Configuring Simple IPSec Between SharePoint Servers


IPSec is built into Windows Server 2003 and is also available on client operating systems. Basic IPSec functionality is easy to set up in an environment running Windows Server 2003 Active Directory because IPSec can use Kerberos authentication in place of certificates. Installing and configuring IPSec between SharePoint servers or clients is a straightforward process and should be considered as a way to add a further layer of security to a SharePoint environment.

The procedure outlined in the following sections illustrates the setup of a simple IPSec policy between a SharePoint server and a client on a network. In this example, the SharePoint server is SERVER7, and the client is CLIENT2.

Viewing the IPSec Security Monitor

To view the current status of any IPSec policies, including the ones that will be created in this procedure, the IPSec Security Monitor MMC snap-in on SERVER7 needs to be opened. The MMC snap-in can be installed and configured by following these steps:

1. Choose Start, Run and type mmc into the Run dialog box. Click OK when complete.

2. In MMC, choose File, Add/Remove Snap-in.

3. Click the Add button to install the snap-in.

4. Scroll down and select IP Security Monitor; then click the Add button followed by the Close button.

5. The IP Security Monitor MMC snap-in should now be visible, as shown in Figure 15.31. Click OK.

Figure 15.31. Adding the IP Security Monitor MMC snap-in.

6. In MMC, expand to Console Root\IP Security Monitor\SERVER7.

7. Right-click on SERVER7 and choose Properties.

8. Change the auto refresh setting from 45 seconds to 5 seconds or less. Click OK when finished. You can then use the MMC IP Security Monitor console to view IPSec data.

Establishing an IPSec Policy on the SharePoint Server

Default IPSec policies are present on Windows Server 2003 and newer clients, but none of them is in effect until one is assigned. To assign a policy, follow this procedure on SERVER7:

1. Choose Start, All Programs, Administrative Tools, Local Security Policy.

2. Navigate to Security Settings\IP Security Policies on Local Computer.

3. In the details pane, right-click Server (Request Security) and select Assign.

The three default IPSec policies allow for different degrees of IPSec enforcement:

  • Server (Request Security): The server requests but does not require IPSec communications. Choosing this option allows the server to continue communicating with clients that are not running IPSec. It is recommended for organizations with lesser security needs or those in the midst of, but not finished with, an IPSec rollout, because it can serve as a stop-gap until all workstations are configured for IPSec. This option provides some of the enhanced security of IPSec without committing all communications to it.

  • Client (Respond Only): The configured machine responds to requests for IPSec communications but never initiates them.

  • Secure Server (Require Security): The most secure option, which stipulates that all network traffic be protected with IPSec. This policy effectively locks out any peer that is not running IPSec and should be assigned only after a full IPSec plan has been put into place.

Establishing an IPSec Policy on the Client

The SharePoint client, CLIENT2, likewise needs to be configured with a default IPSec policy, in a similar fashion to the server policy defined in the preceding section. To configure the client on Windows XP, follow these steps:

1. Choose Start, All Programs, Administrative Tools, Local Security Policy. (Administrative Tools must be enabled in the Task Manager view settings.)

2. Navigate to Security Settings\IP Security Policies on Local Computer.

3. Right-click Client (Respond Only) and select Assign, as shown in Figure 15.32.

Figure 15.32. Creating a Client IPSec policy.


Verifying IPSec Functionality in Event Viewer

After the local IPSec policies are enabled on both CLIENT2 and SERVER7, IPSec communications can take place. To test this, either ping the server from the client desktop, or perform other network tests, such as accessing SERVER7's SharePoint portal site.

A quick look at the IP Security Monitor that was set up in MMC on SERVER7 shows that IPSec traffic is flowing and being logged, as shown in Figure 15.33.

Figure 15.33. Viewing IP Security Monitor logging.


In addition to using the IP Security Monitor to log IPSec traffic, the Security log in the Event Viewer on SERVER7 can be used to check for IPSec events. Filter specifically for Event ID 541, which indicates successful IPSec communications, as shown in Figure 15.34.

Figure 15.34. Viewing an IPSec Event log success entry.
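The policy assignment from "Establishing an IPSec Policy on the SharePoint Server" and the two verification checks in this section can also be scripted on SERVER7. The following PowerShell script is an added example and is not from the book; it assumes an elevated PowerShell session on a Windows Server 2003 machine, where the netsh ipsec context and the Security event log are available. The function names (Set-DefaultIPSecPolicy, Get-IPSecSecurityAssociations, Get-IKESuccessEvents) are this example's own, and the Select-String filter assumes the label text that netsh prints for each policy.

```powershell
# Added example (not from the book): script the SERVER7 side of the procedure
# with the netsh ipsec context that ships with Windows Server 2003, then verify
# the result the same way the IP Security Monitor and Event Viewer checks do.
# Assumption: run elevated on SERVER7; CLIENT2 has Client (Respond Only) assigned.

# The three built-in policies named in the text; only one can be assigned at a time.
$DefaultPolicies = @(
    'Client (Respond Only)',
    'Server (Request Security)',
    'Secure Server (Require Security)'
)

function Set-DefaultIPSecPolicy {
    param([string]$Name)
    if ($DefaultPolicies -notcontains $Name) {
        throw "Not one of the built-in policies: $Name"
    }
    # Assigning a policy replaces whatever policy was assigned before, so the
    # other two do not need to be unassigned explicitly.
    netsh ipsec static set policy name="$Name" assign=yes | Out-Null
    # Confirm: the assigned policy is the one whose 'Assigned' line reads YES.
    netsh ipsec static show policy all | Select-String 'Policy Name|Assigned'
}

# Equivalent of the IP Security Monitor view: the main-mode (IKE) and quick-mode
# (IPSec) security associations currently established with peers such as CLIENT2.
function Get-IPSecSecurityAssociations {
    'Main mode SAs:';  netsh ipsec dynamic show mmsas all
    'Quick mode SAs:'; netsh ipsec dynamic show qmsas all
}

# Equivalent of the Event Viewer filter: Event ID 541 in the Security log records
# a successfully established IKE security association with a peer.
function Get-IKESuccessEvents {
    param([int]$Newest = 200)
    Get-EventLog -LogName Security -Newest $Newest |
        Where-Object { $_.EventID -eq 541 } |
        Select-Object TimeGenerated, EventID, Message
}

# Usage: request (but do not require) IPSec, generate some traffic to CLIENT2,
# then look for the negotiated SAs and the matching 541 audit entries.
Set-DefaultIPSecPolicy 'Server (Request Security)'
ping -n 2 CLIENT2 | Out-Null
Get-IPSecSecurityAssociations
Get-IKESuccessEvents
```

With Server (Request Security) assigned, a peer that has no IPSec policy still gets an answer to the ping but produces no SA and no 541 event; that difference is the quickest way to tell which clients have not yet been assigned Client (Respond Only).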


These default IPSec policies are useful for establishing ad hoc IPSec between SharePoint clients on a network, but they are limited in scope. Enterprise-wide IPSec policies can be deployed through Group Policy. Proper planning of an enterprise IPSec implementation is necessary to secure an entire environment effectively using custom IPSec policies.




Microsoft SharePoint 2003 Unleashed (2nd Edition)
ISBN: 0672328038
Year: 2005
Pages: 288