Jacques Koorts
Guest
Posted: Thu Dec 09, 2004 1:57 am
Post subject: Is it possible to secure replication?

I have this idea: you add 2 network cards to each DC, one used to connect
to the network and the other to connect to each other. This link
between them you then use for replication, making it very secure. Can this
be done, and how?

Laura A. Robinson
Guest
Posted: Thu Dec 09, 2004 2:12 am
Post subject: Re: Is it possible to secure replication?

Tinfoil hat securely fastened, Jacques Koorts pounded the keyboard to produce
| Quote: | I have this idea: you add 2 network cards to each DC, one used to connect
to the network and the other to connect to each other. This link
between them you then use for replication, making it very secure. Can this
be done, and how? |

You could set up a tunnel between them, but you realize that replication is
*already* secured, right?

Laura
--
They that can give up essential liberty to obtain a little temporary safety
deserve neither liberty nor safety.
-- Benjamin Franklin

Jacques Koorts
Guest
Posted: Thu Dec 09, 2004 3:18 am
Post subject: Re: Is it possible to secure replication?

Then how would you do that? How would you specify to only set up tunneling
for replication and not normal IP traffic?

"Laura A. Robinson" <geekwench@snip.this.hotmail.com> wrote in message
news:MPG.1c212a22ee5617f6989701@nn.bloomberg.com...
| Quote: | Tinfoil hat securely fastened, Jacques Koorts pounded the keyboard to produce
I have this idea: you add 2 network cards to each DC, one used to connect
to the network and the other to connect to each other. This link
between them you then use for replication, making it very secure. Can this
be done, and how?
You could set up a tunnel between them, but you realize that replication
is *already* secured, right?
Laura
--
They that can give up essential liberty to obtain a little temporary safety
deserve neither liberty nor safety.
-- Benjamin Franklin |

Jacques Koorts
Guest
Posted: Thu Dec 09, 2004 3:20 am
Post subject: Re: Is it possible to secure replication?

I don't think it's that secure. What security protocols are used? What
authentication?
The most secure option is to have a wire (Ethernet) physically running
between the 2 boxes, so you will have 2 cards in both systems...

"Laura A. Robinson" <geekwench@snip.this.hotmail.com> wrote in message
news:MPG.1c212a22ee5617f6989701@nn.bloomberg.com...
| Quote: | Tinfoil hat securely fastened, Jacques Koorts pounded the keyboard to produce
I have this idea: you add 2 network cards to each DC, one used to connect
to the network and the other to connect to each other. This link
between them you then use for replication, making it very secure. Can this
be done, and how?
You could set up a tunnel between them, but you realize that replication
is *already* secured, right?
Laura
--
They that can give up essential liberty to obtain a little temporary safety
deserve neither liberty nor safety.
-- Benjamin Franklin |

 |
Steve Clark [MSFT]
Guest
Posted: Thu Dec 09, 2004 4:29 am
Post subject: Re: Is it possible to secure replication?

You don't need multiple NICs.
You can use IPsec for DC to DC security, but you need to use certs or a PSK
to do this since Kerb will have issues.

"Jacques Koorts" <jkoorts@gmail.com> wrote in message
news:10ren4v8prael4e@corp.supernews.com...
| Quote: | I have this idea: you add 2 network cards to each DC, one used to connect
to the network and the other to connect to each other. This link
between them you then use for replication, making it very secure. Can this
be done, and how? |

Steven L Umbach
Guest
Posted: Thu Dec 09, 2004 6:15 am
Post subject: Re: Is it possible to secure replication?

Kerberos secures replication traffic for Active Directory, including AD
integrated DNS zones, and is very secure. You can also use Domain Security
Policy to change Kerberos policies as far as ticket lifetimes if you feel
the need to secure it further at the expense of additional bandwidth and
load on the domain controllers. Installing multiple NICs on domain
controllers is something to be avoided if possible anyhow, as they end up
being master browsers and other configuration headaches can occur. ---
Steve
http://www.windowsitlibrary.com/Content/617/06/toc.html -- more info on
Kerberos.

"Jacques Koorts" <jkoorts@gmail.com> wrote in message
news:10ren4v8prael4e@corp.supernews.com...
| Quote: | I have this idea: you add 2 network cards to each DC, one used to connect
to the network and the other to connect to each other. This link
between them you then use for replication, making it very secure. Can this
be done, and how? |

Karl Levinson, mvp
Guest
Posted: Thu Dec 09, 2004 9:17 am
Post subject: Re: Is it possible to secure replication?

The problem is that replication of Active Directory is far from the biggest
vulnerability or the most common target. It's more common to just attack
the domain controller, either through the network card attached to the
network or by attacking a client workstation or user attached to the domain
controller. If someone wanted to sniff network traffic, they wouldn't be
sniffing the replication traffic, they would be sniffing the client
authentication requests.
Microsoft has hardening guides at www.microsoft.com/technet/security, and
for Windows 2000 there are also excellent guides at www.nsa.gov/snac and
http://securityadmin.info/faq.asp#harden. These people have been securing
domain controllers in real environments for some time and know what works.
I would avoid trying to reinvent the wheel and first make sure you've gained
all you can from their documents. There are no doubt plenty of other more
important things you have not yet secured.

"Jacques Koorts" <jkoorts@gmail.com> wrote in message
news:10ren4v8prael4e@corp.supernews.com...
| Quote: | I have this idea: you add 2 network cards to each DC, one used to connect
to the network and the other to connect to each other. This link
between them you then use for replication, making it very secure. Can this
be done, and how? |

Roger Abell
Guest
Posted: Thu Dec 09, 2004 11:40 am
Post subject: Re: Is it possible to secure replication?

Adding an extra NIC for this is not the way to go, as this
implies that you will be taking manual control over the
DNS records, etc., and making sure that all proper clients
have correct distance info in their routing tables so that
they never attempt use of the "DC private" NIC.
As was pointed out, Kerberos is used for machine authentication,
the AD replication traffic is already secured, and IPsec is the
way to add further integrity and privacy on the DC to DC packet
stream without having DNS uglies to deal with. There are also
policies that may be set to increase the packet level security
of communications, both in general and for schannel.
--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA

"Jacques Koorts" <jkoorts@gmail.com> wrote in message
news:10ren4v8prael4e@corp.supernews.com...
| Quote: | I have this idea: you add 2 network cards to each DC, one used to connect
to the network and the other to connect to each other. This link
between them you then use for replication, making it very secure. Can this
be done, and how? |

Jacques Koorts
Guest
Posted: Thu Dec 09, 2004 7:03 pm
Post subject: Re: Is it possible to secure replication?

Thanks guys, will go and read up on those links.
cheers
jk

"Roger Abell" <mvpNOSpam@asu.edu> wrote in message
news:%238TIuEb3EHA.2156@TK2MSFTNGP10.phx.gbl...
| Quote: | Adding an extra NIC for this is not the way to go, as this
implies that you will be taking manual control over the
DNS records, etc., and making sure that all proper clients
have correct distance info in their routing tables so that
they never attempt use of the "DC private" NIC.
As was pointed out, Kerberos is used for machine authentication,
the AD replication traffic is already secured, and IPsec is the
way to add further integrity and privacy on the DC to DC packet
stream without having DNS uglies to deal with. There are also
policies that may be set to increase the packet level security
of communications, both in general and for schannel.
--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA
"Jacques Koorts" <jkoorts@gmail.com> wrote in message
news:10ren4v8prael4e@corp.supernews.com...
I have this idea: you add 2 network cards to each DC, one used to connect
to the network and the other to connect to each other. This link
between them you then use for replication, making it very secure. Can this
be done, and how? |

Steve Clark [MSFT]
Guest
Posted: Fri Dec 10, 2004 5:08 am
Post subject: Re: Is it possible to secure replication?

Kerberos isn't the transport: RPC is.
You secure RPC with IPsec, not with Kerberos. Some versions of RPC are
encrypted using other mechanisms in their own right (such as Exchange
Server).

"Steven L Umbach" <n9rou@n0-spam-for-me-comcast.net> wrote in message
news:ROMtd.159281$V41.27654@attbi_s52...
| Quote: | Kerberos secures replication traffic for Active Directory, including AD
integrated DNS zones, and is very secure. You can also use Domain Security
Policy to change Kerberos policies as far as ticket lifetimes if you feel
the need to secure it further at the expense of additional bandwidth and
load on the domain controllers. Installing multiple NICs on domain
controllers is something to be avoided if possible anyhow, as they end up
being master browsers and other configuration headaches can occur. ---
Steve
http://www.windowsitlibrary.com/Content/617/06/toc.html -- more info on
Kerberos.
"Jacques Koorts" <jkoorts@gmail.com> wrote in message
news:10ren4v8prael4e@corp.supernews.com...
I have this idea: you add 2 network cards to each DC, one used to connect
to the network and the other to connect to each other. This link
between them you then use for replication, making it very secure. Can this
be done, and how? |

S. Pidgorny
Guest
Posted: Fri Dec 10, 2004 2:42 pm
Post subject: Re: Is it possible to secure replication?

Steve,
I thought that AD replication also features some kind of encryption... At
least, Robert Deluca, a Microsoft expert, said so:
http://www.microsoft.com/technet/community/chats/trans/windowsnet/wnet_102104.mspx
--
Svyatoslav Pidgorny, MVP, MCSE
-= F1 is the key =-

"Steve Clark [MSFT]" <bogus@microsoft.com> wrote in message
news:OqDsyPk3EHA.1596@tk2msftngp13.phx.gbl...
| Quote: | Kerberos isn't the transport: RPC is.
You secure RPC with IPsec, not with Kerberos. Some versions of RPC are
encrypted using other mechanisms in their own right (such as Exchange
Server). |

Steven L Umbach
Guest
Posted: Sat Dec 11, 2004 1:03 am
Post subject: Re: Is it possible to secure replication?

It is. I think he was correcting my terminology? --- Steve
http://www.microsoft.com/resources/documentation/WindowsServ/2003/all/deployguide/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/all/deployguide/en-us/dnsbd_dns_wzwd.asp

Using Active Directory Replication
Replicating zones as part of Active Directory replication provides the
following security benefits:
a. Active Directory replication traffic is encrypted; therefore zone
replication traffic is encrypted automatically.
b. The Active Directory domain controllers that perform replication are
mutually authenticated, and impersonation is not possible.
c.

"S. Pidgorny <MVP>" <slavickp@yahoo.com> wrote in message
news:OA0ZzQp3EHA.404@TK2MSFTNGP10.phx.gbl...
| Quote: | Steve,
I thought that AD replication also features some kind of encryption... At
least, Robert Deluca, a Microsoft expert, said so:
http://www.microsoft.com/technet/community/chats/trans/windowsnet/wnet_102104.mspx
--
Svyatoslav Pidgorny, MVP, MCSE
-= F1 is the key =-
"Steve Clark [MSFT]" <bogus@microsoft.com> wrote in message
news:OqDsyPk3EHA.1596@tk2msftngp13.phx.gbl...
Kerberos isn't the transport: RPC is.
You secure RPC with IPsec, not with Kerberos. Some versions of RPC are
encrypted using other mechanisms in their own right (such as Exchange
Server). |

Steve Clark [MSFT]
Guest
Posted: Tue Dec 14, 2004 3:15 am
Post subject: Re: Is it possible to secure replication?

My point was that Kerb is an AuthN mechanism, not a transport mechanism.
AD uses RPC and encrypts the RPCs it uses.
To go further, you would use IPsec to protect DC to DC replication (which is
supported, except that Kerberos can't be used as the AuthN for the IPsec
rule; it has to be certs or PSK).
As we all know, RPC is not inherently secure (which is why there are custom
crypto things going on there).
If we had it to do all over again, we might have used IPsec for DC to DC
replication. There is no real good reason not to when you look at it for a
while...

"Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
news:eN2iZpu3EHA.1452@TK2MSFTNGP11.phx.gbl...

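The DC-to-DC IPsec setup Steve Clark describes here and in his first reply (certificate authentication, because Kerberos cannot authenticate the rule between DCs), scoped by address so that only DC-to-DC traffic is covered, which is what Jacques asked about, as an added example that is not code from anyone in the thread. It assumes the NetSecurity PowerShell module of Windows Server 2012 and later, which postdates this 2004 thread; the addresses and CA name are placeholders.

```powershell
# Added example, not from the thread. Requires IPsec for every packet between
# two DCs, authenticated with machine certificates instead of Kerberos (the
# thread's point that Kerb cannot authenticate a DC-to-DC IPsec rule).
# Run on each DC with $thisDc/$partnerDc swapped. Cmdlets are from the
# NetSecurity module (Windows Server 2012 and later); values are placeholders.
$thisDc    = '10.0.0.10'    # placeholder: this DC
$partnerDc = '10.0.0.11'    # placeholder: replication partner

# Hypothetical enterprise CA that issued both DCs' machine certificates.
$caDn = 'DC=com, DC=example, CN=Example Issuing CA'

# Phase 1 (main mode) authentication: machine certificate chaining to $caDn.
# A PSK is the other option the thread names; a certificate avoids a shared
# secret that every DC would have to hold.
$certAuth = New-NetIPsecAuthProposal -Machine -Cert -Authority $caDn -AuthorityType Root
$phase1   = New-NetIPsecPhase1AuthSet -DisplayName 'DC-to-DC certificate auth' -Proposal $certAuth

# Phase 2 (quick mode) crypto: ESP with AES-256 and SHA-256 integrity.
$qmProposal = New-NetIPsecQuickModeCryptoProposal -Encapsulation ESP -Encryption AES256 -ESPHash SHA256
$qmSet      = New-NetIPsecQuickModeCryptoSet -DisplayName 'DC-to-DC ESP AES256/SHA256' -Proposal $qmProposal

# The rule matches only traffic between the two DC addresses, so client-to-DC
# traffic (workstation Kerberos, LDAP, SMB) is not touched. This is the
# address-scoped answer to "only for replication and not normal IP traffic".
# Transport mode (the default) is used: host-to-host, no tunnel endpoints.
New-NetIPsecRule -DisplayName 'Require IPsec between DCs' `
    -LocalAddress $thisDc -RemoteAddress $partnerDc `
    -InboundSecurity Require -OutboundSecurity Require `
    -Phase1AuthSet $phase1.Name -QuickModeCryptoSet $qmSet.Name

# Check: once replication has run, a main-mode and a quick-mode SA with the
# partner should exist. No SA means negotiation failed, most often because
# one side's machine certificate does not chain to $caDn.
Get-NetIPsecMainModeSA  | Where-Object { $_.RemoteEndpoint -eq $partnerDc } | Format-List
Get-NetIPsecQuickModeSA | Where-Object { $_.RemoteEndpoint -eq $partnerDc } | Format-List
```

Apply the same rule on the partner DC with the two addresses swapped, and confirm with repadmin that replication still succeeds after both sides require IPsec.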
S. Pidgorny
Guest
Posted: Tue Dec 14, 2004 5:15 pm
Post subject: Re: Is it possible to secure replication?

Yes. AD replication traffic is authenticated and encrypted. IPsec is
goodness but not as much for AD replication :)

"Steve Clark [MSFT]" <bogus@microsoft.com> wrote in message
news:u9xaYjV4EHA.2452@TK2MSFTNGP14.phx.gbl...
| Quote: | My point was that Kerb is an AuthN mechanism, not a transport mechanism.
AD uses RPC and encrypts the RPCs it uses. |

Karl Levinson, mvp
Guest
Posted: Wed Dec 15, 2004 6:57 pm
Post subject: Re: Is it possible to secure replication?

"Steve Clark [MSFT]" <bogus@microsoft.com> wrote in message
news:u9xaYjV4EHA.2452@TK2MSFTNGP14.phx.gbl...
| Quote: | If we had it to do all over again, we might have used IPsec for DC to DC
replication. |

I think you *are* doing it all over again, e.g. Longhorn.