How secure is traffic between domain members?

I was just thinking about security in an AD domain environment. I have a question: how secure is communication between domains by default (without implementing IPSec etc.)? For example, if I download a file from one domain computer to another domain computer using SMB (assume they're both connected via a hub), would anyone with a sniffer in the same subnet be able to capture this file? Is there a list of protocols which are encrypted by default in the communications between AD members?


It's generally not. Traffic between domain members is not encrypted unless the protocol itself is encrypted - like Kerberos traffic, or if you turn on encryption in SMB 3.0 and the endpoints support it - or you have implemented IPSec properly.
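The SMB 3.0 encryption the answer above refers to is a per-share or per-server switch on the file server, and it is worth verifying from the client side that a session really is encrypted rather than only signed. The following PowerShell is an added example, not code from the answer's author; it assumes Windows Server 2012 / Windows 8 or later with the SmbShare module, and the share name "Finance" and host name FS01 are placeholders.

```powershell
# Added example: require SMB 3.x encryption on a Windows file server, then verify
# from a client that a live session is actually encrypted.
# Assumes Windows Server 2012 / Windows 8 or later (SmbShare module). "Finance" and
# "FS01" are placeholder names. Run the server-side commands in an elevated session.

# --- On the file server: per-share encryption (only this share is protected) ---
Set-SmbShare -Name "Finance" -EncryptData $true -Force

# --- Or server-wide: every share on this host requires encryption ---
Set-SmbServerConfiguration -EncryptData $true -Force

# A server that requires encryption refuses SMB 1/2 clients that cannot encrypt.
# Keep RejectUnencryptedAccess at $true; setting it to $false lets old clients fall
# back to cleartext, which is exactly the sniffer scenario in the question.
Set-SmbServerConfiguration -RejectUnencryptedAccess $true -Force

# Confirm the server-side settings took effect.
Get-SmbServerConfiguration | Select-Object EncryptData, RejectUnencryptedAccess

# --- On a client: inspect the dialect and encryption state of open sessions ---
# Dialect must be 3.x for encryption to be possible at all. "Signed" only means
# integrity protection; a sniffer can still read a signed session. Only
# "Encrypted = True" means the file data on the wire is protected.
Get-SmbConnection -ServerName "FS01" |
    Select-Object ServerName, ShareName, Dialect, Signed, Encrypted
```

If a client shows a 2.x dialect it will be rejected once encryption is required, so check `Get-SmbConnection` across the fleet before flipping the server-wide switch.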


The general rule is: Nothing is encrypted unless you know for a fact the mechanism is encrypted.

Authentication traffic in AD environments (Kerberos etc.) is always encrypted as part of its basic functionality.

Data movement (e.g. file copy) is not. Just as data movement on the web is not unless it specifically is (SSL). Just as FTP is not unless it specifically is (SFTP). Just as telnet is not unless it specifically is (SSH).

Ergo, the NSA's job is rather easy... until 2048-bit encryption is the assumed transport (as opposed to the 'implement with effort' transport, like setting up IPsec etc.).


It sounds like you want to implement domain isolation with IPSec if you're that concerned about encrypting internal communication inside of your environment.
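Domain isolation, as suggested above, is a connection security rule that requires IPsec between domain members, authenticated with each computer's Kerberos ticket. The following is an added example built with the Windows NetSecurity cmdlets, not the answer author's code; it assumes Windows 8 / Server 2012 or later, that both endpoints are domain members, and that the rule, set and host names ("Domain isolation", FS01) are placeholders chosen for illustration.

```powershell
# Added example: a minimal IPsec domain-isolation policy using the NetSecurity module
# (Windows 8 / Server 2012 and later). Assumes both endpoints are domain members so
# Kerberos machine authentication works. All display names and "FS01" are
# placeholders. Run elevated; in production deploy through a GPO rather than per host.

# Phase 1 (main mode) authentication: the computer's Kerberos ticket proves domain
# membership, so no certificates are needed inside a domain.
$authProposal = New-NetIPsecAuthProposal -Machine -Kerberos
$authSet = New-NetIPsecPhase1AuthSet -DisplayName "Domain isolation: Kerberos machine auth" `
    -Proposal $authProposal

# Quick-mode crypto set that actually encrypts: ESP with AES-256 and SHA-256 integrity.
# AH, or ESP with -Encryption None, gives integrity only and a sniffer could still read
# the file. The algorithm choice here is an assumption, not something the answer specified.
$qmProposal = New-NetIPsecQuickModeCryptoProposal -Encapsulation ESP `
    -Encryption AES256 -ESPHash SHA256
$qmSet = New-NetIPsecQuickModeCryptoSet -DisplayName "Domain isolation: ESP AES256/SHA256" `
    -Proposal $qmProposal

# Connection security rule: require authentication inbound, request it outbound.
# "Request" outbound keeps these hosts able to talk to non-domain systems during
# rollout; change it to "Require" for hosts that must never fall back to cleartext.
# Add -PolicyStore "domain.example\GPOName" to write the rule into a GPO instead.
New-NetIPsecRule -DisplayName "Domain isolation" `
    -InboundSecurity Require -OutboundSecurity Request `
    -Phase1AuthSet $authSet.Name `
    -QuickModeCryptoSet $qmSet.Name `
    -Profile Domain

# Verify: generate some traffic to a peer, then confirm that security associations
# exist for it. If no quick-mode SA appears for the peer, that traffic was sent in
# cleartext and the rule did not apply (wrong profile, peer not a domain member, etc.).
Test-NetConnection -ComputerName "FS01" -CommonTCPPort SMB | Out-Null
Get-NetIPsecMainModeSA
Get-NetIPsecQuickModeSA
```

Note the failure mode the verification step is there to catch: with outbound security set to Request, a peer that does not answer IPsec negotiation gets plain traffic silently, so the presence of an SA, not the presence of the rule, is what proves the file copy was encrypted.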