How does domain isolation with Windows 2003 IPsec happen?

Thread starter: Simon (Guest)

Hi all,

I have a question regarding implementing domain isolation with IPsec
support from Windows 2003 (or higher.)

From the examples online, you only need to join a few machines into
the domain and they are magically protected from outsider attacks and
eavesdropping. I am wondering how exactly this should be configured,
especially using a group policy distributed from the domain
controller.

How should I write this policy in the domain controller? The most
naive way is to list all the IP addresses of all the domain members in
a filter list, and apply "secure" action to this filter. My question
is, what if a new computer joins the domain or someone left? Do I,
presumably the domain admin, need to reconfigure the filter list every
time?

Is there a better way of doing this? Or, can someone show me the
correct way of doing it?
Thanks a lot!

-Simon
 
Re: How does domain isolation with Windows 2003 IPsec happen?

The domain isolation principle uses IPsec with Kerberos authentication.
Servers receive policies that require inbound communications to be protected
with IPsec; clients receive policies instructing them to use IPsec when
communicating to servers within whatever address range you define.

http://technet.microsoft.com/en-us/network/bb545651.aspx has links to
various resources.

--
Steve Riley
steve.riley@microsoft.com
http://blogs.technet.com/steriley
Protect Your Windows Network: http://www.amazon.com/dp/0321336437



"Simon" <xchenum@gmail.com> wrote in message
news:805add47-ad0a-4ba9-96de-d51dd18d8ab0@75g2000hso.googlegroups.com...
> Hi all,
>
> I have a question regarding implementing domain isolation with IPsec
> support from Windows 2003 (or higher.)
>
> From the examples online, you only need to join a few machines into
> the domain and they are magically protected from outsider attacks and
> eavesdropping. I am wondering how exactly this should be configured,
> especially using a group policy distributed from the domain
> controller.
>
> How should I write this policy in the domain controller? The most
> naive way is to list all the IP addresses of all the domain members in
> a filter list, and apply "secure" action to this filter. My question
> is, what if a new computer joins the domain or someone left? Do I,
> presumably the domain admin, need to reconfigure the filter list every
> time?
>
> Is there a better way of doing this? Or, can someone show me the
> correct way of doing it?
> Thanks a lot!
>
> -Simon
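An added example, not part of Steve's reply or of any Microsoft document: the "servers require, clients request" model he describes, written as `netsh ipsec static` commands of the kind available on Windows XP SP2 and Server 2003. It answers Simon's filter-list concern directly: the filters use the `Me` and `Any` keywords (or a server subnet) rather than a list of member addresses, and Kerberos authentication ties the rule to domain membership, so machines that join or leave the domain need no filter changes. The domain name `corp.example.local`, the server subnet `10.0.1.0/24`, the domain controller address `192.0.2.10` and all policy names are placeholders I made up. The DC exemption is my own addition from practice, not from the thread: the Kerberos exchange that authenticates IKE has to reach a domain controller before any IPsec SA exists, so DC traffic is permitted in the clear.

```cmd
REM Added example (not from the thread). Placeholders: domain name, subnet,
REM DC address and policy names. Run from an elevated command prompt on a
REM machine with the AD management tools; it writes to the domain policy store.

REM Target the Active Directory store so the policies appear under
REM "IP Security Policies on Active Directory" for assignment through a GPO.
netsh ipsec static set store location=domain domain=corp.example.local

REM --- Filter lists -----------------------------------------------------------
REM "Me" and "Any" replace a hand-maintained list of member IP addresses.
netsh ipsec static add filterlist name="Me to Any" description="All IP traffic to and from this host"
netsh ipsec static add filter filterlist="Me to Any" srcaddr=Me dstaddr=Any protocol=ANY mirrored=yes

REM Client-side filter limited to the server range (placeholder 10.0.1.0/24),
REM matching "whatever address range you define" in the reply.
netsh ipsec static add filterlist name="Me to Servers" description="Traffic to the server subnet"
netsh ipsec static add filter filterlist="Me to Servers" srcaddr=Me dstaddr=10.0.1.0 dstmask=255.255.255.0 protocol=ANY mirrored=yes

REM Domain controller exemption (placeholder address 192.0.2.10): Kerberos must
REM reach a DC before IKE can authenticate, so DC traffic stays unprotected.
netsh ipsec static add filterlist name="Domain Controllers" description="DC addresses, exempt from IPsec"
netsh ipsec static add filter filterlist="Domain Controllers" srcaddr=Me dstaddr=192.0.2.10 dstmask=255.255.255.255 protocol=ANY mirrored=yes

REM --- Filter actions ---------------------------------------------------------
REM Servers: negotiate, never accept unsecured inbound, never fall back to clear.
REM A machine outside the domain cannot complete Kerberos, so it never connects.
netsh ipsec static add filteraction name="Require Security" action=negotiate inpass=no soft=no
REM Clients: negotiate, but accept unsecured inbound and fall back to clear so
REM they can still talk to non-IPsec hosts such as printers or the internet.
netsh ipsec static add filteraction name="Request Security" action=negotiate inpass=yes soft=yes
netsh ipsec static add filteraction name="Permit" action=permit

REM --- Server policy (assign via a GPO linked to the servers OU) ---------------
netsh ipsec static add policy name="Domain Isolation - Servers" description="Require IPsec inbound, Kerberos authentication"
netsh ipsec static add rule name="Exempt DCs" policy="Domain Isolation - Servers" filterlist="Domain Controllers" filteraction="Permit"
netsh ipsec static add rule name="Require from domain members" policy="Domain Isolation - Servers" filterlist="Me to Any" filteraction="Require Security" kerberos=yes

REM --- Client policy (assign via a GPO linked to the workstations OU) ----------
netsh ipsec static add policy name="Domain Isolation - Clients" description="Request IPsec to servers, Kerberos authentication"
netsh ipsec static add rule name="Exempt DCs" policy="Domain Isolation - Clients" filterlist="Domain Controllers" filteraction="Permit"
netsh ipsec static add rule name="Request to servers" policy="Domain Isolation - Clients" filterlist="Me to Servers" filteraction="Request Security" kerberos=yes

REM Review what was written before assigning it in Group Policy Management.
netsh ipsec static show policy name="Domain Isolation - Servers" level=verbose
netsh ipsec static show policy name="Domain Isolation - Clients" level=verbose
```

Assignment happens in the GPO itself (open the GPO, go to IP Security Policies on Active Directory, right-click the policy, Assign), not with `set policy assign=y`, which acts on the local store. After clients refresh policy, `netsh ipsec dynamic show mmsas` on a server should list a main-mode SA per domain client that has talked to it, and a non-domain host should see its connection attempts to that server fail rather than fall back to clear. Roll the server policy out to a pilot OU first: with `inpass=no` and `soft=no`, any legitimate non-domain client of that server (a monitoring appliance, a non-Windows host) is cut off until it gets its own exemption filter list.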
 