Configuring Simple IPSec Between Servers in a Windows Server 2003 Domain


IPSec is built into Windows Server 2003 machines and is also available for clients. In fact, basic IPSec functionality can easily be set up in an environment that is running Windows Server 2003's Active Directory because IPSec can utilize the Kerberos authentication functionality in lieu of certificates. Subsequently, it is a fairly straightforward process to install and configure IPSec between servers and workstations, and should be considered as a way to further implement additional security in an environment.

The procedure outlined in the following sections illustrates the setup of a simple IPSec policy between a Web server and a client on a network. In this example, the Web server is SERVER7 and the client is CLIENT2.

Viewing the IPSec Security Monitor

To view the current status of any IPSec policies, including the ones that will be created in this procedure, the IPSec Security Monitor MMC snap-in on SERVER7 must be opened. The MMC snap-in can be installed and configured by following these steps:

1.

Choose Start, Run and type mmc into the Run dialog box. Click OK when complete.

2.

In MMC, choose File, Add/Remove Snap-in.

3.

Click the Add button to install the snap-in.

4.

Scroll down and select IP Security Monitor; then click the Add button followed by the Close button.

5.

The IP Security Monitor MMC snap-in should now be visible, as illustrated in Figure 13.7. Click OK.

Figure 13.7. Adding the IP Security Monitor MMC snap-in.


6.

In MMC, expand to Console Root\IP Security Monitor\SERVER7.

7.

Right-click on SERVER7 and choose Properties.

8.

Change the auto refresh setting from 45 seconds to 5 seconds or less. Click OK when finished. You can then use the MMC IP Security Monitor console to view IPSec data.

Establishing an IPSec Policy on the Server

Default IPSec policies are enabled on Windows Server 2003 and newer clients. To access these settings, follow this procedure on SERVER7:

1.

Choose Start, All Programs, Administrative Tools, Local Security Policy.

2.

Navigate to Security Settings\IP Security Policies on Local Computer.

3.

In the details pane, right-click Server (Request Security) and select Assign.

The following three default IPSec policies available allow for different degrees of IPSec enforcement:

  • Server (Request Security) In this option, the server requests but does not require IPSec communications. Choosing this option allows the server to communicate with other non-IPSec clients. It is recommended for organizations with lesser security needs or those in the midst of, but not finished with, an implementation of IPSec because it can serve as a stop-gap solution until all workstations are IPSec configured. This option does allow for some of the enhanced security of IPSec but without the commitment to all communications in IPSec.

  • Client (Respond Only) The Client option allows the configured machine to respond to requests for IPSec communications.

  • Secure Server (Require Security) The most secure option is the Require Security option, which stipulates that all network traffic be encrypted with IPSec. This policy effectively locks out other types of services that are not running IPSec, and should be set only if a full IPSec plan has been put into place.

Establishing an IPSec Policy on the Client

CLIENT2 will likewise need to be configured with a default IPSec policy, in a similar fashion to the server policy defined in the preceding section. To configure the client on Windows XP, follow these steps:

1.

Choose Start, All Programs, Administrative Tools, Local Security Policy. (Administrative Tools must be enabled in the Task Manager view settings.)

2.

Navigate to Security Settings\IP Security Policies on Local Computer.

3.

Right-click Client (Respond Only) and select Assign, as illustrated in Figure 13.8.

Figure 13.8. Creating a Client IPSec policy.


Verifying IPSec Functionality in Event Viewer

After the local IPSec policies are enabled on both CLIENT2 and SERVER7, IPSec communications can take place. To test this, either ping the server from the client desktop, or perform other network tests, such as accessing SERVER7's Web page or file shares.

A quick look at the IP Security Monitor that was established in MMC on SERVER7 shows that IPSec traffic has been initialized and is logging itself, as you can see in Figure 13.9.

Figure 13.9. Viewing IP Security Monitor logging.


In addition to using the IP Security Monitor to log IPSec traffic, the Security log in the Event Viewer on SERVER7 can be used to check for IPSec events. Filter specifically for Event ID 541, which indicates successful IPSec communications, as shown in Figure 13.10.

Figure 13.10. Viewing an IPSec Event log success entry.


These default IPSec policies are useful in establishing ad hoc IPSec between clients on a network, but are limited in their scope. Proper planning of an enterprise IPSec implementation is necessary to effectively secure an entire environment using custom IPSec policies.




Microsoft Windows Server 2003 Unleashed(c) R2 Edition
Microsoft Windows Server 2003 Unleashed (R2 Edition)
ISBN: 0672328984
EAN: 2147483647
Year: 2006
Pages: 499

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net