From: Dante Mercurio (dmercurio_at_ccgsecurity.com)
Date: Wed Nov 06 2002 - 10:17:34 CST


    Just to clarify to avoid confusion: This only applies to IPSec policies
    set up ON MS systems. Two domain controllers behind a Watchguard (or any
    vendor for that matter) branch office VPN will have these packets
    encrypted while traveling over the VPN.

    M. Dante Mercurio, CCNA, MCSE+I, CCSA
    dmercurio@ccgsecurity.com
    Consulting Group Manager
    Continental Consulting Group, LLC
    www.ccgsecurity.com

    -----Original Message-----
    From: Fred Williams [mailto:A20FBW1@wpo.cso.niu.edu]
    Sent: Tuesday, November 05, 2002 1:29 PM
    To: focus-ms@securityfocus.com; security-basics@securityfocus.com
    Subject: was - RE: Access to well-known ports on Win2K -now [IPSec
    -Default behavior]

    Hello,

    As long as you're discussing ipsec filters please permit this bit of
    "thread drift"... Most all of you know this already but there are always
    new readers or perhaps those new to Win2k ipsec policies...

    According to the article:
    Traffic That Can--and Cannot--Be Secured by IPSec
    http://support.microsoft.com/default.aspx?scid=kb;en-us;Q253169

    All traffic from any ip port 88 is ASSUMED to be Kerberos traffic and
    hence is exempt from all ipsec filters. So just by implementing a "block
    all" ipsec policy, ANYONE can still port scan your computer by binding
    their scanner to their local port 88 and targeting your computer.

    According to this article:
    IPSec Does Not Secure Kerberos Traffic Between Domain Controllers
    http://support.microsoft.com/default.aspx?scid=KB;EN-US;q254728&

    A registry setting was added in Win2K SP1 to support disabling this
    "feature":
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPSEC
    REG_DWORD: NoDefaultExempt
    Value: 1

    I wrote a quick VBScript to then set this key on all computers in an
    Active Directory OU. If anyone is interested in the script just email me
    directly. Note the ipsec policy agent needs to be restarted for the
    change to take effect...this can be scripted as well... Hope someone
    finds this helpful.

    Thanks
    Fred
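
The procedure Fred describes (set NoDefaultExempt=1 on every computer in an OU, then restart the IPsec policy agent), written as an added PowerShell example rather than his VBScript. It assumes the RSAT ActiveDirectory module, PowerShell remoting to the targets, that the policy agent service is named PolicyAgent, and a placeholder OU distinguished name.

```powershell
# Added example, not the script from the original post. Writes the
# NoDefaultExempt DWORD from KB Q254728 on each computer in an AD OU,
# restarts the IPsec policy agent, and reads the value back to verify.
# Assumptions: RSAT ActiveDirectory module, WinRM remoting to the targets,
# and the policy agent service short name 'PolicyAgent'.
param(
    [string]$OU = 'OU=Servers,DC=example,DC=com'   # placeholder OU DN
)

Import-Module ActiveDirectory

$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\IPSEC'   # key named in the post
$name    = 'NoDefaultExempt'

# Runs on each target: create the key if missing, set the DWORD to 1,
# restart the agent so the new setting is applied, return the stored value.
$remote = {
    param($regPath, $name)
    if (-not (Test-Path $regPath)) { New-Item -Path $regPath -Force | Out-Null }
    New-ItemProperty -Path $regPath -Name $name -Value 1 -PropertyType DWord -Force | Out-Null
    # The policy agent only reads this key at start-up, hence the restart.
    Restart-Service -Name PolicyAgent -Force -ErrorAction Stop
    (Get-ItemProperty -Path $regPath -Name $name).$name
}

$computers = Get-ADComputer -Filter * -SearchBase $OU |
    Select-Object -ExpandProperty Name

foreach ($c in $computers) {
    try {
        $v = Invoke-Command -ComputerName $c -ScriptBlock $remote `
             -ArgumentList $regPath, $name -ErrorAction Stop
        if ($v -eq 1) { Write-Output  "$c : NoDefaultExempt=1 (ok)" }
        else          { Write-Warning "$c : unexpected value '$v'" }
    } catch {
        Write-Warning "$c : failed - $($_.Exception.Message)"
    }
}
```

Later Windows versions changed the default handling of this key and extended its value range, so check the documented values for the target OS before rolling the setting out.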