Solved

Client Respond Only Vs Request Security

Posted on 2009-04-12
9
406 Views
Last Modified: 2012-05-06
1- Can someone explain to me the difference between:
Client Respond Only Vs Server Request Security
They sound the same

2- if I assign the Require Security to the domain controller I can't access them using \\DCname or \\DCIPaddress.  what's the purpose of using it?

Thanks


0
Comment
Question by:jskfan
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 4
9 Comments
 
LVL 25

Expert Comment

by:Ron Malmstead
ID: 24130048
Client respond only will respond to encryption requests...it won't initiate them.  Communications will be encrypted if the other machine it is communicating with is set to Request or Require (secure server).  If the other machine is set to Client respond only, then communications will not be encrypted.  Additionally Client Respond only will only secure the port or socket connection it is communicating on with the server.

Server (request security), will request ipsec everytime...but not require it.

Secure server (require security), requires ipsec on all ports commuinicating unless the client is trusted.  Untrusted clients incapable of ipsec, will not be able to communicate with the server.
0
 

Author Comment

by:jskfan
ID: 24130723
I have created a GPO on The Domain Controllers OU.
I set it up for All IP Traffic to Require Security.

on the computers OU (not domain controllers), I have permitted all IP Traffic to and from the domain controller. The option is just one IP address so I picked up one IP of one domain controller.

I don't know if my settings are secure or not.

what do you suggest?


0
 
LVL 25

Expert Comment

by:Ron Malmstead
ID: 24131188
I usually set the servers to Server / Request...and clients to respond only...

If you want to get really tough, you set servers to Require, but that would make them unavailable to untrusted machines or machines/devices that are incapable of negotiating ipsec.  This could potentially "break" access to any number of services you are offering inside an outside your network on policy affected servers..
0
Put Machine Learning to Work--Protect Your Clients

Machine learning means Smarter Cybersecurity™ Solutions.
As technology continues to advance, managing and analyzing massive data sets just can’t be accomplished by humans alone. It requires huge amounts of memory and storage, as well as high-speed processing of the cloud.

 

Author Comment

by:jskfan
ID: 24131269
in our network we have DCs that are all windows 2003, we have XP and Vista machines.
I want to apply Require security for All IP trafic between domain controllers.
I am afraid if I apply Require security for computers(WXP and Vista) I will not be able to join them to the domain.

I also want to be able to access domain controllers shares by typing \\domaincontrollername from a workstation or a server whic is a member of the domain.
I am not sure how to tweak it. Because in IPsec if you apply require security for All IP traffice,it's more restrictive rule and you can't add a rule that let you browse to a DC by typing \\domaincontrollername. You won;t even be able to ping the DC even if you Permit all ICMP traffic
0
 

Author Comment

by:jskfan
ID: 24131355
On this link :http://support.microsoft.com/kb/254949

it says "ou may want to add a rule to the IPSec policy to exempt ICMP traffic from IPSec security negotiation"

how do you do that, I added this rule and gave it permit, but could not ping the DC
0
 
LVL 25

Expert Comment

by:Ron Malmstead
ID: 24131555
You might also want to exempt DNS traffic...

I would do a lot of reading before assuming the policy setup you've chosen is right for your network.
Joining machines to the network shouldn't be an issue, provided they have the ipsec key/cert or you are relying on kerberos which is not an encryptable protocol by ipsec policy.

Start here: http://technet.microsoft.com/en-us/network/bb531150.aspx
0
 

Author Comment

by:jskfan
ID: 24133015
Ok..

From DC to DC you select Require security
What about from Client to DC and DC to Client?
What about from client to client?

I say client, anything WXP and Windows 2003
0
 
LVL 25

Accepted Solution

by:
Ron Malmstead earned 500 total points
ID: 24134212
Have a look here.
These are supported configurations.
http://support.microsoft.com/kb/254949
0
 

Author Comment

by:jskfan
ID: 24137160
Ok..

Can you show me how to use IPsec from:
DC to DC only, without preventing client (XP or Vista,) to joing the domain or browse to the DC by typing \\DCcomputername.
Server to Server.

Thanks
0

Featured Post

How our DevOps Teams Maximize Uptime

Our Dev teams are like yours. They’re continually cranking out code for new features/bugs fixes, testing, deploying, responding to production monitoring events and more. It’s complex. So, we thought you’d like to see what’s working for us. Read the use case whitepaper.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

No single Antivirus application (despite claims by manufacturers) will catch or protect you from all Virus / Malware or Spyware threats. That doesn't stop you from further protecting yourself however - and this article is to show you how.
Here's a look at newsworthy articles and community happenings during the last month.
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…

734 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question