Re: Internet restrictions part 2

From: Steven L Umbach (sumbach_at_nospam-ameritech.net)
Date: 03/13/04


Date: Sat, 13 Mar 2004 15:57:41 GMT

IPsec is very powerful, but often not used. I have suggested a similar setup
to those who experience a lot of user problems, such as in a school, to
prevent users from trying to access each other's computers. That and the
Software Restriction Policies in XP Pro can allow an admin to really lock down
and secure the domain. I have also suggested IPsec to those who find
"unauthorized" computers on the network, such as an employee's personal laptop,
though I think it should be communicated to employees that this is not allowed
and be dealt with severely, but I guess I am old fashioned. In an all-W2K/XP
domain with those problems it would make sense to have an IPsec require
policy on servers and such and a client respond policy on domain members, with
exemptions for traffic to/from domain controllers, possibly using only AH to
minimize overhead, to deny access to those servers from non-domain
computers. Of course the "add workstations to the domain" user right would
need to be removed for authenticated users in the Domain Controller Security
policy so that they could not add their computers to the domain. I have,
however, not been able to successfully implement a require policy on domain
controllers for communications between domain members, trying various
combinations of ports and just using AH. It is not supported by Microsoft
[KB 254949] for W2K or W2003. Generally when I implement one on a test
network the computer stalls when trying to log on. --- Steve

"Andrew Mitchell" <amitchel@removecasey.vic.gov.au> wrote in message
news:Xns94AB82863856Dcasey01@207.46.248.16...
> "Steven L Umbach" <sumbach@nospam-ameritech.net> said
>
> > You would have to configure an IPsec policy for "computers" - not
> > users in an OU. IPsec can only be applied to computers. I prefer a
> > "block all" rule and then configure rules for the exceptions as users
> > can access a lot on the internet other than ports 80/443 TCP. I start
> > with a mirrored block all rule, then add a mirrored permit all rule
> > for the LAN subnet,
>
> I've actually gone a step further than that and only applied a permit rule
> for the required ports to/from the servers and administrators' workstations.
>
> All traffic between workstations is blocked. I don't see the need for
> general workstations to be able to talk to each other and this way if one
> of the workstations should be compromised or infected, the risk of the
> problem going any further is minimised.
> This took a fair bit of analysis to determine exactly which ports were
> required, but once set up it's extremely easy to maintain. Just drop the
> machine in the relevant OU and it's done.
>
> Andy.
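The policy Steve and Andy describe (mirrored block-all with permit exceptions, AH-only IPsec with Kerberos machine authentication, a "require" policy on servers and a "respond" policy on workstations, and domain controllers exempted from IPsec because of KB 254949), written as an added example that is not part of the thread. The 2004 posts used the W2K/XP IP Security Policy snap-in; this version uses the Windows Firewall with Advanced Security cmdlets available on Windows 8 / Server 2012 and later, which are the modern equivalent. The domain name, GPO names, addresses and ports are assumptions for illustration and must be replaced with the real ones before running it on a domain controller or management host.

```powershell
# Added example, not code from the thread. Requires the NetSecurity module (Windows 8 / Server 2012+)
# and rights to edit the two GPOs. All addresses, GPO names and ports below are assumptions.
#Requires -RunAsAdministrator
#Requires -Modules NetSecurity

$Domain            = 'corp.example'                   # assumption
$DomainControllers = @('10.0.0.10', '10.0.0.11')      # assumption: exempt from IPsec (KB 254949)
$MemberServers     = @('10.0.1.0/24')                 # assumption
$Workstations      = @('10.0.2.0/24')                 # assumption: admin workstations live here too
$AdminWorkstations = @('10.0.2.5', '10.0.2.6')        # assumption
$ServerPorts       = @('445', '3389')                 # assumption: SMB and RDP to member servers

# Machine Kerberos authentication and AH-only (integrity, no encryption) crypto, created inside a
# GPO session so the policy follows the OU the GPO is linked to ("drop the machine in the OU").
function Add-AhKerberosSets {
    param($GpoSession)
    $auth = New-NetIPsecAuthProposal -Machine -Kerberos
    New-NetIPsecPhase1AuthSet -Name 'MachineKerberos' -DisplayName 'Machine Kerberos' `
        -Proposal $auth -GPOSession $GpoSession | Out-Null
    $qm = New-NetIPsecQuickModeCryptoProposal -Encapsulation AH -AHHash SHA256
    New-NetIPsecQuickModeCryptoSet -Name 'AhSha256' -DisplayName 'AH SHA-256' `
        -Proposal $qm -GPOSession $GpoSession | Out-Null
}

# ---- Workstation GPO: "client respond" plus a mirrored block-all with explicit exceptions ----
$ws = Open-NetGPO -PolicyStore "$Domain\Workstation Isolation"
Add-AhKerberosSets -GpoSession $ws

# Negotiate AH with member servers and admin workstations only. Domain controllers are left out of
# -RemoteAddress on purpose, so DC traffic is never IPsec-protected (the unsupported case).
New-NetIPsecRule -DisplayName 'AH to servers and admin workstations' -Mode Transport -Protocol Any `
    -LocalAddress Any -RemoteAddress ($MemberServers + $AdminWorkstations) `
    -InboundSecurity Request -OutboundSecurity Request `
    -Phase1AuthSet 'MachineKerberos' -QuickModeCryptoSet 'AhSha256' -GPOSession $ws

# Mirrored block-all: default deny in both directions on the domain profile.
Set-NetFirewallProfile -Profile Domain -DefaultInboundAction Block -DefaultOutboundAction Block `
    -GPOSession $ws

# Exceptions. DC traffic is exempt from both the block and the IPsec requirement.
New-NetFirewallRule -DisplayName 'Domain controllers (out)' -Direction Outbound -Action Allow `
    -RemoteAddress $DomainControllers -Profile Domain -GPOSession $ws
New-NetFirewallRule -DisplayName 'Domain controllers (in)' -Direction Inbound -Action Allow `
    -RemoteAddress $DomainControllers -Profile Domain -GPOSession $ws
# Only the required ports to member servers, and only over an authenticated AH association.
New-NetFirewallRule -DisplayName 'Member servers (required ports)' -Direction Outbound -Action Allow `
    -Protocol TCP -RemotePort $ServerPorts -RemoteAddress $MemberServers `
    -Authentication Required -Profile Domain -GPOSession $ws
# Admin workstations may reach this machine, but only after proving a domain machine identity.
New-NetFirewallRule -DisplayName 'Admin workstations (in)' -Direction Inbound -Action Allow `
    -RemoteAddress $AdminWorkstations -Authentication Required -Profile Domain -GPOSession $ws
# No rule permits workstation-to-workstation traffic, so it falls to the default Block.
Save-NetGPO -GPOSession $ws

# ---- Member server GPO: "require" inbound AH from workstations; still no IPsec to/from DCs ----
$srv = Open-NetGPO -PolicyStore "$Domain\Member Server Isolation"
Add-AhKerberosSets -GpoSession $srv
New-NetIPsecRule -DisplayName 'Require AH from workstations' -Mode Transport -Protocol Any `
    -LocalAddress Any -RemoteAddress $Workstations `
    -InboundSecurity Require -OutboundSecurity Request `
    -Phase1AuthSet 'MachineKerberos' -QuickModeCryptoSet 'AhSha256' -GPOSession $srv
Set-NetFirewallProfile -Profile Domain -DefaultInboundAction Block -GPOSession $srv
New-NetFirewallRule -DisplayName 'Domain controllers (in)' -Direction Inbound -Action Allow `
    -RemoteAddress $DomainControllers -Profile Domain -GPOSession $srv
New-NetFirewallRule -DisplayName 'Workstations (required ports, authenticated)' -Direction Inbound `
    -Action Allow -Protocol TCP -LocalPort $ServerPorts -RemoteAddress $Workstations `
    -Authentication Required -Profile Domain -GPOSession $srv
Save-NetGPO -GPOSession $srv
```

After `gpupdate` on a workstation, touching a server share and then running `Get-NetIPsecMainModeSA` and `Get-NetIPsecQuickModeSA` on either side should show a Kerberos main-mode SA and an AH quick-mode SA to the server, while `Get-NetIPsecQuickModeSA` shows nothing for the domain controllers. A laptop that is not a domain member but sits on the workstation subnet cannot complete the Kerberos machine authentication, so the server-side `Require` rule and the `-Authentication Required` firewall rules drop it even if it spoofs an admin workstation's address; this is what makes the address-based exceptions safe. The default outbound `Block` on the workstation profile also blocks Internet access until a rule for the web proxy (or ports 80/443, as Steve mentions) is added, which is a deliberate choice here and an assumption about how the site reaches the Internet.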
