Solved

Applying IPSec to Domain Controllers

Posted on 2009-05-03
452 Views
Last Modified: 2012-05-06
I need to secure Windows 2003 domain controllers by using IPSec. I have read in the following link:
http://support.microsoft.com/kb/254728
that Kerberos and some other traffic is not secured, and I wonder whether this applies only to Windows 2000 domain controllers.
I also need to exempt RDP from Windows XP to Windows 2000 domain controllers, so that I can remote to the domain controllers.
Any idea on how to configure that?

Thanks
Question by:jskfan
11 Comments

Expert Comment

by:bluntTony
ID: 24304286
The problem you have provided a link to only applies to Windows 2000.
How would you like to secure the Domain Controllers? All comms to and from the server?
The simplest way for you would be to use the pre-set 'Secure Server (Require Security)' policy. This will demand that all clients have to use the 'Client (Respond Only)' policy. This setup will make the two machines negotiate the most secure mutually agreeable level of security.
Using these two pre-set policies will keep things simple. As long as your clients are configured properly, you will be able to RDP into the DC while it is secured with IPSEC.

Author Comment

by:jskfan
ID: 24312734
I have configured the IPSec policy through a GPO and linked it to the Domain Controllers OU.
If I try to create another IPSec policy for the Servers OU, it won't let me assign both IPSec policies; it will assign just one.
So how do I create 2 IPSec policies, one for the Domain Controllers OU and one for the Servers OU?

Expert Comment

by:bluntTony
ID: 24317717
I see no reason why you shouldn't be able to assign two IPSEC policies to separate OUs.

Are either of these OUs child/parent of each other? Where exactly did you link your GPO? Directly to the OUs in question?

I have previously applied different IPSEC policies to separate OUs with no conflicts.

Author Comment

by:jskfan
ID: 24321420
If you create a GPO for another OU and go to Computer Configuration / Security Settings / IPSec...
on the right pane the IPSec policy you set up previously will show up there, even though you are setting up a GPO for a completely different OU.

Author Comment

by:jskfan
ID: 24330222
bluntTony: "I see no reason why you shouldn't be able to assign two IPSEC policies to separate OUs."

Did you try it?

Expert Comment

by:bluntTony
ID: 24333834
Yes, I have tested this. I applied the 'Secure Server' policy to the Domain Controllers OU, and the 'Client' policy to a separate OU holding some computer accounts.

It is true that you can only have one IPSEC policy at the same level (i.e. policies will not merge, one will overrule the other), but as long as one OU isn't inheriting both GPOs you should be able to do this.

Author Comment

by:jskfan
ID: 24335870
I don't know how you did it. But even if I go to another OU / right click / Properties / Group Policy and select New, then create a new policy / Edit / Windows Settings / Security Settings / IP Security Policies on Active Directory (Mydomainame.com),
on the right pane I will still see the previous policy I created for the different OU.

Expert Comment

by:bluntTony
ID: 24335935
Have you set up your own IPSEC policy? Are you saying that when you create a new GPO, the policy is listed AND it is ticked green (i.e. it's assigned)?

If it's just listed, it doesn't mean it's been assigned. You have to select the policy, and select 'Assign' for it to apply.

Author Comment

by:jskfan
ID: 24344599
I will take a look at it later when I remote to the network.

As for RDP, I fixed it. I was unable to RDP to my DC because the IP filter list / protocol settings are a little bit tricky.
I should have typed 3389 in the 'From this port' field, to any port. Instead I selected from any port to this port 3389.
So I just swapped the settings and managed to RDP.
But File Replication is not working either. For instance, if you create a file under the logon share on one DC, it does not replicate to the Netlogon share on the other DC. I opened port TCP/UDP 135 and TCP random port 50000 but it still didn't work. I am not sure if I need to tweak a registry setting to make it know about port 50000.
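
The RDP exemption described in the comment above, written out as `netsh ipsec static` commands instead of the MMC dialogs. This is an added example, not something posted in this thread, and it assumes the English preset policy name 'Secure Server (Require Security)' from Windows XP / Server 2003; the filter list, filter action and rule names are placeholders chosen here. It creates the same objects the 'IP Security Policies' snap-in edits, so the port logic carries over directly.

```batch
@echo off
rem Added example (not from the thread): exempt RDP from the preset
rem "Secure Server (Require Security)" policy so the DC still requires IPsec
rem for everything else but accepts Terminal Services connections in the clear.
rem Object names below ("RDP exempt", "Permit", "Allow RDP in clear") are placeholders.

rem 1. Edit the local policy store. (For a GPO-delivered policy the same objects
rem    are stored domain-wide; switch the store with
rem    netsh ipsec static set store location=domain domain=<your domain>)
netsh ipsec static set store location=local

rem 2. Filter list for RDP, written from the DC's point of view. The address and
rem    port fields describe the SAME endpoint: with the DC as source ("me"), its
rem    listening port 3389 goes in the SOURCE port, and the client is "any" address
rem    on any port (dstport=0). That is the "From this port 3389 / To any port"
rem    setting from the comment; putting 3389 on the destination side with "me"
rem    as the source describes DC-originated traffic to a client port 3389, which
rem    never occurs. mirrored=yes adds the reverse (client -> DC:3389) direction.
netsh ipsec static add filterlist name="RDP exempt" description="Terminal Services on this DC"
netsh ipsec static add filter filterlist="RDP exempt" srcaddr=me srcport=3389 dstaddr=any dstport=0 protocol=TCP mirrored=yes description="DC:3389 <-> any client port, both directions"

rem 3. Filter action: permit passes matching traffic without negotiating IPsec.
netsh ipsec static add filteraction name="Permit" action=permit

rem 4. Rule added to the preset policy. A filter that names a specific port is more
rem    specific than the preset "All IP Traffic" filter, so it takes precedence and
rem    RDP passes while all other traffic still has to negotiate security.
netsh ipsec static add rule name="Allow RDP in clear" policy="Secure Server (Require Security)" filterlist="RDP exempt" filteraction="Permit"

rem 5. Only an ASSIGNED policy is active. A policy that is merely listed in the
rem    snap-in (or in every GPO editor) does nothing until it is assigned.
netsh ipsec static set policy name="Secure Server (Require Security)" assign=yes

rem 6. Verify: the stored policy and its assignment state, and on a domain member
rem    the policy (if any) that Group Policy is handing down.
netsh ipsec static show policy name="Secure Server (Require Security)"
netsh ipsec static show gpoassignedpolicy
```

Two points this makes visible that the dialogs hide. IPsec policies in Active Directory are stored once per domain (under the domain's System container), not inside each GPO, which is why the same policy appears in the editor of every GPO; each GPO then assigns at most one of them, matching the "listed is not assigned" distinction made earlier in the thread. And because the rule above permits TCP 3389 in the clear, the RDP session itself is protected only by what Terminal Services provides, so keep the exemption as narrow as the filter shows (one port, one protocol) rather than exempting the client's whole address.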

Author Comment

by:jskfan
ID: 24344604
Sorry for the typos.

Accepted Solution

by:bluntTony (earned 500 total points)
ID: 24348192
I think that you'll need to open more ports than that.

I'll post a response about replication in your other post about the subject.

Tony