Objective 3.3: Deploy and Manage IPSec Policies


IPSec policies can be deployed in two ways. The first way is to use Group Policy objects (GPOs) or local policy objects that contain the IPSec policy. Group Policy objects can be applied at the site, domain, and organizational unit levels with the usual rules of inheritance. Local Group Policy only applies to a specific computer and is overridden by any Group Policy object applied at a higher level.

The second way that IPSec policies can be deployed is by means of scripting by using the netsh command. The netsh command can be used to automatically generate complex IPSec policies. This technique is useful to administrators of standalone Windows Server 2003–based computers who cannot deploy IPSec policy by means of GPOs. The IPSec context of the netsh command can be entered by performing the following steps:

  • Run a command prompt.

  • Enter the netsh command.

  • Enter the IPSec context by entering ipsec.

IPSec policies can be managed by using the netsh command in the IPSec context or the IPSec Monitor snap-in for the Microsoft Management Console. Both tools provide information such as how traffic is being authenticated and which hosts have security associations. Both tools also display which IPSec policy is currently in effect. It is important to remember that only one IPSec policy can be applied at a time and that policies are not cumulative. When multiple policies are deployed by means of Active Directory, only the policy applied last will have influence over a computer.
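The scripted deployment and the netsh-based management described above can be combined in one batch file for a standalone server. This is an added example, not taken from the training kit; the policy, filter list, filter action and rule names, and the choice of blocking inbound Telnet (TCP 23), are assumptions made for illustration.

```batch
@echo off
rem Added example: scripted IPSec policy for a standalone Windows Server 2003 computer.
rem All object names below are constructed for illustration.

rem 1. Create the policy, leaving it unassigned until its rules are complete.
netsh ipsec static add policy name="Standalone-Policy" description="Block inbound Telnet" assign=no

rem 2. Create a filter list and a filter that matches traffic from any
rem    address to this computer on TCP destination port 23.
netsh ipsec static add filterlist name="Telnet-In"
netsh ipsec static add filter filterlist="Telnet-In" srcaddr=any dstaddr=me protocol=TCP srcport=0 dstport=23 mirrored=yes description="Inbound Telnet"

rem 3. Create the filter action applied to matching traffic.
netsh ipsec static add filteraction name="Block" action=block

rem 4. Tie the filter list and the filter action together in a rule.
netsh ipsec static add rule name="Block-Telnet" policy="Standalone-Policy" filterlist="Telnet-In" filteraction="Block"

rem 5. Assign the policy. Only one policy can be assigned at a time,
rem    so this takes the place of any previously assigned local policy.
netsh ipsec static set policy name="Standalone-Policy" assign=y

rem 6. Management: confirm the policy is assigned and review its rules,
rem    then list main mode and quick mode security associations.
rem    A block-only policy negotiates none; rules that use action=negotiate do.
netsh ipsec static show policy name="Standalone-Policy" level=verbose
netsh ipsec dynamic show mmsas all
netsh ipsec dynamic show qmsas all
```

The same commands can be typed interactively without the `netsh ipsec` prefix after entering the IPSec context with the three steps listed above.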



MCSA/MCSE Self-Paced Training Kit (Exam 70-299): Implementing and Administering Security in a Microsoft® Windows Server(TM) 2003 Network (Pro-Certification)
ISBN: 073562061X
EAN: 2147483647
Year: 2004
Pages: 217
