on the network (except DC2), require
    authentication with pre-shared key authentication.

    · From any client (XP SP2) device on the network to any other client (XP
    SP2), require Kerberos authentication.

    · For the ISA 2004 server, all local area network traffic requires Kerberos
    authentication, and remote connections require pre-shared key
    authentication.

    I configured this policy in two locations: first in the domain controller
    security policy, and second as a group policy on the client computers' OU.

    The problem started after I assigned this IPsec policy: sometimes it is
    working with some machines and not working with others, and after a restart
    the situation also changes.

    So my question is: why is this solution not stable? And what can I do to
    make it run?

    Thanks in advance for your sincere cooperation.


    --
    Ahmed Kazem

  2. RE: Domain Isolation problems

    Hi Ahmed, I should mention that client-to-DC is not supported by Microsoft
    until one is using Vista clients with Server 2008 DCs. So, if you plan to do
    this, know that Microsoft will not be able to help much on this.

    That said, what you want to do is technically feasible. But you are going to
    have to get Netmon installed on every machine and get familiar with the
    Troubleshooting Chapter 7 of the Server & Domain Isolation Guide.

    I would reduce the complexity of your config by not using IPsec on your ISA
    VPN server to start with (unless you want L2TP/IPsec, which will work fine on
    its own, although again, to simplify for the lab, use a preshared key for
    L2TP/IPsec). Once you have the clients & DCs working, then you can work on
    the ISA policy. There is no quick answer here. I see you have many settings
    that may fail, and you have not described your policy in enough detail with
    respect to fallback to clear to know.

    The main problem you'd have is that IPsec would apply first on one side or
    the other. As soon as one side enforces it (requires it), then the other side
    can't communicate with it. So to start with you have to enable fall-back to
    clear on both sides (e.g. in client & DC policy). Then later once the
    clients and the DCs

    So let's simplify, use only preshared key to start with. Your exemption of
    all traffic between DCs is good. On the DCs and the client policy, have both
    checkboxes checked in the filter action (allow unsecured with non-IPsec
    aware, and allow unsecured but always respond with IPsec).

    Consider using "all traffic" negotiate filters instead of protocol-specific
    ones, and exempt ICMP, Kerberos, and UDP LDAP only on both the client & DC
    policies. This makes it easier and avoids problems with one side proposing a
    more general filter to a side that matches a more specific filter and fails
    the negotiation. For the exemptions, make sure you pay special attention to
    the source port being Any and the fixed destination port with the right
    combination of addresses, mirrored. Confirm your filter design by using
    Netmon sniffs of the clear text traffic (without IPsec policy assigned).



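The lab policy the reply describes (one mirrored "all traffic" negotiate filter, a small permit exemption list, a filter action with both fallback boxes checked, preshared key to start), written as an added `netsh ipsec static` script for Windows Server 2003 / XP SP2; this is not code from the thread, and the policy names, the placeholder PSK value and the exemption ports (ICMP, Kerberos 88, UDP LDAP 389) are assumptions for a test lab.

```powershell
# Added lab example, not from the thread. Run in an elevated shell on each DC
# and client that should take part in the isolation lab.
$PSK = "LAB-ONLY-PSK-CHANGE-ME"   # assumption: placeholder preshared key

# 1) One general "all traffic" negotiate filter, me -> any, mirrored, so both
#    sides match the same filter and negotiation does not fail on specificity.
netsh ipsec static add filterlist name=DI-AllTraffic
netsh ipsec static add filter filterlist=DI-AllTraffic srcaddr=me dstaddr=any protocol=ANY mirrored=yes

# 2) Exemptions: source port Any (0), fixed destination port, mirrored.
#    Kerberos and UDP LDAP must stay in the clear so the machine can locate a
#    DC and obtain the ticket that IKE itself needs; ICMP helps troubleshooting.
netsh ipsec static add filterlist name=DI-Exempt
netsh ipsec static add filter filterlist=DI-Exempt srcaddr=me dstaddr=any protocol=ICMP mirrored=yes
netsh ipsec static add filter filterlist=DI-Exempt srcaddr=me dstaddr=any protocol=UDP srcport=0 dstport=88 mirrored=yes
netsh ipsec static add filter filterlist=DI-Exempt srcaddr=me dstaddr=any protocol=TCP srcport=0 dstport=88 mirrored=yes
netsh ipsec static add filter filterlist=DI-Exempt srcaddr=me dstaddr=any protocol=UDP srcport=0 dstport=389 mirrored=yes

# 3) Filter actions. inpass=yes is "accept unsecured communication, but always
#    respond using IPsec"; soft=yes is "allow unsecured communication with
#    non-IPsec-aware computers" (fallback to clear). Both must be on during the
#    rollout, otherwise the first side that gets the policy can no longer reach
#    the side that has not.
netsh ipsec static add filteraction name=DI-Negotiate action=negotiate inpass=yes soft=yes
netsh ipsec static add filteraction name=DI-Permit action=permit

# 4) Policy and rules. Preshared key first; switch the rule to kerberos=yes
#    only after client <-> DC traffic is stable under PSK.
netsh ipsec static add policy name=DI-Lab assign=no
netsh ipsec static add rule name=DI-NegotiateAll policy=DI-Lab filterlist=DI-AllTraffic filteraction=DI-Negotiate psk=$PSK
netsh ipsec static add rule name=DI-ExemptClear policy=DI-Lab filterlist=DI-Exempt filteraction=DI-Permit

# 5) Assign, then verify what the machine actually holds before trusting it.
netsh ipsec static set policy name=DI-Lab assign=y
netsh ipsec static show policy name=DI-Lab level=verbose
```

Before assigning the policy, capture the clear-text traffic with Netmon on both ends and confirm that every flow either matches the exemption list by destination port or is one the negotiate rule is meant to protect; on the DCs, add a separate permit rule for the DC1-DC2 address pair rather than relying on the exemption list.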
