Implementing IPSec-Encrypted Transport Communications


IPSec in transport mode encrypts the traffic between two hosts, here between a server and a workstation client, without any change to the applications that use the network. Rather than the preshared key described earlier in this text, the IPSec peers in this chapter authenticate each other with Kerberos, managed by an Active Directory group policy, which is the simplest way to set up encrypted communications between domain-joined clients and servers.

Note

In this case Kerberos, rather than certificates, is the method the IPSec peers use to authenticate each other when they negotiate keys (the traffic itself is then protected by ESP; Kerberos is not the cipher). Certificate authentication requires a PKI that issues a certificate to every computer, and Active Directory by itself does not distribute such computer certificates through Group Policy. Every domain-joined Windows computer already has a Kerberos identity, however, so Windows Kerberos is the better choice for automating IPSec-encrypted communications within a domain. Keep in mind that Kerberos can only authenticate computers in the forest or a trusted forest; for standalone or partner machines, certificates or a preshared key remain the options.


Creating a Group Policy for IPSec Encryption for the Server

Assuming the server for this test implementation is a domain controller, we can simply edit the Default Domain Controllers Policy, which is the group policy object that already applies to the server. Editing that policy affects every domain controller in the domain. In a production environment, you would instead create an Organizational Unit (OU) for servers, move the servers into that container, and link a new group policy with the following settings to the OU. However, to proceed with the assumption that the policy will be applied through the Default Domain Controllers Policy, do the following:

1.

Launch the Active Directory Users and Computers tool by selecting Start | Programs | Administrative Tools and choosing Active Directory Users and Computers.

2.

Right-click on the Domain Controllers OU under the domain (such as companyabc.com) and choose Properties.

3.

Click on the Group Policy tab.

4.

Highlight the Default Domain Controllers Policy and click Edit.

5.

Under the Computer Configuration container, expand the Windows Settings folder.

6.

Expand the Security Settings folder and then click on IP Security Policies so your screen will look something like Figure 16.

Figure 16. IP Security Policies for Default Domain Controllers.


7.

Right-click the Server (Request Security) policy and choose Properties.

8.

Click on All IP Traffic to highlight the item, and then click the Edit button.

9.

Click the Authentication Methods tab, and then click the Edit button.

10.

Select the Active Directory default (Kerberos V5 protocol) option. This is already the default for the built-in policy, so in most cases you are confirming the setting rather than changing it.

11.

Click OK | OK | Apply, and then click OK to set the IPSec server setting.

12.

Right-click on the Server (Request Security) policy again and select Assign so that the Policy Assigned column shows Yes. Only one IPSec policy can be assigned in a group policy object at a time, so assigning this policy replaces any other assignment.

This policy now applies to every domain controller in the domain. At a command prompt on the domain controller, run gpupdate /force to apply the policy immediately instead of waiting for the next Group Policy refresh. Note that Server (Request Security) only asks its peers for IPSec: a client that has no IPSec policy assigned is still allowed to communicate in the clear, so this policy alone does not guarantee that traffic is encrypted. The built-in Secure Server (Require Security) policy in the same list refuses unprotected traffic.

Creating a Group Policy for IPSec Encryption for the Client

Applying a group policy to clients works the same way as applying a group policy to the servers. However, you want a policy that applies to the laptops and desktops of the network and not to the servers. This is typically done by creating an Organizational Unit (OU) and then placing the workstations into that container. To create a group policy for IPSec encryption on client systems, do the following:

1.

Launch the Active Directory Users and Computers tool by selecting Start | Programs | Administrative Tools and choosing Active Directory Users and Computers.

2.

Right-click on the domain name (such as companyabc.com) and choose New | Organizational Unit.

3.

Enter the name of the OU into which you will be placing the workstations. An example might be C-SanFrancisco, meaning a container holding San Francisco computers.

4.

Right-click on the OU container you just created, and choose Properties.

5.

Click on the Group Policy tab.

6.

Click on New and give the new group policy a name (for example, C-OU-SF-Security, meaning a computer policy for the San Francisco OU that addresses security policy items).

7.

Highlight the new policy, and then click Edit.

8.

Under the Computer Configuration container, expand the Windows Settings folder.

9.

Expand the Security Settings folder, and then click on IP Security Policies.

10.

Right-click the Client (Respond Only) policy and choose Properties.

11.

Click on the <Dynamic> item (the filter list of the policy's default response rule, which is its only rule) to highlight it, and then click the Edit button.

12.

Click the Authentication Methods tab, and then click the Edit button.

13.

Select the Active Directory default (Kerberos V5 protocol) option.

14.

Click OK | OK | Apply, and then click OK to set the IPSec setting.

15.

Right-click on the Client (Respond Only) policy again and select Assign so that the Policy Assigned column shows Yes.

This policy now applies to every workstation in this OU; a computer moved into the OU later picks the policy up at its next Group Policy refresh. At a command prompt on a workstation, run gpupdate /force to apply the policy immediately. Because Client (Respond Only) never initiates IPSec, a workstation with this policy talks to a server that has no IPSec policy exactly as before; encryption happens only when the server requests it.
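The server and client procedures above, as an added example that is not code from the book: the same two policies built with netsh ipsec static, so that every setting the steps click through is visible in one place. The policy, filter-list and filter-action names, the GPO name C-OU-SF-Security and the domain name are assumptions made for this example. By default it writes to the machine's local policy store, which is enough to test on one server; with a domain name it writes to the domain store and links the policy to the GPO, which is the netsh form of the Assign step.

```powershell
# Added example, not code from the book: the two policies the steps above
# configure through the GUI, built with "netsh ipsec static" so every
# setting is visible in one place. Policy, filter-list and filter-action
# names, the domain and the GPO name are assumptions made here.
# Needs "netsh ipsec static" (Windows XP SP2 / Server 2003 and later) and
# an elevated PowerShell or cmd.exe on the machine being configured.
param(
    [ValidateSet('Server', 'Client')]
    [string]$Role = 'Server',

    # Empty: write to this machine's local store, enough to test one server.
    # Set to a domain name to write into the domain's IP Security container.
    [string]$Domain = '',

    # Domain store only: the GPO that should assign the policy (steps 12 / 15).
    [string]$GpoName = 'C-OU-SF-Security'
)

$ErrorActionPreference = 'Stop'
$store = if ($Domain) { "location=domain domain=$Domain" } else { 'location=local' }

if ($Role -eq 'Server') {
    $policy = 'Test Server (Request Security)'
    # Main-mode (IKE) offers: 3DES with SHA1 or MD5, Diffie-Hellman group 2.
    # Filters are mirrored, so one entry covers both directions of traffic.
    # "Request Security" negotiates ESP, but soft=yes / inpass=yes still allow
    # clear traffic with a peer that never answers IKE; soft=no inpass=no
    # gives the behaviour of the built-in Secure Server (Require Security).
    # kerberos=yes is the "Active Directory default (Kerberos V5)" choice.
    # ICMP is permitted unprotected, as in the built-in policy, which is why
    # a ping never produces a security association.
    $lines = @"
ipsec static set store $store
ipsec static add policy name="$policy" description="Request ESP for all IP traffic" activatedefaultrule=yes mmsecmethods="3DES-SHA1-2 3DES-MD5-2"
ipsec static add filterlist name="Test All IP Traffic"
ipsec static add filter filterlist="Test All IP Traffic" srcaddr=me dstaddr=any protocol=ANY mirrored=yes
ipsec static add filterlist name="Test All ICMP Traffic"
ipsec static add filter filterlist="Test All ICMP Traffic" srcaddr=me dstaddr=any protocol=ICMP mirrored=yes
ipsec static add filteraction name="Test Request Security" action=negotiate inpass=yes soft=yes qmsecmethods="ESP[3DES,SHA1] ESP[3DES,MD5]"
ipsec static add filteraction name="Test Permit" action=permit
ipsec static add rule name="All IP Traffic" policy="$policy" filterlist="Test All IP Traffic" filteraction="Test Request Security" kerberos=yes
ipsec static add rule name="All ICMP Traffic" policy="$policy" filterlist="Test All ICMP Traffic" filteraction="Test Permit"
"@
}
else {
    $policy = 'Test Client (Respond Only)'
    # No rules of its own: only the default response rule is active, so the
    # client negotiates when a server asks and never initiates. Windows Vista
    # and later ignore the default response rule; use Windows Firewall
    # connection security rules on those systems instead.
    $lines = @"
ipsec static set store $store
ipsec static add policy name="$policy" description="Respond to IPsec requests only" activatedefaultrule=yes
"@
}

# Assignment: the local store assigns the policy directly (one at a time);
# in the domain store gponame links the policy to the GPO, i.e. the Assign step.
if ($Domain) {
    $lines += "`nipsec static set policy name=`"$policy`" gponame=`"$GpoName`""
} else {
    $lines += "`nipsec static set policy name=`"$policy`" assign=yes"
}
$lines += "`nipsec static show policy name=`"$policy`" level=verbose"

# Run the whole batch through "netsh -f" so the shell never has to quote the
# parenthesised names; netsh reports each failing line in its output.
$file = Join-Path $env:TEMP 'ipsec-test-policy.txt'
Set-Content -Path $file -Value $lines -Encoding ASCII
netsh -f $file
if ($LASTEXITCODE -ne 0) { throw "netsh reported an error running $file" }

# Domain members pick up a GPO-delivered policy at their next Group Policy
# refresh; "gpupdate /force" on the target applies it immediately.
```

Run it once with -Role Server on the server and once with -Role Client on a workstation, then use the monitor check in the next section. The script deliberately keeps the ICMP permit rule of the built-in policy, so that the ping test of the following section behaves exactly as the note there describes.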

Confirming That IPSec-Encrypted Communication Is Working

To confirm that IPSec-encrypted communication is working, run the IP Security Monitor to view the security associations negotiated between devices. To run the IP Security Monitor, do the following:

1.

Open an empty Microsoft Management Console (MMC) by clicking Start | Run, typing mmc.exe, and clicking OK; the IP Security Monitor snap-in is added to it in the next steps.

2.

Click File | Add/Remove Snap-in, and then click Add.

3.

Select IP Security Monitor, and then click Add.

4.

Click Close, and then click OK.

5.

Expand the IP Security Monitor console.

6.

Expand the server you are monitoring. By default this is the local computer; to monitor a remote server, right-click IP Security Monitor and choose Add Computer first.

7.

Click to expand the Quick Mode, and then click on the Security Associations folder to view the connections (both encrypted and unencrypted) as shown in Figure 17.

Figure 17. Monitoring encryption operations with the IPSec monitor.


Note

Encrypted connections show 3DES (or another configured cipher) under ESP Confidentiality. Because the server's policy requests rather than requires security in this example, some connections can show <None> under ESP Confidentiality; those connections are not encrypted, typically because the peer has no IPSec policy assigned. A plain ping does not prove anything either way: the built-in Server (Request Security) policy contains an All ICMP Traffic rule that permits ICMP without IPSec, so no security association is negotiated for it. Test with a file share or another TCP connection instead. When choosing a cipher in the policy, use 3DES rather than DES, which is obsolete; AES is not available in the IPSec policies of this Windows generation.
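The monitor check above, done from the command line, as an added example that is not from the book. The host name dc1.companyabc.com is an assumption; so is the "None" pattern matched in the last step, which assumes netsh describes an unprotected association with the same wording as the snap-in.

```powershell
# Added example, not code from the book: command-line counterpart of the
# IP Security Monitor check. $Peer is an assumed server name; the "None"
# pattern assumes netsh uses the snap-in's wording for an unprotected SA.
param([string]$Peer = 'dc1.companyabc.com')

# 1. Confirm which policy this machine actually runs. A policy whose
#    Policy Assigned column reads No negotiates nothing, and a new GPO
#    assignment only arrives after a Group Policy refresh.
gpupdate /force | Out-Null
netsh ipsec static show gpoassignedpolicy
netsh ipsec static show policy all format=table

# 2. Generate traffic the "All IP Traffic" rule covers. ping proves nothing
#    because the built-in policy's "All ICMP Traffic" rule permits ICMP in
#    the clear; opening an SMB session (TCP 445) does trigger IKE.
Test-Path "\\$Peer\netlogon" | Out-Null
Start-Sleep -Seconds 2

# 3. Main-mode SAs show the IKE authentication (Kerberos here); quick-mode
#    SAs show the ESP algorithms applied to the traffic, the same data the
#    snap-in shows under Quick Mode | Security Associations.
netsh ipsec dynamic show mmsa
$qm = netsh ipsec dynamic show qmsa
$qm

# 4. With Request Security, a peer that never answers IKE still talks in
#    the clear and that soft SA is listed with <None> as its confidentiality
#    algorithm. Adjust the pattern if your build prints it differently.
$clear = @($qm | Select-String -Pattern 'None')
if ($clear.Count -gt 0) {
    Write-Warning "$($clear.Count) quick-mode SA(s) without ESP confidentiality: traffic to $Peer is not encrypted"
} else {
    Write-Host "All quick-mode SAs carry ESP confidentiality"
}
```

If step 3 shows no security associations at all, the two most common causes are that the policy is not assigned on one side (step 1 shows it) and that the only traffic generated was ICMP.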





Encryption in a Windows Environment: EFS File, 802.1x Wireless, IPSec Transport, and S/MIME Exchange
ISBN: B000P28WKS
Year: 2006
Pages: 13
Authors: Rand Morimoto
