Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

Client Respond Only Vs Request Security

Posted on 2009-04-12
9
Medium Priority
?
422 Views
Last Modified: 2012-05-06
1- Can someone explain to me the difference between:
Client Respond Only Vs Server Request Security
They sound the same

2- if I assign the Require Security to the domain controller I can't access them using \\DCname or \\DCIPaddress.  what's the purpose of using it?

Thanks


0
Comment
Question by:jskfan
  • 5
  • 4
9 Comments
 
LVL 25

Expert Comment

by:Ron Malmstead
ID: 24130048
Client respond only will respond to encryption requests...it won't initiate them.  Communications will be encrypted if the other machine it is communicating with is set to Request or Require (secure server).  If the other machine is set to Client respond only, then communications will not be encrypted.  Additionally Client Respond only will only secure the port or socket connection it is communicating on with the server.

Server (request security), will request ipsec everytime...but not require it.

Secure server (require security), requires ipsec on all ports commuinicating unless the client is trusted.  Untrusted clients incapable of ipsec, will not be able to communicate with the server.
0
 

Author Comment

by:jskfan
ID: 24130723
I have created a GPO on The Domain Controllers OU.
I set it up for All IP Traffic to Require Security.

on the computers OU (not domain controllers), I have permitted all IP Traffic to and from the domain controller. The option is just one IP address so I picked up one IP of one domain controller.

I don't know if my settings are secure or not.

what do you suggest?


0
 
LVL 25

Expert Comment

by:Ron Malmstead
ID: 24131188
I usually set the servers to Server / Request...and clients to respond only...

If you want to get really tough, you set servers to Require, but that would make them unavailable to untrusted machines or machines/devices that are incapable of negotiating ipsec.  This could potentially "break" access to any number of services you are offering inside an outside your network on policy affected servers..
0
Cyber Threats to Small Businesses (Part 1)

This past May, Webroot surveyed more than 600 IT decision-makers at medium-sized companies to see how these small businesses perceived new threats facing their organizations.  Read what Webroot CISO, Gary Hayslip, has to say about the survey in part 1 of this 2-part blog series.

 

Author Comment

by:jskfan
ID: 24131269
in our network we have DCs that are all windows 2003, we have XP and Vista machines.
I want to apply Require security for All IP trafic between domain controllers.
I am afraid if I apply Require security for computers(WXP and Vista) I will not be able to join them to the domain.

I also want to be able to access domain controllers shares by typing \\domaincontrollername from a workstation or a server whic is a member of the domain.
I am not sure how to tweak it. Because in IPsec if you apply require security for All IP traffice,it's more restrictive rule and you can't add a rule that let you browse to a DC by typing \\domaincontrollername. You won;t even be able to ping the DC even if you Permit all ICMP traffic
0
 

Author Comment

by:jskfan
ID: 24131355
On this link :http://support.microsoft.com/kb/254949

it says "ou may want to add a rule to the IPSec policy to exempt ICMP traffic from IPSec security negotiation"

how do you do that, I added this rule and gave it permit, but could not ping the DC
0
 
LVL 25

Expert Comment

by:Ron Malmstead
ID: 24131555
You might also want to exempt DNS traffic...

I would do a lot of reading before assuming the policy setup you've chosen is right for your network.
Joining machines to the network shouldn't be an issue, provided they have the ipsec key/cert or you are relying on kerberos which is not an encryptable protocol by ipsec policy.

Start here: http://technet.microsoft.com/en-us/network/bb531150.aspx
0
 

Author Comment

by:jskfan
ID: 24133015
Ok..

From DC to DC you select Require security
What about from Client to DC and DC to Client?
What about from client to client?

I say client, anything WXP and Windows 2003
0
 
LVL 25

Accepted Solution

by:
Ron Malmstead earned 2000 total points
ID: 24134212
Have a look here.
These are supported configurations.
http://support.microsoft.com/kb/254949
0
 

Author Comment

by:jskfan
ID: 24137160
Ok..

Can you show me how to use IPsec from:
DC to DC only, without preventing client (XP or Vista,) to joing the domain or browse to the DC by typing \\DCcomputername.
Server to Server.

Thanks
0

Featured Post

Cyber Threats to Small Businesses (Part 1)

This past May, Webroot surveyed more than 600 IT decision-makers at medium-sized companies to see how these small businesses perceived new threats facing their organizations.  Read what Webroot CISO, Gary Hayslip, has to say about the survey in part 1 of this 2-part blog series.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article covers the basics of data encryption, what it is, how it works, and why it's important. If you've ever wondered what goes on when you "encrypt" data, you can look here to build a good foundation for your personal learning.
Tech spooks aren't just for those who are tech savvy, it also happens to those of us running a business. Check out the top tech spooks for business owners.
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, just open a new email message. In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
We’ve all felt that sense of false security before—locking down external access to a database or component and feeling like we’ve done all we need to do to secure company data. But that feeling is fleeting. Attacks these days can happen in many w…

877 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question