IPSec and Client Restriction

Zane
I have a Windows 2000 AD with Win2KPro and XP clients - I would like to make
sure that all clients are using IPSec communications, using GPO, to ensure
that any workstation that does not communicate in this manner will not be
able to access network / domain resources - so basically, any machines that
are not part of the domain (joined to the domain) will not be able to use ANY
network resource.

Question:

How do I set this up in GPO for the Domain - or what exact settings do I
need to enable?


I see IP Security Policies on Active Directory and under that...
- Server (Request Security)
- Client (Respond Only)
- Secure Server (Require Security)


A high level explanation of the process would be great - thx. There are the
docs, but I get lost in the lingua of MS docs - just get to the point...

Thanks again!
 
To explain how to set it up is a really long explanation. Matter of fact, in
one of the courses that teaches Win2k and AD material, 2153, there is a
whole module (chapter) devoted to just this with a 45 minute lab. So the
best I can say is try this article below, it has step by steps with
pictures, and see if that helps:

Step-by-Step Guide to Internet Protocol Security (IPSec):
http://www.microsoft.com/windows2000/techinfo/planning/security/ipsecsteps.asp

This is a good one too, but no graphics:
How to Configure IPSec Tunneling in Windows 2000 (Q252735):
http://support.microsoft.com/?id=252735

--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS-IS" with no warranties and confers no
rights.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory

HAM AND EGGS: A day's work for a chicken; A lifetime commitment for a
pig. --
=================================
 
Thanks Ace, with what I am trying to accomplish with IPSec for domain
policy - is this a doable solution or workable solution?

With what I have in mind with IPSec as the technology and the issue I am
trying to resolve, is this a possible method?



Thx.
 
To be sure what you want to achieve - you want to limit access to domain
resources only to workstations which have the correct IPSec policy applied -
I don't think it will work for you in that way.

The solution for you is Network Access Quarantine, which comes with Windows
2003 and will be slightly improved in the next releases (I don't
remember if it is improved by SP1 for Windows 2003).
Here you will find an overview of this mechanism:
http://www.microsoft.com/windowsserver2003/techinfo/overview/quarantine.mspx

The other solution is deploying the 802.1x protocol on your network, but it will
need network equipment which supports this technology.
and .... returning to the IPSec :)

Read through the chapters 6 and 7 in this document:
http://www.microsoft.com/technet/Security/prodtech/win2000/secwin2k/relnotes.mspx

Check also these documents:

http://www.securityfocus.com/infocus/1519
http://www.securityfocus.com/infocus/1526
http://www.securityfocus.com/infocus/1528


http://support.microsoft.com/defaul...port/kb/articles/Q254/9/49.ASP&NoWebContent=1
http://support.microsoft.com/defaul...port/kb/articles/Q248/6/94.ASP&NoWebContent=1

http://www.microsoft.com/resources/...tandard/proddocs/en-us/sag_IPSecpolassign.asp
 

There are three or four key points to understand and after
that you can use the links Ace gave you to (long and detailed)
articles.

1) Those "profiles" above are just the defaults;
you can make your own custom profiles

2) IPSec requires MACHINES to authenticate each other; there
are three methods, but in a DOMAIN the usual is by the domain
accounts and this is called "Kerberos" authentication -- it's the
default in those default profiles too.

3) Those default profiles were (originally) misnamed and the more
USEFUL name is in the parentheses.
At least one of the two machines must be set to "Server" or
"Secure server" to have a REQUEST for IPSec initiated;
The other must be set to SOME IPSec policy to respond to
that request.
A "no setting" machine cannot respond and therefore cannot
do IPSec, and won't communicate at all with "secure
server" machines.
4) Custom profiles are based on the same GENERAL concepts as
traffic filtering in 'Sniffers'/netmonitors, firewalls, etc.

Each profile has filters and rules so that if one machine "matches"
another by IP-type, port, range of IPs etc (multiple criteria
allowed)
then the rule will cause one of the actions like "negotiate IPSec"
(or pass or block the packet.)

5) The IPSec "wizard" is probably the world's most confusing wizard since
you are Creating a Policy-->which runs the wizard (in a loop) for
creating "rules"--> each of which runs the wizard (in a loop) for
creating "filters"-->each of which can choose an "action", and if
the action is IPSec then it has a bunch of properties, like
"authentication type" etc.

(Most people who do a LOT of IPSec use the command line.)
 
Could you perhaps give us some examples of setting up Group Policies using
the command line? Thanks
 
The command line is for setting up "IPSec Policies" rather than
GPO.

You could probably do the latter but the tools for IPSec already
exist: IPSecPol.exe, IPSecCmd.exe, and in Win2003 "NetSh.exe".
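The policy --> rule --> filter list / filter --> filter action hierarchy that Herb describes, built with the netsh tool he names, as an added example that is not part of the thread and is not any poster's code. It uses the `netsh ipsec static` context of Windows XP SP2 / Windows Server 2003 (IPSecPol.exe and IPSecCmd.exe on Windows 2000 take different switches). The policy, filter list and action names are placeholders chosen here; the script works against the local store so it can be tested on one lab machine before anything touches the domain.

```batch
@echo off
rem Added example (not from the thread): build a "Require Security" style
rem IPSec policy with netsh, one object per level of the hierarchy.
rem Names below are placeholders. Run in cmd.exe as an administrator on a
rem TEST machine first: once assigned, the policy refuses clear-text traffic.

set POLICY=Require IPsec (Kerberos)
set FLIST=All IP Traffic
set FACTION=Require Security - Kerberos

rem Local store first. To publish into Active Directory instead, use
rem   netsh ipsec static set store location=domain domain=example.local
rem (example.local is a placeholder) and then assign the policy from the GPO
rem editor under IP Security Policies on Active Directory.
netsh ipsec static set store location=local

rem 1) Policy: the container that gets assigned (only one is active per machine).
netsh ipsec static add policy name="%POLICY%" description="Require IPsec for all IP traffic, Kerberos machine auth" assign=no

rem 2) Filter list + filter: the match criteria (addresses, protocol, ports).
rem    mirrored=yes makes the same filter match the reply direction.
netsh ipsec static add filterlist name="%FLIST%" description="Any IP traffic to or from this host"
netsh ipsec static add filter filterlist="%FLIST%" srcaddr=me dstaddr=any protocol=any mirrored=yes description="All IP"

rem 3) Filter action: what happens on a match (permit, block or negotiate).
rem    inpass=no rejects unsecured inbound packets; soft=no disables the
rem    fall-back to clear text when the peer never answers IKE. Together they
rem    are what the "Secure Server (Require Security)" default means.
netsh ipsec static add filteraction name="%FACTION%" action=negotiate inpass=no soft=no description="Negotiate, no clear-text fallback"

rem 4) Rule: ties filter list + action + authentication method into the policy.
rem    kerberos=yes is the domain-account (machine) authentication Herb mentions.
netsh ipsec static add rule name="Secure all IP" policy="%POLICY%" filterlist="%FLIST%" filteraction="%FACTION%" kerberos=yes description="Kerberos machine authentication"

rem 5) Review, then assign. Assigning replaces the currently assigned local policy.
netsh ipsec static show policy name="%POLICY%" level=verbose
netsh ipsec static set policy name="%POLICY%" assign=yes
```

Two checks before pushing a policy like this through a domain GPO: a "no setting" machine (one that was offline when the GPO applied, or a non-domain machine) is cut off completely, which is the intended effect in this thread but also applies to members that simply have not refreshed policy yet; and IKE itself must be able to run, which is why Windows 2000 exempts IKE and Kerberos traffic from IPSec by default (Windows Server 2003 exempts only IKE), so the Kerberos authentication inside IKE can succeed against the domain controllers.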
 
