Wednesday, 9 January 2008

More investigation needed...

Investigations into Active Directory Replication Using RPC
Just a quickie...

I have been running Windows 2003 AD and GC (Global Replication) traffic through protocol analysers. The results so far:

  1. General replication data is not encrypted. Though the data looks scrambled in a protocol analyser, it is just compressed.
  2. Password data is poorly encrypted. It seems to be using a 56-bit RC4 key (and it is possible that it is only 40-bit).
  3. Site replication sends sensitive user data in the clear (compressed).
  4. Statistical data patterns clearly show the data to not be encrypted. There are clear distributions that match the original data distributions.
  5. This includes SYSVOL data.
All the more reason for IPSec tunnels between DCs.
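As an added illustration of the statistical check behind point 4 (editor-supplied example code, not from the original post, run on constructed sample data rather than a real capture), the Python below computes byte entropy and a chi-square test against a uniform distribution for a payload. Compressed data scores almost as high on entropy as ciphertext, so entropy alone cannot confirm encryption; the uniformity test and the 6-bit and 4-sigma cut-offs are assumptions chosen for this example.

```python
# Editor-added example (not from the original post): byte-distribution checks
# of the kind used to judge whether a captured replication payload is
# encrypted, compressed, or plain. All inputs below are constructed.
import math
import random
import zlib
from collections import Counter


def byte_histogram(data: bytes) -> list:
    """Count of each byte value 0..255."""
    counts = Counter(data)
    return [counts.get(v, 0) for v in range(256)]


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: near 8.0 for ciphertext or well-compressed data, far lower for text."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in byte_histogram(data) if c)


def chi_square_uniform(data: bytes) -> float:
    """Chi-square statistic of the byte histogram against a uniform distribution."""
    expected = len(data) / 256
    return sum((c - expected) ** 2 / expected for c in byte_histogram(data))


# Assumed cut-off: with 255 degrees of freedom a uniform source gives mean 255
# and standard deviation sqrt(510); anything beyond 4 sigma is called non-uniform.
UNIFORM_LIMIT = 255 + 4 * math.sqrt(2 * 255)


def looks_uniform(data: bytes) -> bool:
    """True when the byte distribution is statistically indistinguishable from uniform."""
    return chi_square_uniform(data) <= UNIFORM_LIMIT


def is_structured_plaintext(data: bytes) -> bool:
    """Entropy below 6 bits/byte (assumed cut-off) means byte-level structure survived."""
    return shannon_entropy(data) < 6.0


# Constructed stand-in for directory data: LDAP-style attribute lines.
PLAINTEXT = "\n".join(
    f"cn=user{i},ou=Users,dc=example,dc=local sAMAccountName=user{i} userAccountControl=512"
    for i in range(80)
).encode()
COMPRESSED = zlib.compress(PLAINTEXT)  # stand-in for compressed replication data
_rng = random.Random(2008)  # deterministic stand-in for ciphertext
RANDOM = bytes(_rng.getrandbits(8) for _ in range(65536))

if __name__ == "__main__":
    for name, blob in (("plaintext", PLAINTEXT), ("compressed", COMPRESSED), ("random", RANDOM)):
        print(f"{name:10s} entropy={shannon_entropy(blob):.2f} "
              f"chi2={chi_square_uniform(blob):.0f} uniform={looks_uniform(blob)}")
```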

More to follow...

