Offline password attacks on AS-REQ
Jeffrey Altman
jaltman2 at nyc.rr.com
Thu Jun 16 18:23:34 EDT 2005
brian.joh at comcast.net wrote:
> Tunneling sounds like the best option.
>
> We have over 500 Windows 2000 and Windows 2003 domain
> controllers (KDCs in Active Directory) that we don't want to have
> to modify or install new software on. These domain controllers
> (KDCs) do have SSL properly configured, so I suppose we could
> tunnel the AS-REQ and AS-REP inside of SSL. I'll try this unless
> anyone knows of a better way, keeping in mind no major changes
> can be made to these Domain Controllers.
>
> Thanks!
>
I'm not sure how you would force all AS-REQ and AS-REP across an
SSL tunnel. If you are this concerned, you should probably require
IPSec when talking to your Domain controllers.
Jeffrey Altman
--
-----------------
This e-mail account is not read on a regular basis.
Please send private responses to jaltman at mit dot edu