Book Excerpt:

Use IPSec to manage connections

17 Mar 2005 | McGraw-Hill/Osborne


Get a glimpse inside Roberta Bragg's book "Hardening Windows Systems" with this series of book excerpts. Below is the introductory excerpt from Chapter 11, "Harden Communications."



Use IPSec to Manage Connections

In the preceding example, a policy was created that requires all communications between computer A and computer B to be encrypted. It is also a policy that manages connections: although communications with other computers are unaffected, the policy does restrict communications between computer A and computer B.

IPSec policies can do more than control whether or not two computers must encrypt information sent between them. Policies can manage connections in other ways:

  • Block all communications from a specific IP address, or range of IP addresses.

  • Block all communications over a specific protocol/port.

  • Permit communications from a specific IP address or a range of IP addresses.

  • Permit communications over a specific protocol/port.

  • Negotiate communication in terms of these items as well as in terms of the ability of a computer to use specified encryption, authentication, and integrity choices.

To use IPSec policies for these features, create a policy using the preceding steps but use the following adjustments.

When adding filters (see step 7), instead of using the IP address information described, use the destination and source IP address information required. In Windows Server 2003, in addition to naming a specific IP address or a specific IP subnet, you may select DNS, DHCP, WINS, or default gateway information. (The IP addresses of those servers are taken from the computer's own TCP/IP configuration.) Choices in Windows 2000 are more limited.

When adding filters, after managing IP address information, select the Protocol tab on the IP Filter Properties page. Use the Select a Protocol Type drop-down box to select a protocol. Use the Set the IP Protocol Port buttons and text box to set specific ports. Figure 11-1 shows the configuration to filter on the Telnet protocol.

  • Make as many filters as you want, but remember that only one filter action can be selected per rule. If you need to write a policy that blocks all telnet communications to a server but allows an encrypted telnet session from a specific computer, you will need two rules.

  • Use the Filter Action page to select the filter action for the rule, or to add a filter action. The Permit filter action is present, for example, but the Block filter action is not.

Use IPSec to Prevent Connections from Rogue Computers

If an IPSec policy requires certificate authentication, and certificate distribution is controlled, then rogue computers can be prevented from connecting to network resources. This type of policy does not specify encryption or integrity. Instead, it simply requires that each computer authenticate using a certificate. If you implement a Windows Enterprise Certification Authority and configure automatic certificate enrollment for computers, all computers joined in the domain will have the certificate. Rogue computers, those computers brought from home by employees or brought along by contractors, vendors, and visitors, will not be able to authenticate to protected resource computers on your network.

Figure 11-1. Use the IP Filter property pages to identify specific protocols.

To protect computers, create a domain IPSec policy that requires certificates for authentication but does not require anything else.

1. Right-click the IP Security Policies on Local Computer container and select Create an IP Security Policy.
2. Click Next on the Welcome page.
3. Enter a name for the policy and click Next.
4. Uncheck Activate the Default Response Rule.
5. Click Next; then click Finish.
6. Click Add to add a filter, and then select the Protocol page. Select All IP Traffic. Examine this filter list by clicking the Edit button. Note that it matches all traffic with the exception of broadcast, multicast, Kerberos, RSVP, and ISAKMP. You can write a more specific rule to block all traffic if you wish. Click Close to close the page.
7. On the New Rule Properties, select Authentication Methods.
8. Click Add.
9. On the Authentication Method page, select Use a Certificate from This Certification Authority (CA).
10. Use the Browse button to select a copy of the CA certificate. (The Browse button defaults to the Enterprise Trust certificate store of the local computer; you must make sure that a copy of the appropriate CA certificate is in the store of each computer.) Click OK.
11. Select the Filter Action page.
12. Click Add to add a new filter action.
13. Select Negotiate Security.
14. Click Add to create a Security Method.
15. Select Custom, and then select Settings.
16. Click to deselect Data Integrity and Encryption (ESP) and select Data and Address Integrity Without Encryption (AH) as shown in the following illustration. Then click OK.

17. Select the General page and enter a name, Authentication for the new Filter action. Then click OK.
18. Select Authentication and click Close; then click OK to close the policy.
19. Assign the policy to all domain computers after testing.
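The same certificate-only, AH-only policy built in the 19 steps above, expressed as netsh ipsec static commands against the domain store. This is an added example, not the book's own text or commands; the domain name, the CA distinguished name, and the object names are placeholders.

```batch
@echo off
rem Added example (not from the book): the GUI procedure above as netsh commands.
rem Placeholders: example.local (domain), the CA distinguished name in rootca=,
rem and the policy/filter list names. Run from an elevated command prompt.

rem Work in the Active Directory policy store of the domain.
netsh ipsec static set store location=domain domain=example.local

rem Steps 1-5: new policy, default response rule left inactive.
netsh ipsec static add policy name="Require certificate" description="Certificate authentication, AH only" activatedefaultrule=no

rem Step 6: a filter list equivalent to the built-in All IP Traffic list.
rem srcaddr=me / dstaddr=any with mirrored=yes matches both directions.
rem (Broadcast, multicast, Kerberos, RSVP and ISAKMP stay exempt by default.)
netsh ipsec static add filterlist name="All traffic"
netsh ipsec static add filter filterlist="All traffic" srcaddr=me dstaddr=any protocol=any mirrored=yes

rem Steps 11-17: a Negotiate Security action whose only security method is
rem AH (address and data integrity, no encryption), as in step 16.
netsh ipsec static add filteraction name="Authentication" action=negotiate qmsecmethods=AH[SHA1]:100000k/3600s

rem Steps 7-10 and 18: the rule ties list, action and authentication method
rem together. kerberos=no leaves the CA certificate as the only method;
rem the CA's certificate must be present in each computer's store.
netsh ipsec static add rule name="Certificate rule" policy="Require certificate" filterlist="All traffic" filteraction="Authentication" kerberos=no rootca="CN=Example Enterprise CA,DC=example,DC=local certmap:no excludecaname:no"

rem Step 19: review first; assign only after testing on a pilot group.
netsh ipsec static show policy name="Require certificate"
rem netsh ipsec static set policy name="Require certificate" assign=yes
```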

Protect IPSec-Protected Computers During Startup

When IPSec is used to protect communications, there is a brief period of time during computer startup when network connections are possible and yet IPSec is not enforced. This is the point after which the TCP/IP driver and the IPSec driver have started, but the IPSec Policy Agent service has not yet started and applied the local- or domain-configured IPSec policy. To protect computers during this critical time, you can set the computer startup mode to block and set a persistent IPSec policy. Persistent policies are in effect whether or not IPSec policies managed by the IPSec Policy Agent are applied.

Set Computer Startup State

To set the computer startup state to block, use the following netsh command:

netsh ipsec dynamic set config bootexemptions value=tcp:0:3389:inbound

In some cases, you may want to be able to manage the computer (for recovery, for example) by using Remote Desktop for Administration. The bootexemptions value in the command above (tcp:0:3389:inbound) provides this capability by exempting inbound Remote Desktop traffic from the startup block. You must then create a persistent policy that will negotiate the connection between the computer and the administration station.

Set Persistent Policy

To set a persistent policy, you must use the netsh command. It is not possible to do so using the GUI. A persistent policy is in effect as soon as the IPSec driver starts. You can use such a policy to block all communications, then, in your IPSec policy, allow the communications required for the specific computer. Creating a persistent policy consists of two steps. First, create an IPSec policy using netsh and assign it. Next, set the policy to be persistent.

A full discussion and tutorial on using netsh to create IPSec policies is beyond the scope of this book. Commands for assigning and making the policy persistent follow.


NOTE Information on using the netsh ipsec command can be found in "Netsh Commands for Internet Protocol Security" at www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/netsh_ipsec.asp.

To assign a policy named blockall:

netsh ipsec static set policy name=blockall assign=yes

Make the policy persistent:

netsh ipsec static set store location=persistent
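The startup protection described in this section carried through end to end: the block startup mode, the Remote Desktop boot exemption, and a persistent blockall policy that still lets one administration station reach the server. This is an added example, not the book's commands; 192.0.2.10 (the administration station) and the object names are placeholders, and the admin connection is permitted outright rather than negotiated, which the book suggests, to keep the script short.

```batch
@echo off
rem Added example (not from the book): startup protection for one server.
rem Placeholder: 192.0.2.10 is the administration station.

rem 1. Block all traffic while the IPSec driver starts, except inbound
rem    Remote Desktop (TCP 3389) so the server stays reachable for recovery.
netsh ipsec dynamic set config property=bootmode value=block
netsh ipsec dynamic set config property=bootexemptions value=tcp:0:3389:inbound

rem 2. Point netsh at the persistent store first: objects created there are
rem    applied as soon as the IPSec driver loads, before the Policy Agent runs.
netsh ipsec static set store location=persistent

netsh ipsec static add policy name=blockall description="Persistent: block all but admin RDP" activatedefaultrule=no

rem Catch-all block rule (mirrored=yes covers both directions).
netsh ipsec static add filterlist name=alltraffic
netsh ipsec static add filter filterlist=alltraffic srcaddr=me dstaddr=any protocol=any mirrored=yes
netsh ipsec static add filteraction name=block action=block
netsh ipsec static add rule name="block everything" policy=blockall filterlist=alltraffic filteraction=block

rem More specific filters take precedence over general ones, so this rule
rem permits RDP from the admin station while everything else stays blocked.
netsh ipsec static add filterlist name=adminrdp
netsh ipsec static add filter filterlist=adminrdp srcaddr=192.0.2.10 dstaddr=me protocol=tcp srcport=0 dstport=3389 mirrored=yes
netsh ipsec static add filteraction name=permit action=permit
netsh ipsec static add rule name="admin rdp" policy=blockall filterlist=adminrdp filteraction=permit

rem 3. Assign the policy, then confirm the policy and startup settings.
netsh ipsec static set policy name=blockall assign=yes
netsh ipsec static show policy name=blockall
netsh ipsec dynamic show config
```

Test from the administration station and from a second host before relying on it: the second host should be unable to reach the server at all, both during startup and once the Policy Agent has started.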
