Using RSoP for IPSec Planning


EXAM 70-293 OBJECTIVE 3.3.1, 5, 5.7

RSoP is a utility provided in Windows Server 2003 for gathering information to help you configure Group Policy in the way that best serves the needs of your network. It functions as a query engine that uses the Common Information Management Object Model (CIMOM) database to store this information.

RSoP is used to sort through the complexities of applying multiple policies and determine the totality of their effects. This is important, because it can be very difficult to predict the outcome when Group Policy is applied at several different levels (site, domain, and OU), and some of those policies conflict.

There are two modes in which RSoP can be used: logging mode and planning mode. Logging mode tells you the effects of the policy settings that are applied to the computer and currently logged-in user. Administrators can use RSoP in planning mode to check existing GPOs and search for all policy settings that can be applied. The results of this search can then be placed in a scenario-based simulation to view how the changes will affect the policies.

Exam Warning

The IPSec extension to the RSoP console is a new feature in Windows Server 2003, so you can expect to encounter one or more exam questions dealing with this topic.

Ideal situations for using the RSoP tool include the following:

  • Simulating the effect of policy settings on a domain, site, OU, computer, or user

  • Determining the effective policies for a newly created account in your Active Directory domain

  • Testing policy precedence, such as the user or the computer in different OUs, the user or the computer in different security groups, and when the user or computer is moving

You can also simulate a slow network or create a network loopback situation. RSoP can provide network administrators with details such as security settings, scripts, Group Policy installation, folder redirection, templates, and Internet Explorer maintenance.

Exam Warning

If you need to use RSoP on a remote computer, you must be a member of the Domain Admins or Enterprise Admins security group, or be granted the Generate Resultant Set of Policy planning rights.

Using the RSoP Wizard

You can use the RSoP Wizard to create an RSoP query on your Windows Server 2003 server. You begin by adding the RSoP snap-in to an empty MMC console. You can also access RSoP through the Active Directory Users and Computers console and the Active Directory Sites and Services console.

To access RSoP planning through the Active Directory Users and Computers MMC and start the RSoP Wizard, do the following:

  1. Select Start | Programs | Administrative Tools | Active Directory Users and Computers.

  2. Right-click the name of the domain or OU and select All Tasks.

  3. Choose Resultant Set of Policy (Planning).

To access RSoP planning through the Active Directory Sites and Services MMC and start the RSoP Wizard, do the following:

  1. Click Start | Programs | Administrative Tools | Active Directory Sites and Services.

  2. Expand the Sites node in the left pane.

  3. Right-click the name of a site and select All Tasks.

  4. Select Resultant Set of Policy (Planning).

To start the RSoP Wizard from a stand-alone RSoP MMC, right-click Resultant Set of Policy in the left pane and select Generate RSoP Data (or select it from the Action menu). The Wizard will display the query results in the RSoP snap-in. You can save, change, or refresh your RSoP queries. You can create more than one query by adding the RSoP snap-in to your console. The information that RSoP gathers comes from the CIMOM database through Windows Management Instrumentation (WMI).

Note

The RSoP Wizard differs depending on which method you use to open RSoP. When you open the RSoP Wizard through the Active Directory Users and Computers or Active Directory Sites and Services console (under Administrative Tools), you can use only planning mode. When you open the Wizard from the RSoP MMC, the first selection you make is whether to use logging or planning mode.

Security and RSoP

Administrators can use RSoP features to determine which particular security policies meet their organization’s needs. You can use RSoP security templates to create and assign security options for one or many computers. You can apply a template to a local computer, and then import that template into the GPO in the Active Directory. After the template has been imported, Group Policy will process the security template and apply the changes to all members of that GPO. RSoP will also verify the changes that have been made by polling the system and then showing the resultant policy. RSoP can help correct a security breach by identifying the invalidly applied or overwritten policy setting, or the policy setting that takes priority. Group Policy filtering will report the scope of the GPO, based on the security group membership.

Through individual security settings, administrators can define a security policy in Active Directory that contains specific security settings for nearly all security areas. Security settings in a local GPO can establish a security policy on a local computer. When there are conflicts, security settings that are defined in Active Directory always override any security settings that are defined locally.

The RSoP console simplifies the task of determining which IPSec policy is being applied by displaying the following information for each GPO that contains an IPSec policy assignment:

  • Name of the IPSec policy

  • Name of the GPO that the IPSec policy is assigned to

  • IPSec policy precedence (the lower the number, the higher the precedence)

  • Name of the site, domain, and OU to which the GPO containing the IPSec policy applies (that is, the scope of management for the GPO)

The settings of the IPSec policy with the highest precedence apply in their entirety; they are not merged with the settings of IPSec policies that are applied at higher levels of the Active Directory hierarchy.

Selecting the RSoP Mode for IPSec-related Queries

As mentioned earlier, RSoP can be run in either of two modes: logging or planning. In the following sections, we will take a closer look at the differences between these two modes and help you determine when to use each for queries related to IPSec.

Logging Mode Queries

You can run an RSoP logging mode query to view all of the IPSec policies that are assigned to an IPSec client. The query results display the precedence of each IPSec policy assignment, so that you can quickly determine which IPSec policies are assigned but are not being applied and which IPSec policy is being applied. The RSoP console also displays detailed settings for the IPSec policy that is being applied, including the following:

  • Filter rules

  • Filter actions

  • Authentication methods

  • Tunnel endpoints

  • Connection type

When you run a logging mode query, RSoP retrieves policy information from the WMI repository on the target computer, and then displays this information in the RSoP console. In this way, RSoP provides a view of the policy settings that are being applied to a computer at a given time.
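The four items the RSoP console shows for each IPSec policy assignment (policy name, GPO, precedence, scope) and the logging-mode retrieval from the target computer's WMI repository can also be read directly with a script. The following PowerShell is an added example, not code from the study guide; it assumes the RSOP_IPSECPolicySetting and RSOP_GPO classes in the root\RSOP\Computer namespace expose the property names used below (ipsecName, precedence, GPOID, SOMID, id, name) and that GPOID can be joined to RSOP_GPO.id, and it needs local administrator rights (or the RSoP rights described above when a remote computer is given).

```powershell
# Added example (not from the study guide): list the IPSec policy assignments
# recorded by the last Group Policy refresh (RSoP logging-mode data) and show
# which one is actually applied on precedence.
# Assumptions: class and property names follow the root\RSOP\Computer schema;
# GPOID in RSOP_IPSECPolicySetting matches RSOP_GPO.id.
param([string]$ComputerName = $env:COMPUTERNAME)

$ns = 'root\RSOP\Computer'

# One instance per IPSec policy assignment coming from a GPO.
$assignments = Get-WmiObject -ComputerName $ComputerName -Namespace $ns `
    -Class RSOP_IPSECPolicySetting

if (-not $assignments) {
    Write-Output "No IPSec policy assignments recorded on $ComputerName."
    return
}

# Index the GPOs by id so each assignment can be resolved to a GPO name.
$gpos = @{}
Get-WmiObject -ComputerName $ComputerName -Namespace $ns -Class RSOP_GPO |
    ForEach-Object { $gpos[$_.id] = $_ }

$rows = foreach ($a in $assignments) {
    $gpoName = $a.GPOID                      # fall back to the raw id
    if ($gpos.ContainsKey($a.GPOID)) { $gpoName = $gpos[$a.GPOID].name }
    New-Object PSObject -Property @{
        IPSecPolicy = $a.ipsecName
        GPO         = $gpoName
        Scope       = $a.SOMID               # site, domain or OU the GPO is linked to
        Precedence  = $a.precedence          # lower number = higher precedence
    }
}

# Only the assignment with the lowest precedence number is applied; the others
# are assigned but overridden, which is exactly what a logging-mode query reveals.
$rows = @($rows | Sort-Object Precedence)
$winner = $rows[0].Precedence
$rows | Select-Object IPSecPolicy, GPO, Scope, Precedence,
    @{ n = 'Applied'; e = { $_.Precedence -eq $winner } } |
    Format-Table -AutoSize
```

Run it on an IPSec client after a Group Policy refresh; an empty result means no GPO in scope assigns an IPSec policy, so only a locally assigned policy (if any) can be in effect.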

Planning Mode Queries

You can run an RSoP planning mode query to view all of the IPSec policies that are assigned to members of a Group Policy container. RSoP will retrieve the names of the target user, computer, and domain controller from the WMI repository on the domain controller. WMI then uses the Group Policy Data Access Service (GPDAS) to create the policy settings that would be applied to the target computer, based on the RSoP query settings that you entered. RSoP reads the policy settings from the WMI repository on the domain controller, and then displays this information in the RSoP console user interface.

You can run an RSoP planning mode query only on a domain controller (when you run a planning mode query, you must explicitly specify the domain controller name). However, you can specify any IPSec client as the target for the query, provided that you have the appropriate permissions to do so.




MCSE Planning and Maintaining a Windows Server 2003 Network Infrastructure. Exam 70-293 Study Guide and DVD Training System
ISBN: 1931836930
Year: 2003
Pages: 173
