Deploying and Managing IPSec Policies
Using Group Policy, IPSec policies can be set on a single computer, an entire domain, an entire site, or any AD organizational unit (OU). You can create, modify, and deploy IPSec policies using the IP Security Policy Management Console, as shown in Figure 3.13.
Figure 3.13 You can create, modify, and deploy IPSec policies using the IP Security Policy Management console.
You should be familiar with the following aspects of deploying and managing IPSec policies:
Deploying IPSec using Local Policy objects
Deploying IPSec using Group Policy objects (GPOs)
Deploying IPSec using commands and scripts
Deploying IPSec certificates
Deploying IPSec Using Local Policy Objects
You can configure the properties of IPSec and create rules using the Local Security Policy Microsoft Management Console (MMC), as shown in Figure 3.14, on Windows 2000 Professional and all later clients and on member servers. The Local Security policy is located in Administrative Tools. Any policy defined in a Group Policy will override any policy that is deployed only to the local computer. In other words, if the computer is part of an AD, the IPSec policies defined in Group Policy that apply to its container will override its local policy.
Figure 3.14 You can configure IPSec in the Local Security policy of a client or member server.
Deploying IPSec Using Group Policy Objects
IPSec polices are one of the security settings in each GPO. You can use Group Policy to configure IPSec for an entire domain, an entire site, or selected OUs. Group Policies are processed in the order of local, site, domain, OU, and finally child OU, and any IPSec policies that conflict will be overridden by the next level of processing. In other words, the IPSec policies that will ultimately apply will be only those that are applied to the container in which the object actually resides as well as any policies that did not conflict in the entire processing order. Figure 3.15 shows IPSec settings in a GPO.
Figure 3.15 You can configure IPSec within GPOs.
Deploying IPSec Using Commands and Scripts
If all of the computers on which you are running IPSec are part of the Windows Server 2003 family, you can deploy IPSec using the netsh ipsec command. This method of deployment can be useful when you want to script the IPSec configuration and run the same script on multiple servers. It also provides some advanced fine-tuning for management and security that is not available in the GUI mode.
You can choose from two major types of commands. You make your choice based on whether you are creating a new policy that be immediately effective or creating a policy that will be applied later. The two major types of netsh ipsec commands are as follows:
Netsh ipsec static
Netsh ipsec dynamic
Netsh ipsec static
You can use netsh ipsec static commands to create, modify, and assign IPSec policies without immediately affecting the active IPSec policies. This is very much like creating a new policy and new rules within the GUI and not immediately assigning the policy. To view the netsh ipsec static commands, type netsh ipsec static /? at a command prompt.
Netsh ipsec dynamic
You can use netsh ipsec dynamic commands to display the active state of IPSec and to immediately affect the configuration of the active IPSec policy. You use dynamic commands to directly configure the security policy database (SPD). To view the available netsh ipsec dynamic commands, type netsh ipsec dynamic /? at a command prompt.
Most dynamic commands take effect immediately, but some require you to restart the IPSec Policy Agent or restart the computer.
Deploying IPSec Certificates
As mentioned previously, IPSec can use one or more of three authentication methods. These include Kerberos V5, preshared keys, and certificates. You can only use Kerberos if all of the computers to be authenticated are part of your AD. You should only use preshared keys if absolutely necessary. This means that certificates should be used the balance of the time.
To be more specific, you should use certificates whenever communications include Internet access, remote access, external business partners, or computers in your network that cannot use the Kerberos V5 protocol. The use of certificates will require at least one certification authority (CA). This authority can be set up in your own hierarchy or can be a commercial CA. You can use the certification authority and Group Policy provided by Windows Server 2003 to automatically enroll certificates for computers on your network, and computers outside of your network require a third-party CA (such as VeriSign) and manual account mapping for the certificates used. Account mapping maps the computer certificate to a particular computer account, which can be within your organization or another organization.
Microsoft clients and servers prior to Windows 2000 do not use the Kerberos protocol.