Solved

Client Respond Only Vs Request Security

Posted on 2009-04-12
9
395 Views
Last Modified: 2012-05-06
1- Can someone explain to me the difference between:
Client Respond Only Vs Server Request Security
They sound the same

2- if I assign the Require Security to the domain controller I can't access them using \\DCname or \\DCIPaddress.  what's the purpose of using it?

Thanks


0
Comment
Question by:jskfan
  • 5
  • 4
9 Comments
 
LVL 25

Expert Comment

by:Ron M
Comment Utility
Client respond only will respond to encryption requests...it won't initiate them.  Communications will be encrypted if the other machine it is communicating with is set to Request or Require (secure server).  If the other machine is set to Client respond only, then communications will not be encrypted.  Additionally Client Respond only will only secure the port or socket connection it is communicating on with the server.

Server (request security), will request ipsec everytime...but not require it.

Secure server (require security), requires ipsec on all ports commuinicating unless the client is trusted.  Untrusted clients incapable of ipsec, will not be able to communicate with the server.
0
 

Author Comment

by:jskfan
Comment Utility
I have created a GPO on The Domain Controllers OU.
I set it up for All IP Traffic to Require Security.

on the computers OU (not domain controllers), I have permitted all IP Traffic to and from the domain controller. The option is just one IP address so I picked up one IP of one domain controller.

I don't know if my settings are secure or not.

what do you suggest?


0
 
LVL 25

Expert Comment

by:Ron M
Comment Utility
I usually set the servers to Server / Request...and clients to respond only...

If you want to get really tough, you set servers to Require, but that would make them unavailable to untrusted machines or machines/devices that are incapable of negotiating ipsec.  This could potentially "break" access to any number of services you are offering inside an outside your network on policy affected servers..
0
 

Author Comment

by:jskfan
Comment Utility
in our network we have DCs that are all windows 2003, we have XP and Vista machines.
I want to apply Require security for All IP trafic between domain controllers.
I am afraid if I apply Require security for computers(WXP and Vista) I will not be able to join them to the domain.

I also want to be able to access domain controllers shares by typing \\domaincontrollername from a workstation or a server whic is a member of the domain.
I am not sure how to tweak it. Because in IPsec if you apply require security for All IP traffice,it's more restrictive rule and you can't add a rule that let you browse to a DC by typing \\domaincontrollername. You won;t even be able to ping the DC even if you Permit all ICMP traffic
0
Why You Should Analyze Threat Actor TTPs

After years of analyzing threat actor behavior, it’s become clear that at any given time there are specific tactics, techniques, and procedures (TTPs) that are particularly prevalent. By analyzing and understanding these TTPs, you can dramatically enhance your security program.

 

Author Comment

by:jskfan
Comment Utility
On this link :http://support.microsoft.com/kb/254949

it says "ou may want to add a rule to the IPSec policy to exempt ICMP traffic from IPSec security negotiation"

how do you do that, I added this rule and gave it permit, but could not ping the DC
0
 
LVL 25

Expert Comment

by:Ron M
Comment Utility
You might also want to exempt DNS traffic...

I would do a lot of reading before assuming the policy setup you've chosen is right for your network.
Joining machines to the network shouldn't be an issue, provided they have the ipsec key/cert or you are relying on kerberos which is not an encryptable protocol by ipsec policy.

Start here: http://technet.microsoft.com/en-us/network/bb531150.aspx
0
 

Author Comment

by:jskfan
Comment Utility
Ok..

From DC to DC you select Require security
What about from Client to DC and DC to Client?
What about from client to client?

I say client, anything WXP and Windows 2003
0
 
LVL 25

Accepted Solution

by:
Ron M earned 500 total points
Comment Utility
Have a look here.
These are supported configurations.
http://support.microsoft.com/kb/254949
0
 

Author Comment

by:jskfan
Comment Utility
Ok..

Can you show me how to use IPsec from:
DC to DC only, without preventing client (XP or Vista,) to joing the domain or browse to the DC by typing \\DCcomputername.
Server to Server.

Thanks
0

Featured Post

6 Surprising Benefits of Threat Intelligence

All sorts of threat intelligence is available on the web. Intelligence you can learn from, and use to anticipate and prepare for future attacks.

Join & Write a Comment

Healthcare organizations in the United States must adhere to the guidance of both the HIPAA (Health Insurance Portability and Accountability Act) and HITECH (Health Information Technology for Economic and Clinical Health Act) for securing and protec…
If you're not part of the solution, you're part of the problem.   Tips on how to secure IoT devices, even the dumbest ones, so they can't be used as part of a DDoS botnet.  Use PRTG Network Monitor as one of the building blocks, to detect unusual…
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
Polish reports in Access so they look terrific. Take yourself to another level. Equations, Back Color, Alternate Back Color. Write easy VBA Code. Tighten space to use less pages. Launch report from a menu, considering criteria only when it is filled…

772 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

10 Experts available now in Live!

Get 1:1 Help Now