IPSec Policies Windows 2003

IPSec Security Policies are rules and filters that provide a specified level of security. You can create your own policies, but Windows provides three built-in ones:

Client (Respond Only). The client will use IPSec if requested but won’t initiate an IPSec session. In other words it will only use IPSec when asked to by the other machine (server).

Server (Request Security). Clients and Servers will communicate using IPSec if the machines support it. However if the machine doesn’t support it communication can take place unencrypted.

Secure Server (Require Security). Clients and Servers must use IPSec. If a machine doesn’t use IPSec then it will not be able to communicate with this computer at all.

To create a new IPSec policy the IPSec Policy Management console is used. Click on Start. Select Run. In the Open dialog box type in “MMC”. Click OK to continue.

The Microsoft Management Console will appear. Click on File. Select Add/Remove Snap-in from the menu. Click on Add to select a new Snap-in. Scroll down the list of Snap-ins to find the IPSec management console. Highlight IP Security Policy Management and click on Add to add the selected Snap-in.

The Snap-in can be used to administer IPSec policies for a local computer or for an entire domain. Click on Finish to administer the local machine. Click on Close to close the Standalone Snap-in box. Click OK to continue.

The IPSec Policies console will appear in the MMC. Select IP Security Policies on Local Machine to view the default policies. The three default policies appear along with a description and whether or not the policy has been assigned. Right-click on the Client (Respond Only) policy to view its properties. Select Properties. An IPSec policy contains one or more rules, and each rule pairs a filter with a filter action.

A filter states which machines IPSec communication applies to, e.g. 10.1.0.1 to 10.1.0.2. The filter action says what should be done with traffic matching the filter, e.g. Require Security. The Default Response Rule makes the computer use IPSec only when the other machine (the server) requests it; it never initiates IPSec itself. Click on Edit to view the properties of the Rule. The Security methods box lists the different security methods that can be used when negotiating security levels for communication. This list is in order of preference. When the Session key Perfect Forward Secrecy box is selected, session keys and keying material will not be re-used, providing a higher level of security.

The Authentication Methods page displays the list of authentication methods to be used for validating computer identities. This list is in descending order of preference. The available methods are Kerberos, Certificate and Pre-shared key.

Select the General Tab to view the General Properties page. The general page displays the name and description for the policy. The Check for policy changes box specifies how often Active Directory will be checked for any changes to this policy. This only works if this policy has been configured for a domain computer. Click on Settings to view Key Exchange settings. From the Key Exchange Settings page, settings for security keys can be configured. If the Master key Perfect Forward Secrecy box is selected then no previously-used keying material or keys are re-used to generate additional keys. The minutes and sessions boxes configure how often the policy requires generation of new keys, either after a certain amount of time (480 minutes by default) or after a certain number of sessions. Select the Methods box to view a list of security methods that will be used to protect the key exchange. The Security methods box shows the different security settings to be used to protect identities during authentication and key exchange. This list is in order of preference with the highest level of security at the top. These settings should normally be left at the default.

The rules differ somewhat for the Secure Server policy. Right-click on Secure Server to view its properties. Select Properties. There are now three rules: All IP Traffic with Require Security, which means all IP traffic must use IPSec; a rule permitting ICMP traffic (ping, etc.); and the default response rule from before. Click on Edit to view the All IP Traffic rule. The IP Filter List page shows which filter this rule will use. Filters can be added here by selecting Add. The filter can also be modified by selecting Edit. A description of the filter is displayed. Different address ranges can be added or edited from here. Click OK to continue. The Filter Action page specifies what action to take on the filter; in this example Require Security is enabled for all IP traffic. Additional rules can be created or edited from here.

The Authentication Methods box specifies how the computers should authenticate with each other. Additional methods can be added using the Add button. The methods are tried in descending order of preference.

The Tunnel Setting box can be used to configure IPSec for tunnel mode. A tunnel is an encrypted path passing through other networks. Tunnelling is normally used with remote access. The tunnel endpoint setting specifies the IP address of the computer at the end of the tunnel closest to the destination.

The Connection Type page displays which types of network connections this Rule is for, e.g. A LAN or a Remote Access connection. Click on OK to close the properties box.

Creating a New IPSec Policy

In this network, a secure connection is required between 10.1.0.2 and 10.1.0.1. All other computers must remain unaffected and they mustn’t be able to intercept traffic between 10.1.0.2 and 10.1.0.1. A filter must be created from 10.1.0.2 to 10.1.0.1, and the require security rule will be applied to it. The policy will need to be applied to both 10.1.0.1 and 10.1.0.2.

To create a new filter, open the IP Security Policies management console and right-click on IP Security Policies. Select Manage IP filter lists and filter actions. The default filter lists are displayed. A filter is required for just two machines: 10.1.0.1 and 10.1.0.2. Click on Add to create a new filter list. Type in a name and description for the new filter list into the relevant boxes. Click on Add to create a new filter within the list. The IP Filter Wizard will appear. Click on Next to continue. Ensure Mirrored is selected so that the filter matches traffic in both directions, and click on Next to continue. The Source address will be this machine. Click on Next to continue. The Destination address will be the server (10.1.0.1). Select the Destination address box to view the available choices. Select A specific IP Address. Type the IP address into the IP Address box. Click Next to continue.

All protocols will be required to use IPSec so the default of Any can be accepted. Click on Next to continue. Click Finish to close the IP Filter Wizard.

The filter has now been created. Click on OK to continue. The new filter list appears in the IP Filter Lists table. Click on Manage Filter Actions to view the different actions available. The three default actions appear. To view the properties of the highlighted filter action click on Edit. This action specifies that all matching traffic is permitted. Click on General to view the general properties. The name and description for the filter action are displayed. Click on OK to close the properties box. Now that the filter has been created, an IPSec policy will need to be created using the filter.

Right-click on IP Security Policies. Select Create IP Security Policy. The IP Security Policy Wizard will appear. Click on Next to continue. Type in a name and description for the new policy into the relevant boxes. Click Next to continue. In this case we don’t want to use the default response rule. Deselect the Activate the default response rule box. Click Next to continue. Click on Finish to close the IP Security Policy Wizard and open up the properties page.

Click on Add to add a new rule to the policy. The Security Rule Wizard will appear. Click on Next to continue. The Tunnel Endpoint page will appear. Click on Next to accept the default. This rule will be used to filter all traffic between 10.1.0.1 and 10.1.0.2. Click on Next to continue.

Select the IP filter list created earlier (named AccountsComp in this lesson). Click Next to continue. A list of Filter Actions will appear. Select the Require Security option to enable IPSec on the selected filter. Click Next to continue. The Authentication Method page will appear. Select the default “Kerberos V5” and click Next. N.B. Kerberos V5 will only work in a domain environment. Click Finish to close the Security Rule Wizard.

The new Rule appears in the policy’s properties page. Click on OK to continue. The new policy is displayed in the Management console. Right-click on the Policy to assign it. Select Assign. The policy has now been assigned. To view a list of options available for IPSec policies right-click on IP Security Policies and select All Tasks. From here policies can be exported to a file and imported on another machine. Selecting Restore Default Policies will delete any new policies and restore the original three built-in ones.
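The same filter list, filter action, policy and rule that the wizards build above, expressed as netsh ipsec static commands so the configuration can be reproduced and checked on both hosts. This is an added example, not part of the original lesson; the policy, filter list, action and rule names are chosen here, while the addresses, the deactivated default response rule, Kerberos V5 authentication and the 480-minute master key lifetime are the lesson's.

```powershell
# Added example: build the lesson's IPSec policy with netsh ipsec static (Windows Server 2003).
# Names below are chosen for this example. Run in an administrator prompt on BOTH
# 10.1.0.1 and 10.1.0.2; explicit addresses (rather than srcaddr=me) keep the script
# identical on both hosts, and the mirrored filter covers the reverse direction.
$list   = "AccountsComp"      # IP filter list
$action = "RequireSecurity"   # filter action: negotiate IPSec, no fallback to clear
$policy = "AccountsPolicy"
$rule   = "AccountsRule"

# Work against the local policy store, not the Active Directory store.
netsh ipsec static set store location=local

# 1. Filter list with one mirrored filter: 10.1.0.2 <-> 10.1.0.1, any protocol.
netsh ipsec static add filterlist name="$list"
netsh ipsec static add filter filterlist="$list" srcaddr=10.1.0.2 dstaddr=10.1.0.1 protocol=ANY mirrored=yes

# 2. Filter action. inpass=no refuses unsecured inbound traffic and soft=no refuses to
#    fall back to clear text if negotiation fails, which is what Require Security means.
#    qmpfs=yes is the Session key Perfect Forward Secrecy box from the rule properties.
netsh ipsec static add filteraction name="$action" action=negotiate inpass=no soft=no qmpfs=yes

# 3. Policy with the default response rule deactivated, as in the wizard.
#    mmlifetime=480 is the 480-minute master key lifetime on the Key Exchange page.
netsh ipsec static add policy name="$policy" activatedefaultrule=no mmlifetime=480 assign=no

# 4. Rule tying the filter list to the action; Kerberos V5 works for domain members only.
netsh ipsec static add rule name="$rule" policy="$policy" filterlist="$list" filteraction="$action" kerberos=yes conntype=all

# 5. Assign the policy. Only one policy can be assigned on a machine at a time.
netsh ipsec static set policy name="$policy" assign=yes

# Verify: the policy should list assign=yes, the rule and the 10.1.0.2<->10.1.0.1 filter ...
netsh ipsec static show policy name="$policy" level=verbose
# ... and once traffic between the two hosts has flowed, main mode SAs with the peer exist.
netsh ipsec dynamic show mmsas
```

Other computers are unaffected because no filter matches their traffic; the `show mmsas` output confirms that traffic between the two hosts is actually being negotiated rather than passing in the clear.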