There is also a bunch of new documentation for IPsec (under the auspices of
Domain Isolation) for Windows Server 2003 SP1. These are available on the
download center (will be on TechCenter soon). Unfortunately, these documents
are very difficult to find - sigh. So, I'll put the direct links to them
with a short abstract below:
"Introduction to Server and Domain Isolation with Microsoft Windows"
This is the place to start if you are new to IPsec or domain isolation.
Also, at the end of the paper is a roadmap to all the other domain isolation
docs (quoted in part below).
"Domain Isolation with Microsoft Windows Explained"
This paper provides a detailed overview of domain isolation. It explains how
domain isolation protects domain member computers and the benefits of
deploying domain isolation. It also provides a brief overview of how to
deploy domain isolation. This paper is intended for IT professionals in
organizations that are investigating using the Microsoft implementation of
Internet Protocol security (IPsec) in Windows to deploy domain isolation. It
assumes that you are somewhat familiar with the Microsoft implementation of
IPsec and would like more detailed information about using that technology
to deploy domain isolation.
"Server Isolation with Microsoft Windows Explained"
This paper provides a detailed overview of server isolation. It explains how
server isolation protects isolated servers and the benefits of deploying
server isolation. It also provides a brief overview of how to deploy server
isolation. This paper is intended for IT professionals in organizations that
are investigating using the Microsoft implementation of IPsec in Windows to
deploy server isolation. It assumes that you are somewhat familiar with the
Microsoft implementation of IPsec and would like more detailed information
about using that technology to deploy server isolation.
"Domain Isolation Planning Guide for IT Managers"
Designed for enterprise IT managers who are investigating using IPsec in
Microsoft Windows to deploy domain isolation, this paper will help you and
your IT staff to gather the information required to develop a domain
isolation deployment plan and to design your IPsec policies. It includes an
overview of the deployment process, a step-by-step guide to the planning
process, and links to resources that you can use to plan and design your
deployment. It does not explain how to deploy domain isolation.
"A Guide to Domain Isolation for Security Architects"
Designed for network architects of enterprise organizations that are
investigating using IPsec in Microsoft Windows to deploy domain isolation,
this paper describes the implications of deploying domain isolation in an
enterprise environment and explains how to assess the enterprise environment
and plan domain isolation. Read this guide after you have developed a
working knowledge of domain isolation.
"Setting Up IPsec Server and Domain Isolation in a Test Lab"
This paper demonstrates how to set up IPsec domain and server isolation in a
limited test environment. It provides procedures for setting up a basic
deployment, which you can use as the basis for your own deployment. This
paper is designed for network architects who are investigating using IPsec
in Microsoft Windows to deploy server and domain isolation.
"Interoperability Considerations for IPsec Server and Domain Isolation"
This paper describes interoperability between IPsec-secured hosts running
Windows Server 2003, Windows XP with Service Pack 2 (SP2), and Windows 2000
Server with Service Pack 4 (SP4) in a domain or server isolation scenario
and hosts that cannot use IPsec, including computers running earlier
versions of Windows or non-Microsoft operating systems. It is intended for
IT professionals in organizations that are investigating using IPsec in
Microsoft Windows to deploy server and domain isolation.
In addition to these, Microsoft IT has a rather detailed and comprehensive
paper on how they deployed domain isolation - "Improving Security with
James Morey | Microsoft | Windows Server UA | Networking
Post by Steve Clark [MSFT]
Maybe the information is on www.microsoft.com already? :)
Search for "Security Guide" and the OS you want (such as 2000, 2003, XP).
Post by Duane Arnold
Post by Alfredo
Post by T. Sean Weintz
Post by Alfredo
It could be that Ethereal is
capturing the packets before IPSEC gets to block them.
Yup. That is what's happening.
Wait, that can't be it, because there's also the case of the flooding
spammer trying to relay through me.
I placed his IP on the same "block" list, and yet my SMTP inlog still
shows his flood of email attempts *after* I put him on the IPSEC block
list exactly like I did with the worm above. His packets are still
getting through. This is an IPSEC issue.
Can anyone see what I have done wrong in my IPSEC policy? I am getting
overwhelmed with worms and spammers doing what amounts to a DOS attack
on my server and I would like to stop them.
You put a router, a border device, in front of the machine and let it block
the attacks so that the machine doesn't have to use resources in blocking
the attacks, slowing the machine down in doing more productive things. You
can get a router that can set rules to block a specified IP and block it
at the border. Even if you were able to set some IPsec rule and block
things, it is still going to require that the machine use unnecessary
resources to continue to block them, slowing the machine down while it's
The machine seems to be compromised and you need to focus on removing the
exploit or exploits ;-) from the machine and not try to block them with
IPsec. IPsec is just one part of the security solution and is not a
stop-all and end-all solution. You have to help IPsec out by doing the right
things in your security setup for the machine.
You might also want to find out how to secure or *harden* the NT-based
O/S against attack. The information is out on Google or dogpile.com on the how