Per Domain Policies - Network



Thread: Per Domain Policies

  1. Per Domain Policies

    I have read that IPSec policies can only be specified on a per domain basis.
    I have also read that they can be specified on a group or OU basis as well.
    Which is the case here?

    Thanks.


  2. Re: Per Domain Policies

    The usefulness of the scope of the policies depends on your requirements.


    Group Policy settings that you specify are contained in a Group Policy
    object, which is in turn associated with selected Active Directory
    objects--sites, domains, or organizational units. IPsec settings are
    deployed via local group policy or domain-based group policy and in that
    regard are just like any other group policy settings.

    The question of where you apply the group policies comes down to how you
    want to control which machines receive and use the policies. As noted,
    group policies can be scoped to just the local machine, and can also be
    deployed to various locations in a given Active Directory hierarchy such as
    an entire domain, a specific Site, or a given OU (or set of OUs).
    Furthermore, group policies can also be controlled by adding WMI filters to
    check for specific attributes before applying a certain policy to a machine
    or user (say to see if a machine is WinXP or Win2003) and they can also be
    filtered to only apply to members of a specific security group.

    This scoping is further complicated by two IPsec related facts:
    1. IPsec policy settings can be based on All Traffic, Subnet(s), IP, port or
    protocols, so there's a big difference between a policy that says "only do
    IPsec to one IP address" and "Do IPsec for all IP addresses".
    2. Policyagent-based IPsec (present in Win2000+) can only have one active
    IPsec policy at a time. Group policy is applied in the order
    Local/Site/Domain/OU. If I apply a group policy with IPsec at the domain,
    the site and the OU, the system getting all three policies will only show
    settings from the last policy that was processed - the OU.


    Example: Link GPO to Entire Domain
    1. I can create a single GPO called "HR Server IPsec Policy"
    2. I can link that GPO to the root of my domain called
    3. The IPsec policy settings in the GPO says: protect all IP traffic to
    HR_Server_IP of 1.1.1.1
    Result:
    1. All Clients get the GPO and the IPsec policy, but the only time IPsec
    is used is when the clients are communicating with the server at 1.1.1.1.

    Example: Scope GPO to members of Security Group
    If I want to scope the application of the GPO in general I would do the
    following:
    1. I can create a single GPO called "HR Server IPsec Policy"
    2. I can link that GPO to the root of my domain called
    3. I can then change the security group settings to only apply to
    members of the "HR Server Access" security group
    4. In the "HR Server Access" security group, I add the HR server machine
    account and the machine accounts of any clients that need to access the HR
    server.
    Result:
    1. Only members of the security group get the GPO and the IPsec policy,
    but the only time IPsec is used is when the clients are communicating with
    the server at 1.1.1.1.


    Example: Scope GPO to members of a particular OU
    If I want to scope the application of the GPO in general I would do the
    following:
    1. I can create a single GPO called "HR Server IPsec Policy"
    2. I can link that GPO to the OU in my domain called
    Result:
    1. Only members of the get the GPO and the IPsec policy,
    but the only time IPsec is used is when the clients are communicating with
    the server at 1.1.1.1.


    Microsoft's guidance for deploying IPsec policies is summarized as two
    general concepts: Server Isolation and Domain Isolation.
    Server Isolation implies that you configure and deploy IPsec security
    policies to restrict and/or protect access to a particular server or set of
    servers (as I described in the above scenarios)
    Domain Isolation is a broader approach where you configure and deploy
    IPsec security policies to essentially apply, restrict and protect ALL
    traffic being exchanged between the systems with the GPO

    Here is a link to additional documentation:
    http://technet.microsoft.com/en-us/n.../bb545651.aspx

    Post back if you have any additional questions.

    Thanks,
    Jason




    "kj2n" wrote in message
    news:70259117-5220-4C9C-8EE4-EB7B3DF873E6@microsoft.com...
    >I have read that IPSec policies can only be specified on a per domain
    >basis.
    > I have also read that they can be specified on a group or OU basis as
    > well.
    > Which is the case here?
    >
    > Thanks.
    >
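The three scoping scenarios from the reply above (domain link, security-group filtering, OU link), written out as an added PowerShell example that is not part of the original thread. It assumes the GroupPolicy and NetSecurity modules are available, a domain "example.com" with an OU "OU=HR,DC=example,DC=com", and an existing "HR Server Access" group; the GPO name and the 1.1.1.1 server address are the ones used in the post.

```powershell
# Added example, not from the original thread. Names below marked as assumptions
# are illustrative; "HR Server IPsec Policy", "HR Server Access" and 1.1.1.1 come
# from the post itself.
Import-Module GroupPolicy
Import-Module NetSecurity

$domainDn = 'DC=example,DC=com'          # assumption: the domain root
$hrOu     = 'OU=HR,DC=example,DC=com'    # assumption: OU holding the HR machines
$gpoName  = 'HR Server IPsec Policy'
$hrGroup  = 'HR Server Access'
$hrServer = '1.1.1.1'

# Step 1: create the single GPO that carries the IPsec settings.
New-GPO -Name $gpoName -Comment 'Protect all IP traffic to the HR server' | Out-Null

# Step 3: the IPsec setting "protect all IP traffic to 1.1.1.1". This writes a
# connection security rule (Windows Vista/2008 and later), which is the
# successor of the policy-agent IPsec policies of Win2000/XP/2003 described
# in the post; with these, IPsec is only negotiated for traffic to $hrServer.
New-NetIPsecRule -DisplayName 'Protect traffic to HR server' `
    -PolicyStore "example.com\$gpoName" `
    -RemoteAddress $hrServer `
    -InboundSecurity Require -OutboundSecurity Request | Out-Null

# Scope A: link to the domain root. Every domain computer receives the GPO,
# but IPsec is only used when a client talks to 1.1.1.1.
New-GPLink -Name $gpoName -Target $domainDn -LinkEnabled Yes | Out-Null

# Scope B: keep the domain link but filter by security group. Authenticated
# Users is downgraded from Apply to Read (-Replace), and only members of
# "HR Server Access" (server and client machine accounts) may apply the GPO.
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $gpoName -TargetName $hrGroup -TargetType Group `
    -PermissionLevel GpoApply | Out-Null

# Scope C: link only to the HR OU instead of the domain root.
# Remove-GPLink -Name $gpoName -Target $domainDn
# New-GPLink -Name $gpoName -Target $hrOu -LinkEnabled Yes

# Check: which trustees can actually apply the GPO after filtering.
Get-GPPermission -Name $gpoName -All |
    Where-Object { $_.Permission -eq 'GpoApply' } |
    Select-Object -ExpandProperty Trustee |
    Select-Object Name, SidType
```

On a client, `gpresult /scope computer /r` lists the applied and filtered GPOs, which is the quickest way to confirm which of the Local/Site/Domain/OU links actually won for that machine.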


