Configuring IPSec Policies Through GPO


As written in previous articles (see related articles at bottom of page), Windows 2000/XP/2003

machines have a built-in IP security mechanism called IPSec (IP Security). IPSec is a protocol
that’s designed to protect individual TCP/IP packets traveling across your network by using
public key encryption. Besides encryption, IPSec will also let you protect and configure your
server/workstation with a firewall-like mechanism.
When working on one single computer you can easily set up and assign IPSec Policies either
from the Command Prompt by using the NETSH command, or from an MMC console that's
loaded with the IP Security snap-in.
However when working with more than one computer, one might need a better way than going
through each computer and re-configuring the IPSec Policy. We need a method in which we can
use the same IPSec Policy on multiple computers, or at least have the same policy set up on a
number of computers.
One method of configuring many computers to use the same IPSec Policy is to perform
Exporting and Importing IPSec Policies. However in this article we will use the second method -
use of Active Directory Group Policy Objects (or GPOs).
Important: Several features in the Windows Server 2003 family implementation of IPSec are
not provided in Windows 2000 or in Windows XP. To ensure that the same IPSec policy
functions as expected on computers running the Windows Server 2003 family and on computers
running Windows 2000 or Windows XP, test the policy thoroughly on all relevant operating
systems before deployment. If you plan to apply IPSec policies that use the new features that are
available only in the Windows Server 2003 family implementation of IPSec, do not use the
Windows 2000 or the Windows XP version of the IP Security Policy Management console to
manage these policies. The settings in the earlier versions of the IP Security Policy Management
console will override the settings in the Windows Server 2003 family IPSec policy, and the new
features will not be functional.
Let's say you want to block PING traffic for a set of computers. In order for this tip to work, you
need the following to be true:
• An existing Active Directory infrastructure (working with no errors, duh...).
• All computers that need to be configured must be running Windows 2000 or higher.
• An OU where the computer accounts should be placed. If no OU is applicable for your
situation, you'll need to configure the GPO on the Domain level, and thus affect all the
members in the domain. That's why I suggest creating an OU and placing the computer
accounts in it.
Next we need to configure IPSec Policies inside the GPO. We can do so by editing the GPO, and
manually configuring the IPSec Policy, just like you did in Block Ping Traffic with IPSec. The
only difference is that here you're editing the IPSec policies as a part of a larger GPO, not just for
the local computer.
If all the above exists we can now begin to configure the GPO.
1. Open Active Directory Users & Computers. Right-click the domain (or an OU if you
want to only configure a specific set of computers). Choose Properties.
2. In the Properties window click the Group Policy tab. Click New to configure a new GPO
(if you don't have one set for that OU already). Give it a descriptive name, such as Secure
Services.
Note: If you're configuring a Windows Server 2003 DC computer that has GPMC installed (read
Download GPMC), you can shorten this action by simply opening the Group Policy
Management snap-in from the Administrative Tools and selecting your desired GPO.
3. Click Edit to edit the GPO.
4. Navigate to Computer Settings > Windows Settings > Security Settings > IP Security
Policies on Active Directory. You can now manually configure the IPSec Policy. See
Block Ping Traffic with IPSec for examples. Or, if the policy is already configured
elsewhere, import it as an .IPSEC file.
5. After the new IPSec Policy is in place, right-click it and select Assign.
6. In order for the changes to take place, either reboot the client computers or refresh their
computer policy. On Windows 2000, run the following command:
secedit /refreshpolicy machine_policy /enforce
In Windows XP and Windows Server 2003 you should type
gpupdate /force
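The same "block PING" policy can be built from the command line with NETSH (the tool the article mentions for single computers) and written straight into the Active Directory IPSec store, so it shows up under IP Security Policies on Active Directory for the GPO editor's Assign step. This is an added example, not code from the original article; the domain name contoso.local, the policy, filter list and action names, and the export path are assumptions. It requires the netsh ipsec context of Windows XP/Server 2003.

```batch
@echo off
rem Added example (not from the original article): create the "Block Ping"
rem IPSec policy with NETSH in the Active Directory store instead of the MMC.
rem Assumed placeholders: domain contoso.local, policy/filter/action names,
rem export path. netsh ipsec exists on Windows XP/Server 2003, not Windows 2000.

rem 1. Point netsh at the domain IPSec store (the default is the local store).
netsh ipsec static set store location=domain domain=contoso.local

rem 2. Create the policy container. Nothing is enforced until it is assigned.
netsh ipsec static add policy name="Block Ping" description="Drop ICMP to and from this computer"

rem 3. Filter list: ICMP between any address and this computer. mirrored=yes
rem    makes one filter match both directions of the exchange.
netsh ipsec static add filterlist name="ICMP Traffic"
netsh ipsec static add filter filterlist="ICMP Traffic" srcaddr=any dstaddr=me protocol=ICMP mirrored=yes description="All ICMP to/from me"

rem 4. Filter action: hard block, no security negotiation, no fallback to clear.
netsh ipsec static add filteraction name="Block Action" action=block

rem 5. Rule binding the filter list and the action into the policy.
netsh ipsec static add rule name="Block ICMP" policy="Block Ping" filterlist="ICMP Traffic" filteraction="Block Action"

rem 6. Optional: export the store as an .ipsec file, the import path the article
rem    mentions for reusing a policy in another GPO or forest.
netsh ipsec static exportpolicy file=C:\BlockPing.ipsec

rem 7. Assign the policy in the GPO (right-click > Assign, step 5 above). Then,
rem    on a client, refresh policy and confirm which policy the GPO delivered
rem    and what it contains, before trusting a failed ping as proof.
gpupdate /force
netsh ipsec static show gpoassignedpolicy
netsh ipsec static show policy name="Block Ping" level=verbose
```

The last two commands are the check to run on a test client: if gpoassignedpolicy shows nothing or a different policy name, the problem is GPO scope or inheritance (see the assignment rules below), not the filter itself.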
When assigning an IPSec policy in Active Directory, consider the following:
• The list of all IPSec policies is available to assign at any level in the Active Directory
hierarchy. However, only a single IPSec policy can be assigned at a specific level in
Active Directory.
• An IPSec policy that is assigned to an organizational unit in Active Directory takes
precedence over a domain-level policy for members of that organizational unit.
• An IPSec policy that is assigned to the lowest-level OU in the domain hierarchy overrides
an IPSec policy that is assigned to a higher-level OU, for member computers of that OU.
• An OU inherits the policy of its parent OU unless either policy inheritance is explicitly
blocked or policy is explicitly assigned.
• IPSec policies from different organizational units are never merged.
• The highest possible level of the Active Directory hierarchy should be used to assign
policies to reduce the amount of configuration and administration required.
• An IPSec policy might remain active even after the Group Policy object to which it is
assigned has been deleted. Because of this, you should unassign the IPSec policy before
you delete the policy object. To prevent problems, use the following procedure:
1. Unassign the IPSec policy in the Group Policy object.
2. Wait 24 hours to ensure that the change is propagated.
3. Delete the Group Policy object.
If you delete the Group Policy object without following this procedure, computers in the Active
Directory container to which the IPSec policy is assigned treat the IPSec policy as if it cannot be
located and continue to use a cached copy.
• Before assigning an IPSec policy to a Group Policy object, verify the Group Policy
settings that are required for the IPSec policy. For example, if an IPSec policy requires
certificate authentication, assign the Group Policy settings that allow computers to enroll
for certificates (usually one or two days before you assign the IPSec policy that requires
use of the computer certificate). In addition, you should test the certificate enrollment
process and resolve any errors before assigning the IPSec policy.
