Focus on Microsoft
AD replication - IP site to site encryption? Mar 07 2003 03:50PM
sn0rt_y hotmail com (1 replies)
RE: AD replication - IP site to site encryption? Mar 14 2003 11:01PM
Laura A. Robinson (larobins bellatlantic net)
RPC replication data is natively encrypted using 128-bit encryption.
Password changes are sent using LDAP over SSL. Accompanying data is not
encrypted (DNS, CIFS/SMB session setup, etc.).

Laura

> -----Original Message-----
> From: sn0rt_y (at) hotmail (dot) com
> Sent: Friday, March 07, 2003 10:51 AM
> To: focus-ms (at) securityfocus (dot) com
> Subject: AD replication - IP site to site encryption?
>
>
> Good day -
> There is a design being discussed of a Windows 2000 Native
> mode forest, single domain, multiple sites with one DC in
> each site. Each DC will be kept up to date on OS patches.
> Replication between DCs will be over IP without a VPN, IPSEC
> on the servers or LDAP over SSL.
>
> A question is what type, if any, encryption will be used on
> the replication traffic by default. Kerberos authentication
> will by default be used but will I be able to sniff the wire
> during replication and view say... password changes?
>
> This info will be used to present a case for using W2K IPSEC
> DC-to-DC communication, LDAP over SSL via certificates or a
> hardware VPN solution.
>
> TIA
> Sn0rt_y
>
