Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email firstname.lastname@example.org
From: Dante Mercurio (dmercurio_at_ccgsecurity.com)
Date: Wed Nov 06 2002 - 10:17:34 CST
Just to clarify to avoid confusion: This only applies to IPSec policies
setup ON MS systems. Two domain controllers behind a Watchguard (or any
vendor for that matter) branch office VPN will have these packets
encrypted while traveling over the VPN.
M. Dante Mercurio, CCNA, MCSE+I, CCSA
Consulting Group Manager
Continental Consulting Group, LLC
From: Fred Williams [mailto:A20FBW1wpo.cso.niu.edu]
Sent: Tuesday, November 05, 2002 1:29 PM
To: focus-mssecurityfocus.com; security-basicssecurityfocus.com
Subject: was - RE: Access to well-known ports on Win2K -now [IPSec
As long as you're discussing ipsec filters please permit this bit of
"thread drift"... Most all of you know this already but there are always
new readers or perhaps those new to Win2k ipsec policies...
According to the article:
Traffic That Can--and Cannot--Be Secured by IPSec
All traffic from any ip port 88 is ASSUMED to be Kerberos traffic and
hence is exempt from all ipsec filters. So just by implementing a "block
all" ipsec policy, ANYONE can still port scan your computer by binding
their scanner to their local port 88 and targeting your computer.
According to this article:
IPSec Does Not Secure Kerberos Traffic Between Domain Controllers
A registry setting was added in Win2K SP1 to support disabling this
I wrote a quick VBScript to then set this key on all computers in an
Active Directory OU. If anyone is interested in the script just email me
directly. Note the ipsec policy agent needs to be restarted for the
change to take effect...this can be scripted as well... Hope someone
finds this helpful.