Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Client Respond Only Vs Request Security

Posted on 2009-04-12
9
Medium Priority
?
417 Views
Last Modified: 2012-05-06
1- Can someone explain to me the difference between:
Client Respond Only Vs Server Request Security
They sound the same

2- if I assign the Require Security to the domain controller I can't access them using \\DCname or \\DCIPaddress.  what's the purpose of using it?

Thanks


0
Comment
Question by:jskfan
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 4
9 Comments
 
LVL 25

Expert Comment

by:Ron Malmstead
ID: 24130048
Client respond only will respond to encryption requests...it won't initiate them.  Communications will be encrypted if the other machine it is communicating with is set to Request or Require (secure server).  If the other machine is set to Client respond only, then communications will not be encrypted.  Additionally Client Respond only will only secure the port or socket connection it is communicating on with the server.

Server (request security), will request ipsec everytime...but not require it.

Secure server (require security), requires ipsec on all ports commuinicating unless the client is trusted.  Untrusted clients incapable of ipsec, will not be able to communicate with the server.
0
 

Author Comment

by:jskfan
ID: 24130723
I have created a GPO on The Domain Controllers OU.
I set it up for All IP Traffic to Require Security.

on the computers OU (not domain controllers), I have permitted all IP Traffic to and from the domain controller. The option is just one IP address so I picked up one IP of one domain controller.

I don't know if my settings are secure or not.

what do you suggest?


0
 
LVL 25

Expert Comment

by:Ron Malmstead
ID: 24131188
I usually set the servers to Server / Request...and clients to respond only...

If you want to get really tough, you set servers to Require, but that would make them unavailable to untrusted machines or machines/devices that are incapable of negotiating ipsec.  This could potentially "break" access to any number of services you are offering inside an outside your network on policy affected servers..
0
Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 

Author Comment

by:jskfan
ID: 24131269
in our network we have DCs that are all windows 2003, we have XP and Vista machines.
I want to apply Require security for All IP trafic between domain controllers.
I am afraid if I apply Require security for computers(WXP and Vista) I will not be able to join them to the domain.

I also want to be able to access domain controllers shares by typing \\domaincontrollername from a workstation or a server whic is a member of the domain.
I am not sure how to tweak it. Because in IPsec if you apply require security for All IP traffice,it's more restrictive rule and you can't add a rule that let you browse to a DC by typing \\domaincontrollername. You won;t even be able to ping the DC even if you Permit all ICMP traffic
0
 

Author Comment

by:jskfan
ID: 24131355
On this link :http://support.microsoft.com/kb/254949

it says "ou may want to add a rule to the IPSec policy to exempt ICMP traffic from IPSec security negotiation"

how do you do that, I added this rule and gave it permit, but could not ping the DC
0
 
LVL 25

Expert Comment

by:Ron Malmstead
ID: 24131555
You might also want to exempt DNS traffic...

I would do a lot of reading before assuming the policy setup you've chosen is right for your network.
Joining machines to the network shouldn't be an issue, provided they have the ipsec key/cert or you are relying on kerberos which is not an encryptable protocol by ipsec policy.

Start here: http://technet.microsoft.com/en-us/network/bb531150.aspx
0
 

Author Comment

by:jskfan
ID: 24133015
Ok..

From DC to DC you select Require security
What about from Client to DC and DC to Client?
What about from client to client?

I say client, anything WXP and Windows 2003
0
 
LVL 25

Accepted Solution

by:
Ron Malmstead earned 2000 total points
ID: 24134212
Have a look here.
These are supported configurations.
http://support.microsoft.com/kb/254949
0
 

Author Comment

by:jskfan
ID: 24137160
Ok..

Can you show me how to use IPsec from:
DC to DC only, without preventing client (XP or Vista,) to joing the domain or browse to the DC by typing \\DCcomputername.
Server to Server.

Thanks
0

Featured Post

Are You Ready for GDPR?

With the GDPR deadline set for May 25, 2018, many organizations are ill-prepared due to uncertainty about the criteria for compliance. According to a recent WatchGuard survey, a staggering 37% of respondents don't even know if their organization needs to comply with GDPR. Do you?

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

With the rising number of cyber attacks in recent years, keeping your personal data safe has become more important than ever. The tips outlined in this article will help you keep your identitfy safe.
This article is written by John Gates, CISSP. Gates, the SNUG President-Elect, currently holds the position of Manager of Information Systems at Lake Park High School in Roselle, Illinois.
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
Sometimes it takes a new vantage point, apart from our everyday security practices, to truly see our Active Directory (AD) vulnerabilities. We get used to implementing the same techniques and checking the same areas for a breach. This pattern can re…

715 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question