tommym121 (Canada) asked:
Advantages and disadvantages of Server and Domain Isolation

Is Server and Domain Isolation still applicable today? This is technology from 2005. I read that Domain Isolation has one big issue: you have to exclude the domain controller from isolation. Is this correct, or what is the solution? Can multiple VLANs join into one single Server and Domain Isolation?
ASKER CERTIFIED SOLUTION: Neil Russell (United Kingdom)
tommym121 (asker):
http://programming4.us/security/584.aspx. Below is the comment from the above link. Is that true? If it is true, does anyone know any procedure or steps towards protecting the domain controller?

'This is where it starts getting more complicated. First, almost every environment has unmanaged machines that cannot be domain joined. For instance, a network printer might send logging data to a domain member, and there needs to be an exception in the IPsec filter to allow this. A further complication stems from the fact that you cannot secure all domain traffic with IPsec. The rationale is quite simple. The simplest method to implement the IPsec authentication is to use Kerberos. However, in order to use Kerberos, one must be domain joined. In order to become domain joined one must be able to connect to the domain controller (DC). In order to connect to the DC one must be able to negotiate an IPsec connection. In order to negotiate an IPsec connection one must be able to get a Kerberos ticket. In order to get a Kerberos ticket one must be domain joined. In order to … Well, you get the picture.

This circular dependency is why Microsoft has never supported client-to-DC IPsec. The DC, the very most valuable resource in the domain, must be unprotected by IPsec and accessible to all; otherwise you will never join another system to the domain. There are isolated deployments that have deployed client-to-DC IPsec anyway. In at least a few environments they made a conscious decision not to join any more systems to the domain. In others, the decision was to use certificate-based authentication for IPsec and then build an out-of-band deployment and servicing mechanism for the certificates. Starting with Windows Vista, certain limited client-to-DC IPsec scenarios are actually supported. More about that later.'
Thanks
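The following is an added example, not part of the original thread or of the quoted book text, showing what the two designs described in the quote look like as Windows Firewall with Advanced Security connection security rules: a Kerberos-authenticated isolation rule plus an authentication exemption for the domain controllers (the "DC must be accessible to all" approach), and, as an alternative, certificate-based machine authentication so that traffic to the DCs can be protected before a host is domain joined. The DC addresses, rule names and CA subject are assumed placeholders; the rules are created in the local policy store, and a `-PolicyStore "domain\GPO name"` argument would target a GPO instead.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell session
# on Windows 8/Server 2012 or later, which ship the NetSecurity module.
# All addresses and names below are assumptions for illustration.

$dcAddresses = @("10.0.0.10", "10.0.0.11")   # assumed domain controller addresses

# --- Design 1: Kerberos machine authentication + DC exemption -----------------
# Kerberos is the simplest authentication method, but a host can only obtain a
# Kerberos ticket after it is domain joined, which requires reaching the DC.
$kerbProposal = New-NetIPsecAuthProposal -Machine -Kerberos
$kerbSet = New-NetIPsecPhase1AuthSet -Name "DomainIsolation-Kerberos" `
    -DisplayName "Domain isolation: Kerberos machine authentication" `
    -Proposal $kerbProposal

# Authentication exemption: traffic to/from the DCs is never negotiated, so a
# not-yet-joined host can still reach LDAP/Kerberos and join the domain.
New-NetIPsecRule -DisplayName "Exempt domain controllers from IPsec" `
    -RemoteAddress $dcAddresses `
    -InboundSecurity None -OutboundSecurity None `
    -Profile Domain

# Isolation rule for everything else: inbound connections must authenticate,
# outbound connections request IPsec and fall back to clear text if the peer
# cannot negotiate (so unmanaged devices such as printers still work).
New-NetIPsecRule -DisplayName "Domain isolation (Kerberos)" `
    -InboundSecurity Require -OutboundSecurity Request `
    -Phase1AuthSet $kerbSet.Name `
    -Profile Domain

# --- Design 2: certificate machine authentication for client-to-DC traffic ----
# Replaces the exemption above. Machine certificates must be issued out of band
# (before the join), as the quoted text notes. Assumed CA subject below.
$useCertificates = $false
if ($useCertificates) {
    $certProposal = New-NetIPsecAuthProposal -Machine -Cert `
        -Authority "CN=Corp Root CA, DC=corp, DC=example" -AuthorityType Root
    $certSet = New-NetIPsecPhase1AuthSet -Name "ClientToDC-Cert" `
        -DisplayName "Client-to-DC: certificate machine authentication" `
        -Proposal $certProposal

    Remove-NetIPsecRule -DisplayName "Exempt domain controllers from IPsec" -ErrorAction SilentlyContinue
    New-NetIPsecRule -DisplayName "Client-to-DC IPsec (certificate)" `
        -RemoteAddress $dcAddresses `
        -InboundSecurity Require -OutboundSecurity Request `
        -Phase1AuthSet $certSet.Name `
        -Profile Domain
}

# Review what was created.
Get-NetIPsecRule | Select-Object DisplayName, InboundSecurity, OutboundSecurity, Phase1AuthSet
```

Two points a practitioner should check against this: the exemption rule is what the quoted passage calls leaving the DC "accessible to all", so the DCs still need host firewall rules and network ACLs of their own, and the certificate variant only removes the circular dependency if every host that must talk to a DC already holds a machine certificate from the trusted CA before it tries to join. Connection security rules are matched on IP addresses and profiles, not on VLAN membership, so hosts on several VLANs can belong to the same isolation domain as long as the rules (and any exemptions) cover their address ranges.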